Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]

From: Bipin Gautam <visitbipin () hotmail com>
Date: 4 Oct 2004 13:34:39 -0000


Affected Product (Only tested on...):

Mcafee Virus Scan professional (8.0.0.12)
Norton Antivirus 2003
Kaspersky 4.5x
Ad-Aware (6.0.1.181)
The Cleaner

Risk Level: Medium


Description:
------------

A malicious code can reside in a computer (with users privilege) bypassing "manual scans" of any Antivirus, Trojan & 
Spy ware scanners by simply issuing this command to itself.

cacls.exe hUNT.exe /T /C /P dumb_user:R

...this is only due to the design fault in Microsoft Windows, the way it handles NTFS file permission. By this way... 
any software’s with even Admin./SYSTEM privilege can't access this file (hUNT.exe) normally because the only person who 
has normal access to this file is "dumb_user"

If the scanner is unable to access the file that is under the security content of "dumb_user"... the auto-protect 
engine will also fail to stop a malicious code from executing. Mostly, a user's HOME directory *only accessible* by the 
by the particular user... cauz mostly* permission is set in a way he/she is only the owner of that directory. In that 
case, if a malicious code gets copied in desktop (inside home directory, or the directory that's only* accessible by 
the user) the auto-protect engine will also fail to stop a malicious code execution.

3APA3A (3APA3A[at]SECURITY.NNOV.RU] pointed out another interesting issue...
You still can bypass antiviral protection for manual scans with file encryption (on-access scanners may impersonate 
accessing user). This time file can only be scanned by administrator if administrator is recovery agent.

In manual scan... the scanner runs under the security content of Administrator who is responsible for scanning the 
system.... hence the virus goes unnoticed due to NTFS file permission restriction. But, if the Auto-Protect engine 
loads as a kernel driver, the virus gets stopped in the way during execution. But many trojan, spyware scanner just run 
with the Administrative privilege, so its a ISSUE for all those products.

Please follow the procedure & confirm if other antivirus products are vulnerable as well.

No wonder, there are several false assumptions in windows security configuration as well, when a JOE administrator 
could permanently lock himself up in his own machine.

regards,
Bipin Gautam
http://www.geocities.com/visitbipin/

 

Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently 
available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no 
warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, 
indirect or consequential loss or damage arising from use of, or reliance on this information.
Previous By Date Next
Previous By Thread Next

Current thread: