[NEWS] Safe'nSec Multiple Insecure Usage of CreateProcess()
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 20 Feb 2006 19:17:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Safe'nSec Multiple Insecure Usage of CreateProcess()
------------------------------------------------------------------------
SUMMARY
"Safe n Sec is complex data and user applications protection against threats and vulnerabilities for individual PC as well as workstations in corporate networks." (http://www.star-force.com/computer_security/)
The Microsoft Windows API "includes the CreateProcess() function as a means to create a new process and its primary thread." (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp)
Improper use of the Windows API function CreateProcess() allows attackers to execute arbitrary programs within Microsoft Windows.
DETAILS
Vulnerable Systems:
* Safe'nSec Personal version 2.0 and prior
* Safe'nSec Antispyware version 2.0 and prior
snsmcon.exe spawns the GUI process safensec.exe through CreateProcess(). In doing so it leaves the 'lpApplicationName' parameter unset and also fails to quote the path passed in 'lpCommandLine'.
This results in c:\program.bat|exe|com being tried prior to safensec.exe, allowing the automatic startup of a potentially rogue application.
In particular, one could imagine a scenario in which this is used to escalate rights, since they are inherited from snsmcon.exe.
Safe'nSec omits the quotes around the path to the executable and as such
may spawn a rogue application instead of the appropriate Starforce
application.
During installation a routine spawns a process and omits the quotes around the path, thus executing c:\program.exe (here calc.exe).
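As an added illustration that is not part of the advisory, the following C model reproduces the lookup CreateProcess() performs when lpApplicationName is unset and lpCommandLine is unquoted: every whitespace-delimited prefix is tried in turn (with ".exe" appended when the prefix has no extension), so an auditor can list the paths a rogue program could occupy ahead of the intended executable. The install path in the test data is an assumption, not one given by the advisory.

```c
#include <string.h>

#define MAX_CAND 16
#define MAX_PATH_LEN 260

static char g_cands[MAX_CAND][MAX_PATH_LEN];

/* Enumerate the module names CreateProcess() tries when lpApplicationName is
 * NULL: each whitespace-delimited prefix of lpCommandLine in order, with
 * ".exe" appended when the prefix has no extension; a quoted command line
 * (the fixed form) yields exactly one candidate. Returns the count;
 * candidate 0 is the first path a rogue program could occupy and the last
 * one is the intended executable. */
int hijack_candidate_count(const char *cmdline)
{
    size_t len = strlen(cmdline), i;
    int n = 0;
    if (cmdline[0] == '"') {                        /* quoted: one token */
        const char *end = strchr(cmdline + 1, '"');
        size_t plen = end ? (size_t)(end - cmdline - 1) : len - 1;
        if (plen >= MAX_PATH_LEN) return 0;
        memcpy(g_cands[0], cmdline + 1, plen);
        g_cands[0][plen] = '\0';
        return 1;
    }
    for (i = 1; i <= len && n < MAX_CAND; i++) {
        int boundary = (i == len) || cmdline[i] == ' ' || cmdline[i] == '\t';
        if (!boundary || cmdline[i - 1] == ' ' || cmdline[i - 1] == '\t')
            continue;                               /* not a token end */
        if (i + 4 >= MAX_PATH_LEN) break;
        memcpy(g_cands[n], cmdline, i);
        g_cands[n][i] = '\0';
        const char *base = strrchr(g_cands[n], '\\');
        base = base ? base + 1 : g_cands[n];
        if (strchr(base, '.') == NULL)              /* no extension -> .exe */
            strcat(g_cands[n], ".exe");
        n++;
    }
    return n;
}

/* Candidate idx for cmdline, or NULL when idx is out of range. */
const char *hijack_candidate(const char *cmdline, int idx)
{
    int n = hijack_candidate_count(cmdline);
    return (idx >= 0 && idx < n) ? g_cands[idx] : NULL;
}
```

Running the unquoted form of an install path under "C:\Program Files" reports "C:\Program.exe" as the first candidate, which is exactly the c:\program.exe the advisory observed; the same path wrapped in quotes reports a single candidate.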
Vendor Status:
Vendor Response : None
ADDITIONAL INFORMATION
The information has been provided by Thierry Zoller (Thierry@xxxxxxxxx).
The original article can be found at:
http://secdev.zoller.lu/research/safnsec.htm