[VulnWatch] SRT2003-08-11-0729 - Linux based antivirus software contains several local overflows

From: KF (dotslash_at_snosoft.com)
Date: 08/20/03

    Date: Wed, 20 Aug 2003 13:31:45 -0400
    To: bugtraq <bugtraq@securityfocus.com>
    
    
    

    http://www.secnetops.biz/research


    Secure Network Operations, Inc. http://www.secnetops.com
    Strategic Reconnaissance Team research@secnetops.com
    Team Lead Contact kf@secnetops.com

    Our Mission:
    ************************************************************************
    Secure Network Operations offers expertise in Networking, Intrusion
    Detection Systems (IDS), Software Security Validation, and
    Corporate/Private Network Security. Our mission is to facilitate a
    secure and reliable Internet and inter-enterprise communications
    infrastructure through the products and services we offer.

    Quick Summary:
    ************************************************************************
    Advisory Number : SRT2003-08-11-0729
    Product : ViRobot Linux Server
    Version : Ver 2.0
    Vendor : http://www.hauri.net
    Class : local (remote?)
    Criticality : High
    Operating System(s) : *nix

    High Level Explanation
    ************************************************************************
    High Level Description : Antivirus software has local security issues
    What to do : chmod -s all suids in /usr/local/ViRobot/

    Technical Details
    ************************************************************************
    Proof Of Concept Status : SNO has PoC code for this issue
    Low Level Description :

    Alex Hernandez, a security specialist from Spain, pointed out to us that a
    new Unix-based antivirus solution contained a large number of suid binaries.
    Based on this information we both began beating on the suids in an effort
    to expose security issues.

    ViRobot Linux Server protects your file server from viruses. It keeps its
    definition files up to date through scheduled updates and scans most
    compressed file formats. ViRobot Linux Server is also convenient to manage
    through its remote-control function via web access: a user who has the ID
    and password for the server can access ViRobot on the server from any
    computer via a web browser. Please have a safe server with ViRobot Linux
    Server... but be sure to chmod -s everything in sight.

    There are several potential suids to abuse... some have local overflows that
    may or may not be exploitable. I honestly only checked a few, since most are
    run as CGI scripts (more fun later?).

    ./vrupdate
    ./cgi-bin/addexceptdir
    ./cgi-bin/addschscan
    ./cgi-bin/addschup
    ./cgi-bin/addtargetdir
    ./cgi-bin/applyadmin
    ./cgi-bin/applybackuplog
    ./cgi-bin/applyfilescan
    ./cgi-bin/bottom
    ./cgi-bin/deletelog
    ./cgi-bin/delschscan
    ./cgi-bin/delschup
    ./cgi-bin/filescan
    ./cgi-bin/frame
    ./cgi-bin/help
    ./cgi-bin/help1
    ./cgi-bin/help2
    ./cgi-bin/login
    ./cgi-bin/main
    ./cgi-bin/menu
    ./cgi-bin/menu2
    ./cgi-bin/menu3
    ./cgi-bin/menu4
    ./cgi-bin/menu5
    ./cgi-bin/menu6
    ./cgi-bin/rmdir
    ./cgi-bin/schscan
    ./cgi-bin/schupdate
    ./cgi-bin/setadmin
    ./cgi-bin/setbackuplog
    ./cgi-bin/setfilescan
    ./cgi-bin/setupdate
    ./cgi-bin/top
    ./cgi-bin/update
    ./cgi-bin/ver_info
    ./cgi-bin/viewfilelog
    ./cgi-bin/viewupdatelog
    ./cgi-bin/virobot
    ./cgi-bin/vrupdate
    ./cgi-bin/warningmessage
    ./cgi-bin/webvrscan

    [kf@vegeta kf]$ ln -s /usr/local/ViRobot/cgi-bin/virobot virobot
    [kf@vegeta kf]$ ./ex_virobot
    ViRobot Linux Server Local root exploit
    BY: Dvdman@l33tsecurity.com
    BUG FOUND BY: KF@SNOSOFT.COM
    TERM environment variable not set.

    -------------------------------------------------------------------------------
     ViRobot Linux Server ( Heuristic & Feature detection ) 10 May 2002 Korea
     Copyright (c) 1998-2003 HAURI Inc. All rights reserved
     E-mail : support@hauri.net Version 2.0
    -------------------------------------------------------------------------------

     Usage : virobot [<option list>] -d [directory]

     <option list> :
                     --recursive : Subdirectory Scanning
                     --archive : Archive File Scanning
                     --recovery : Repair Infected File
                     --delete : Delete Infected File
                     --backup : Backup Infected File
                     --version : Display ViRobot Engine Version
                     --help : DisPlay The Command Line Options

    sh-2.05b# id
    uid=0(root) gid=500(kf) groups=500(kf)

    Thanks to alex_hernandez [at] ureach.com for passing the information
    on to our staff.

    Patch or Workaround : chmod -s all suids in /usr/local/ViRobot/
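    The "chmod -s" workaround above, written out as an audit-then-remediate shell script. This is an added example, not code from the SNO advisory or from HAURI; only the install path /usr/local/ViRobot comes from the advisory, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the vendor): audit and then strip
# the setuid/setgid bits under a ViRobot install tree, i.e. the advisory's
# "chmod -s all suids in /usr/local/ViRobot/" workaround. The path is the
# one the advisory names; the function names are assumptions of this example.

# Audit only: print every regular file beneath $1 that is setuid or setgid.
# Nothing is modified, so run this first and review what will be touched.
list_suid_under() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Count what list_suid_under reports (whitespace trimmed so "-eq" works).
count_suid_under() {
    list_suid_under "$1" | wc -l | tr -d ' '
}

# Remediate: clear both the setuid and setgid bits on every such file and
# print how many files changed. Using find -exec rather than a for-loop over
# command output avoids word-splitting on odd file names; the options used
# are POSIX find/chmod.
strip_suid_under() {
    dir=$1
    before=$(count_suid_under "$dir")
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} +
    after=$(count_suid_under "$dir")
    echo $((before - after))
}

# Typical use on a live host, as root (audit, remediate, re-audit):
#   list_suid_under  /usr/local/ViRobot
#   strip_suid_under /usr/local/ViRobot
#   count_suid_under /usr/local/ViRobot    # should now print 0
```

    Since most of the listed binaries are the web front end's CGI helpers, stripping their bits also removes whatever privilege that interface relied on, so confirm the service still behaves as you need afterwards.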

    Vendor Status : vendor communication was minimal

    Bugtraq URL : to be assigned

    ------------------------------------------------------------------------
    This advisory was released by Secure Network Operations,Inc. as a matter
    of notification to help administrators protect their networks against
    the described vulnerability. Exploit source code is no longer released
    in our advisories. Contact research@secnetops.com for information on how
    to obtain exploit information.

