Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

[GuidoZ <uberguidoz () gmail com>]

More useful info on calcs/xcalcs:
 - http://support.microsoft.com/default.aspx?scid=kb;EN-US;135268
 - http://www.ss64.com/nt/cacls.html
 - http://www.jsiinc.com/SUBH/tip3700/rh3729.htm

--
Peace. ~G


On Fri, 1 Oct 2004 20:29:19 -0700, GuidoZ <uberguidoz () gmail com> wrote:
> I've heard of this before (see following link). I thought it was fixed
> in SP1 (maybe it was SP2). I'm probabaly wrong - call it wishful
> thinking. There is an interesting page in German about it here:
>  - http://www.lsg.musin.de/Admin/NT/rechte/die_batch_online_mit_vielen_erkl.htm
>
> English transation provided by Google is:
>  - 
> http://translate.google.com/translate?hl=en&sl=de&u=http://www.lsg.musin.de/Admin/NT/rechte/die_batch_online_mit_vielen_erkl.htm&prev=/search%3Fq%3D%2522cacls%2B*.*%2B/T%2B/C%2B/P%2B*:R%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8
> (if the URL wrap bothers you, here's a TinyURL: http://tinyurl.com/6t6lu)
>
> It doesn't take much to figure out how this could be used to cause
> some hell. (Maybe combined with the recent GDI/JPEG exploit?
> Downloading a batch file coudl be nasty...)
>
> -
> Peace. ~G
>
>
>
>
> On Fri, 1 Oct 2004 19:37:49 -0700 (PDT), bipin gautam
> <visitbipin () yahoo com> wrote:
> > All Antivirus, Trojan, Spy ware scanner, Nested file
> > manual scan bypass bugs. [Part IV]
> >
> > Risk Level: Medium
> > Affected Product: (Should be) all Antivirus, Trojan,
> > Spy ware scanners for windows.
> >
> > Description:
> > ------------
> >
> > A malicious code can reside in a computer (with users
> > privilage) bypassing "manual scans" of any
> > Antivirus, Trojan & Spy ware scanners by simply
> > issuing this command to itself.
> >
> > cacls hUNT.exe /T /C /P dumb_user:R
> >
> > ...this is only due to the design fault in Microsoft
> > Windows, the way it handles NTFS permission.By this
> > way... any software's with even Admin./SYSTEM
> > privilege can't access this file (hUNT.exe) normally
> > because the only person who has normal access to this
> > file is "dumb_user"
> >
> > No wonder, there are several false assumptions in
> > windows security configuration as well, when a JOE
> > administrator could permenantly lock himself up in his
> > own machine.
> >
> > regards,
> > Bipin Gautam
> > http://www.geocities.com/visitbipin
> >
> > Disclaimer: The information in the advisory is
> > believed to be accurate at the time of printing based
> > on currently available information. Use of the
> > information constitutes acceptance for use in an AS IS
> > condition. There are no warranties with regard to this
> > information. Neither the author nor the publisher
> > accepts any liability for any direct, indirect or
> > consequential loss or damage arising from use of, or
> > reliance on this information.
> >
> > __________________________________
> > Do you Yahoo!?
> > Yahoo! Mail - 50x more storage than other providers!
> > http://promotions.yahoo.com/new_mail
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html