Home / vulnerabilitiesPDF  

TISA-2007-09-Public.txt

Posted on 30 August 2007
Source : packetstormsecurity.org Link

 



=========================================================================
Team Intell Security Advisory TISA2007-09-Public
-------------------------------------------------------------------------
Multiple improper file path handling issues
=========================================================================

Release date: 30.08.2007
Severity: Less critical
Impact: Privilege escalation
Remote: No
Disclosed by: Edi Strosar (Team Intell)


Summary:
========
The way Microsoft Windows handles filenames is well known
and documented. In situations where the path to executable
contains white space and is not enclosed in quotation
marks, it is possible to execute alternate application.
Microsoft certainly is aware of this issue, but they don't
consider it as a security related problem.

Applications that were found susceptible to unquoted
executable path issue a.k.a program.exe trick (from the
series "Quis custodiet ipsos custodes?"):


01.) A-squared Anti-Malware 3.0
Service: a-squared Anti-Malware Service
Image path: C:Program Filesa-squared
Anti-Malwarea2service.exe
Account: Local System
Impact: Privilege escalation
Status: Patched
Vendor: http://www.emsisoft.com/

02.) A-squared Free 3.0
Service: a-squared Free Service
Image path: C:Program Filesa-squared
Freea2service.exe
Account: Local System
Impact: Privilege escalation
Status: Patched
Vendor: http://www.emsisoft.com/

03.) Ashampoo AntiVirus v1.40
Service: avGuard Service
Image path: C:Program FilesAshampooAshampoo
AntiVirusashavsrv.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.ashampoo.com/

04.) Comodo BOClean Anti-Malware 4.25
Service: BOClean Core Service
Image path: C:Program
FilesComodoCBOCleanocore.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.comodo.com/

05.) Comodo Firewall v2.4
Service: Commodo Application Agent
Image path: C:Program
FilesComodoFirewallcmdagent.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.personalfirewall.comodo.com/

06.) eScan Anti-Virus 9.0
Service: MicroWord Agent Service
Image path: C:Program FilesCommon
FilesMicroWordAgentmwaser.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.mwti.net/

07.) eScan Virus Control 9.0
Service: MicroWord Agent Service
Image path: C:Program FilesCommon
FilesMicroWordAgentmwaser.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.mwti.net/

08.) Ikarus Virus Utilities v1.0.56
Service: The Guard X Service
Image path: C:Program FilesIkarusVirus
UtilitiesBinguardxservice.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.ikarus-software.at/

09.) iolo Antivirus
Service: iolo DMV Service
Image path: C:Program
FilesioloCommonLibiolodmvsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.iolo.com/

10.) iolo Firewall
Service: iolo DMV Service
Image path: C:Program
FilesioloCommonLibiolodmvsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.iolo.com/

11.) Norman Internet Control (Pro) v5.90
Service: Norman eLogger Service 6
Image path: C:Program
FilesNormanNpmBinelogsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.norman.com/

12.) Norman Personal Firewall v1.42
Service: Norman Type-R
Image path: C:Program
FilesNormanNpmBin
pfsvice.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.norman.com/

13.) Norman Virus Control (Pro) v5.90
Service: Norman eLogger Service 6
Image path: C:Program
FilesNormanNpmBinelogsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.norman.com/

14.) Outpost Firewall Pro
Service: Outpost Firewall Service
Image path: C:Program FilesAgnitumOutpost
Firewalloutpost.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.agnitum.com/

15.) Outpost Security Suite Pro
Service: Outpost Security Suite Service
Image path: C:Program FilesAgnitumOutpost
Security Suiteoutpost.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.agnitum.com/

16.) Quick Heal AntiVirus Plus 2007
Service: Quick Heal Firewall Service
Image path: C:Program FilesCat ComputerQuick Heal
Firewall Proqhfw.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.quickheal.co.in/

17.) Quick Heal Total Security 2007
Service: Quick Heal Firewall Service
Image path: C:Program FilesCat ComputerQuick Heal
Firewall Proqhfw.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.quickheal.co.in/

18.) Rising Antivirus 2007
Service: RsRavMon Service
Image path: C:Program FilesRisingRav
avmond.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.rising-eu.de/

19.) Rising Firewall 2007
Service: Rising Personal Firewall Service
Image path: C:Program FilesRisingRFW
fwsrv.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.rising-eu.de/

20.) Trend Micro AntiVirus + AntiSpyware 2007
Service: Trend Micro AntiVirus Protection Service
Image path: C:Program FilesTrend MicroAntiVirus
2007 avsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vemdor: http://www.trendmicro.com/

21.) ViRobot Desktop 5.5
Service: Hauri Common Service
Image path: C:Program
FilesHauriCommonhsvcmod.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.globalhauri.com/

22.) Virus Chaser
Service: Virus Chaser Spider NT
Image path: C:Program FilesVirus
Chaserspidernt.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.viruschaser.com.hk/eng/

23.) And the list goes on and on...


Limitations:
============
This conditions are difficult, if not impossible, to
exploit on Windows XP/2003/Vista. By default these
operating systems implement restrictive file permission
policy. Exploitation is limited to Microsoft Windows 2000
and to misconfigured ACLs cases.


References:
===========
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp


Solution:
=========
Some vendors released updates addressing this issue. The
"hot fix" is actually pretty simple: open Registry Editor
and place the ImagePath inside double quotes.


Timeline:
=========
10.08.2007 - initial vendors notification
20.08.2007 - additional vendors notification
30.08.2007 - public disclosure


Contact:
========
Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com


Disclaimer:
===========
The content of this report is purely informational and
meant for educational purposes only. Maldin d.o.o. shall
in no event be liable for any damage whatsoever, direct or
implied, arising from use or spread of this information.
Any use of information in this advisory is entirely at
user's own risk.

=========================================================================


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 

TOP

Malware :

Exploits :