Full Disclosure mailing list archives
Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Sat, 2 Oct 2004 11:52:53 +0400
Dear bipin gautam,

Your statements about "all antivirus" and "design fault" are wrong; it strongly depends on the way manual scanning is implemented in the specific product.

1. Many antiviral products implement their own kernel driver to access the scanned file. In this case permissions have no impact on scanning.

2. Many antiviral products use their own daemon, running as SYSTEM; the scanner uses this daemon to access files. The daemon may acquire SeBackupPrivilege. With backup privilege the daemon can bypass ACLs. The same goes for a scan with an administrator's account.

You can still bypass antiviral protection for manual scans with file encryption (on-access scanners may impersonate the accessing user). This time the file can only be scanned by the administrator if the administrator is a recovery agent.

--Saturday, October 2, 2004, 6:37:35 AM, you wrote to full-disclosure () lists netsys com:

bg> All Antivirus, Trojan, Spy ware scanner, Nested file
bg> manual scan bypass bugs. [Part IV]
bg>
bg> Risk Level: Medium
bg> Affected Product: (Should be) all Antivirus, Trojan,
bg> Spy ware scanners for windows.
bg>
bg> Description:
bg> ------------
bg> A malicious code can reside in a computer (with user's
bg> privilege) bypassing "manual scans" of any
bg> Antivirus, Trojan & Spy ware scanners by simply
bg> issuing this command to itself.
bg>
bg> cacls hUNT.exe /T /C /P dumb_user:R
bg>
bg> ...this is only due to the design fault in Microsoft
bg> Windows, the way it handles NTFS permission. By this
bg> way... any software with even Admin./SYSTEM
bg> privilege can't access this file (hUNT.exe) normally
bg> because the only person who has normal access to this
bg> file is "dumb_user"
bg>
bg> No wonder, there are several false assumptions in
bg> windows security configuration as well, when a JOE
bg> administrator could permanently lock himself up in his
bg> own machine.
bg>
bg> regards,
bg> Bipin Gautam
bg> http://www.geocities.com/visitbipin
bg>
bg> Disclaimer: The information in the advisory is
bg> believed to be accurate at the time of printing based
bg> on currently available information. Use of the
bg> information constitutes acceptance for use in an AS IS
bg> condition. There are no warranties with regard to this
bg> information. Neither the author nor the publisher
bg> accepts any liability for any direct, indirect or
bg> consequential loss or damage arising from use of, or
bg> reliance on this information.
bg>
bg> _______________________________________________
bg> Full-Disclosure - We believe in it.
bg> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
~/ZARAZA
Trouble will start at eight. (Twain)
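The following PowerShell script is an added illustration of point 2 in the reply above and is not part of the thread or of any scanner's code. It recreates the original post's ACL trick on a constructed sample file (the name only echoes the post; the content is harmless text), shows that a plain open by an Administrator is refused by the DACL, then enables SeBackupPrivilege on the same token through P/Invoke and opens the file with FILE_FLAG_BACKUP_SEMANTICS, which is what a SYSTEM daemon or backup-aware scanner does. The class name BackupOpen, the sample path and the choice of SYSTEM as the sole principal in the DACL are the example's own assumptions.

```powershell
# Added demonstration (not from the thread): reading past a DACL with SeBackupPrivilege.
# Run in an ELEVATED PowerShell on a test machine: a full admin token holds SeBackupPrivilege
# (disabled); a standard-user token does not hold it at all and the enable step fails.
$src = @'
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

public static class BackupOpen {
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr h, uint access, out IntPtr tok);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr tok, bool disableAll, ref TOKEN_PRIVILEGES ns,
                                             uint len, IntPtr prev, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string name, uint access, uint share, IntPtr sa,
                                            uint disp, uint flags, IntPtr tmpl);
    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);

    const uint TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x08, SE_PRIVILEGE_ENABLED = 0x02;
    const uint GENERIC_READ = 0x80000000, FILE_SHARE_READ = 1, OPEN_EXISTING = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;

    // True only if SeBackupPrivilege is held and is now enabled. AdjustTokenPrivileges returns
    // TRUE even when the privilege is not held; ERROR_NOT_ALL_ASSIGNED arrives via GetLastError.
    public static bool EnableBackupPrivilege() {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok)) return false;
        try {
            TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Attributes = SE_PRIVILEGE_ENABLED };
            if (!LookupPrivilegeValue(null, "SeBackupPrivilege", out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() == 0;
        } finally { CloseHandle(tok); }
    }

    // With the privilege enabled, an open that asks for backup semantics is granted read
    // access without the DACL being consulted.
    public static SafeFileHandle OpenForBackup(string path) {
        SafeFileHandle h = CreateFile(path, GENERIC_READ, FILE_SHARE_READ, IntPtr.Zero,
                                      OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        if (h.IsInvalid) throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        return h;
    }
}
'@
Add-Type -TypeDefinition $src

# Constructed sample file (assumed path); the content is harmless text.
$path = Join-Path $env:TEMP 'hUNT.exe.sample'
Set-Content -Path $path -Value 'constructed sample payload' -Encoding ASCII

# Replace the DACL with a single Read ACE, as "cacls /P dumb_user:R" does. The sole principal
# here is SYSTEM, so the current administrator has no matching ACE at all.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)            # stop inheriting, drop inherited ACEs
foreach ($ace in @($acl.Access)) { if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) } }
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'Read', 'Allow')))
Set-Acl -Path $path -AclObject $acl

# 1. Plain open, as a scanner that simply calls CreateFile would: refused by the DACL.
try { [System.IO.File]::ReadAllText($path) | Out-Null; $plain = 'allowed' }
catch { $plain = "denied ($($_.Exception.GetBaseException().GetType().Name))" }

# 2. Same token, SeBackupPrivilege enabled, FILE_FLAG_BACKUP_SEMANTICS: the read succeeds.
if (-not [BackupOpen]::EnableBackupPrivilege()) { throw 'SeBackupPrivilege not held; run elevated.' }
$h  = [BackupOpen]::OpenForBackup($path)
$fs = New-Object System.IO.FileStream($h, [System.IO.FileAccess]::Read)
$sr = New-Object System.IO.StreamReader($fs)
$data = $sr.ReadToEnd(); $sr.Dispose(); $h.Dispose()

"Plain open:            $plain"
"Backup-semantics open: read $($data.Length) bytes: '$data'"

# Cleanup: the owner keeps implicit WRITE_DAC, so inheritance can be restored and the file removed.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($false, $true)
Set-Acl -Path $path -AclObject $acl
Remove-Item -Path $path -Force
```

Two things to note when running it. The privilege only helps when the open actually asks for backup semantics, which is why a scanner that calls CreateFile the ordinary way is stopped by the same DACL that a SYSTEM daemon or backup-aware scanner walks past. And the privilege overrides the ACL check, not encryption: for an EFS-protected file the reply's remark still holds, since only a holder of the file key or a recovery agent gets plaintext back.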
Current thread:
- All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] GuidoZ (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] GuidoZ (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- <Possible follow-ups>
- All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 01)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 02)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re: (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re: (confirm) Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 02)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] bipin gautam (Oct 02)
- Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 03)
- Re[2]: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] Kolja Powischer (Oct 04)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] 3APA3A (Oct 02)
- Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV] GuidoZ (Oct 01)