[NT] Multiple Weaknesses in St Bernard's UpdateEXPERT

From: support@securiteam.com
Date: 04/17/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 17 Apr 2002 15:55:51 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Weaknesses in St Bernard's UpdateEXPERT
------------------------------------------------------------------------

SUMMARY

UpdateEXPERT (http://www.updateexpert.com/) helps you to secure your
systems by managing the deployment of service packs and Hotfixes.
Microsoft constantly releases updates for the OS and mission critical
applications. These fixes address security vulnerabilities and system
stability problems. UpdateEXPERT v5.1 supports Windows NT, 2000 and XP,
and a long list of mission critical applications (review the latest list
of supported applications). UpdateEXPERT's use of registry keys presents a
flawed picture of Hotfix status. Treating a file as valid because its
version is equal to or greater than a known value does not protect against
Trojan code. Validating the presence of patches based on information stored
on the computer itself is not a sound security practice.

DETAILS

Vulnerable systems:
UpdateEXPERT version 5.1

Weaknesses:
1) UpdateEXPERT's patch detection process is based only on the status of a
registry key. If you delete this key you can fool UpdateEXPERT into
thinking the patch has not been applied. Worse, if you create the expected
registry key, you can fool UpdateEXPERT into thinking the patch has been
applied when it has not been installed. (See number 2 for a weakness in
the patch validation process that is meant to overcome this problem.)

To see if a patch is installed, UpdateEXPERT looks in the computer's
registry for a registry value. For Windows patches, it looks under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Hotfix\Qxxxxxx\. If there is an Installed value set to 1,
then UpdateEXPERT says the patch is installed. If the value is 0, or is not
present, then UpdateEXPERT says the patch is missing.

A) It is possible to make an installed patch appear to be missing by
modifying or deleting the Installed=1 registry value. To make the Windows
2000 rollup patch appear to be uninstalled find the following registry
key: HKLM\Software\Microsoft\Windows NT\Currentversion\HotFix\SP2SRP1 and
delete the Installed=1 value - or change it to 0.

B) It is possible to make an uninstalled patch appear to be installed.
This is the worse of the two scenarios. To make the recent IIS security
patch appear to be installed when it is not, create this key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Q319733 and create a
value of Installed=1.

When UpdateEXPERT is run, it will show a green dot next to this patch on
this computer, telling the administrator that the patch has been applied
though it has not.

Relying on registry keys for patch inventory is not reliable. Further,
this process does not help identify situations where MS has released a
new version of a specific patch. (By relying on registry keys,
UpdateEXPERT is not able to tell that a more recent version of the patch
is available.)

To combat the above issue, St. Bernard built a patch Validation function.

"Validation is the process by which UpdateEXPERT verifies that the list of
updates that have been installed are still present. Validation is
dependent on the information made available in the fix describing what
files are supposed to exist and various information about these files."
(from the UpdateEXPERT Help file)

Unfortunately, since it performs no integrity checking, it can be fooled.

2) The UpdateEXPERT patch validation function can be easily fooled by
modifying registry keys on the computer. By deleting or modifying specific
registry values, you can make UpdateEXPERT "Validate" the presence of a
patch that is not properly installed. In the worst case, you can make
UpdateEXPERT believe that a patch has been installed and is valid, when
the patch has never been applied.

By selecting a supposedly installed patch (marked by a green dot), you can
right click on the patch and choose to view the files that were installed
by the patch. The list of files comes from this registry key:
HKLM\Software\Microsoft\Updates\Windows 2000\SP3\Qxxxxxx\Filelist

UpdateEXPERT performs its validation function by comparing the file
version data stored in this key to the file version of the files on the
system. If the files on the system are equal to or greater than the file
versions listed in the registry, UpdateEXPERT says the patch is Validated.
Therefore, a malicious copy of a Hotfix file (with a version number greater
than the one in the registry key) would be considered valid.

To make UpdateEXPERT believe that the recent IIS patch has been installed
and to make it appear valid (when neither is true), write the following
registry keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Q319733: create a value
of Installed=1
HKLM\Software\Microsoft\Updates\Windows 2000\SP3\Q319733\Filelist: create
a key '0' under this key and write the following values:
 FileName:RegSZ:Kernel32.dll
 Location:RegSZ:C:\Winnt\System32
 Version:RegSZ:1.0

UpdateEXPERT will show the patch as installed (Installed=1), and when it
Validates, it will look for kernel32.dll with a file version equal to or
greater than 1.0. Result: the patch is shown as installed and Validated,
when it has never been applied.
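To make the two checks described in weaknesses 1 and 2 concrete, here is an added in-memory model of them (it is not UpdateEXPERT's code and touches no real registry or file system). The registry paths follow the advisory; the file names, versions, byte contents and digests are constructed sample data, not the real contents of Q319733, and the hash-based check at the end is the kind of off-box integrity verification the advisory says is missing. The four scenarios are the genuine install, the deleted Installed value (1A), the registry-only spoof (1B/2) and a replaced file with an inflated version number (2).

```python
import hashlib
from dataclasses import dataclass

# Registry paths as named in the advisory (Hotfix key per the general form).
HOTFIX_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix\Q319733"
FILELIST_KEY = r"HKLM\Software\Microsoft\Updates\Windows 2000\SP3\Q319733\Filelist"
SYSTEM32 = r"C:\Winnt\System32"

# Constructed sample data: not the real bytes or versions shipped by the patch.
VENDOR_BYTES = b"constructed: bytes of the patched kernel32.dll"
OLD_BYTES = b"constructed: bytes of the unpatched kernel32.dll"
TROJAN_BYTES = b"constructed: bytes of a tampered kernel32.dll"
PATCHED_VERSION = "5.0.2195.5000"   # constructed
UNPATCHED_VERSION = "5.0.2195.1"    # constructed


def norm(path):
    """Windows paths are case-insensitive; compare them lower-cased."""
    return path.lower()


# Off-box reference the hardened check trusts: path -> SHA-256 of the file the
# patch is supposed to install. In practice this comes from the vendor, not the host.
KNOWN_GOOD = {norm(SYSTEM32 + r"\kernel32.dll"): hashlib.sha256(VENDOR_BYTES).hexdigest()}


@dataclass
class FileOnDisk:
    version: str
    content: bytes


def parse_version(text):
    """'5.0.2195.5000' -> (5, 0, 2195, 5000) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def registry_says_installed(registry):
    """Weakness 1: the only evidence consulted is Installed=1 under the Hotfix key."""
    return registry.get(HOTFIX_KEY, {}).get("Installed") == 1


def version_validates(registry, filesystem):
    """Weakness 2: each Filelist entry must exist with version >= the recorded one."""
    entries = registry.get(FILELIST_KEY, {})
    if not entries:
        return False
    for entry in entries.values():
        on_disk = filesystem.get(norm(entry["Location"] + "\\" + entry["FileName"]))
        if on_disk is None or parse_version(on_disk.version) < parse_version(entry["Version"]):
            return False
    return True


def hash_validates(filesystem):
    """Hardened check: on-disk bytes must match the off-box known-good digest."""
    for path, digest in KNOWN_GOOD.items():
        on_disk = filesystem.get(path)
        if on_disk is None or hashlib.sha256(on_disk.content).hexdigest() != digest:
            return False
    return True


def assess(registry, filesystem):
    return {
        "registry_installed": registry_says_installed(registry),
        "version_validated": version_validates(registry, filesystem),
        "hash_validated": hash_validates(filesystem),
    }


def genuine_registry():
    """Registry state a real installation of the (modelled) patch would leave."""
    return {
        HOTFIX_KEY: {"Installed": 1},
        FILELIST_KEY: {"0": {"FileName": "Kernel32.dll", "Location": SYSTEM32,
                             "Version": PATCHED_VERSION}},
    }


def patched_disk():
    return {norm(SYSTEM32 + r"\kernel32.dll"): FileOnDisk(PATCHED_VERSION, VENDOR_BYTES)}


def scenario_genuine():
    return assess(genuine_registry(), patched_disk())


def scenario_key_deleted():
    """1A: patched machine whose Installed value was removed; only the hash check is right."""
    registry = genuine_registry()
    del registry[HOTFIX_KEY]["Installed"]
    return assess(registry, patched_disk())


def scenario_registry_only():
    """1B/2: the advisory's keys written on a never-patched machine (Version=1.0)."""
    registry = {
        HOTFIX_KEY: {"Installed": 1},
        FILELIST_KEY: {"0": {"FileName": "Kernel32.dll", "Location": SYSTEM32, "Version": "1.0"}},
    }
    disk = {norm(SYSTEM32 + r"\kernel32.dll"): FileOnDisk(UNPATCHED_VERSION, OLD_BYTES)}
    return assess(registry, disk)


def scenario_trojaned_file():
    """2: genuine registry, but the file was replaced by one with a higher version."""
    disk = {norm(SYSTEM32 + r"\kernel32.dll"): FileOnDisk("9.9.9.9", TROJAN_BYTES)}
    return assess(genuine_registry(), disk)


if __name__ == "__main__":
    for name, fn in [("genuine", scenario_genuine), ("key deleted", scenario_key_deleted),
                     ("registry only", scenario_registry_only), ("trojaned file", scenario_trojaned_file)]:
        print(f"{name:14} {fn()}")
```

In the registry-only and trojaned-file scenarios both of the advisory's checks report the patch as installed and validated while the known-good digest check fails; in the deleted-key scenario the registry check reports the patch missing while the file content is in fact correct. The design point is that the hardened check draws its reference from outside the host, so an actor who can write the host's registry cannot also rewrite the reference it is compared against.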

Vendor status:
"As far as I know, there is no way to manipulate the values you mention
without being an Administrator. If one of your administrators deletes
these values, you will indeed have the symptoms you mentioned. However,
letting someone like that have administrative rights on your machine is
the source of the error." - John Duddy, Principal Engineer, St. Bernard
Software

This is not entirely correct, since many viruses and Trojans run with
SYSTEM or Administrator-equivalent privileges and would therefore be able
to modify the values stored in those registry keys.

ADDITIONAL INFORMATION

The information has been provided by Ragnarok (Ragnarok@HAMMEROFGOD.COM)
and John Duddy (JDuddy@STBERNARD.COM).
