Multiple Vulnerabilities in iAntiVirus

To: <full-disclosure@xxxxxxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Multiple Vulnerabilities in iAntiVirus
From: "Carsten Eilers" <advisories@xxxxxxxxxxxxx>
Date: Tue, 10 Mar 2009 16:13:10 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Title
Multiple Vulnerabilities in iAntiVirus

Program
PC Tools iAntiVirus for Mac OS X
http://www.iantivirus.com/

Tested version
1.35, Engine Version 1.0.0.10

tested on german Mac OS X 10.5 with following preferences:
- Scan inside archives ON
- Scan mode NORMAL
- Heuristics NORMAL

Description
1. No scan in .sit- and .dmg-archives

   The scan-function and the online-scanner OnGuard doesn't
   scan .sit- and .dmg-archives.

   Impact:
   It's possible to download malware from the internet or
   to copy it from an usb-stick without interruption from
   iAntiVirus.
   Malware in .sit-archives is recognized by OnGuard during
   manuel decompression, but malware in .dmg-diskimages is
   only recognized during a manual scan of the mounted image.
   It's possible to run malware from the mounted diskimage
   (tested with MacSmurf, which iAntiVirus recognizes as
   'Hacktool.OSX.MacSmurf')

2. Problems with special chars in filenames

   The scanner, OnGuard and the quarantine-management are
   unable to work with files with several special chars in
   it, for example ?, which is transformed to Æ.

   Impact:
   False-positives are lost, since it's impossible to restore
   them. Perhaps it's possible to evade the virus-protection.

3. No user-restrictions in the quarantine-management

   All quarantined files are managed in the same area. Every
   user can restore the files of every other user, included
   the admin

   Impact:
   A normal user can restore quarantined malware in other
   accounts, tested with the iWorks-Trojan, which was
   installed by the admin and restored by a normal user.
   Additional, the history-function contains no information
   about the user which performs an action and can erased by
   every user.

4. OnGuard does only protect one user (or perhaps a few more)
   If OnGuard is on and another user logs in, it seems as if
   OnGuard is off. If he copies some malware on the system,
   this disappears without any warning: OnGuard is active and
   moves the files in the quarantine, but doesn't inform the
   user about this. If the first user is an admin, this seems
   to work for every normal user. If the first user is a normal
   user, it sometimes works for the admin as second user, but
   not every time.

5. Ignorance of file-permissions

   Every normal user can start a "normal scan", which includes
   the system-, library- an program-folders and the folders of
   every user.

Solution
None

Credits
Carsten Eilers

Original advisory
http://www.ceilers-it.de/advisories/iantivirus.html
(also as german version)


Regards
  Carsten Eilers

Prev by Date: [ GLSA 200903-22 ] Ganglia: Execution of arbitrary code
Next by Date: [ MDVSA-2009:070 ] openoffice.org
Previous by thread: [ GLSA 200903-22 ] Ganglia: Execution of arbitrary code
Next by thread: [ MDVSA-2009:070 ] openoffice.org
Index(es):
- Date
- Thread