Antivirus, Trojan, Spyware scanner, Nested file manual scan bypass bug
From: Bipin Gautam (visitbipin_at_hotmail.com)
Date: 5 Oct 2004 13:54:17 -0000
To: firstname.lastname@example.org
Antivirus, Trojan, Spyware scanner, Nested file manual scan bypass bug.
Affected Product (Only tested on...):
McAfee Virus Scan Professional (220.127.116.11)
Norton Antivirus 2003
Risk Level: Medium
Malicious code can reside on a computer (with the user's privileges) and bypass the "manual scans" of any antivirus, trojan and spyware scanner by simply issuing this command against itself:
cacls.exe hUNT.exe /T /C /P dumb_user:R
If the "only execute" permission is set, some AV auto-protect engines will also fail to stop malicious code execution. This way, no software, even with Admin privilege, can access this file (hUNT.exe) normally, because the only account that has normal access to the file is "dumb_user".
If the scanner is unable to access the file that is under the security context of "dumb_user", the auto-protect engine will also fail to stop malicious code from executing. Mostly, a user's HOME directory is *only accessible* by that particular user, because permissions are mostly set so that he/she is the only owner of that directory. In that case, if malicious code gets copied to the desktop (inside the home directory, or a directory that is only accessible by the user), the auto-protect engine will also fail to stop its execution.
3APA3A (3APA3A[at]SECURITY.NNOV.RU) pointed out another interesting issue...
You still can bypass antiviral protection for manual scans with file encryption (on-access scanners may impersonate accessing user). This time file can only be scanned by administrator if administrator is recovery agent.
In a manual scan, the scanner runs under the security context of the Administrator who is responsible for scanning the system, hence the virus goes unnoticed due to the NTFS file permission restriction. But if the Auto-Protect engine loads as a kernel driver, the virus gets stopped during execution. Many trojan and spyware scanners, however, just run with Administrative privilege, so it is an issue for all those products.
Please follow the procedure & confirm if other antivirus products are vulnerable as well.
No wonder there are several false assumptions in Windows security configuration as well, when a JOE administrator could permanently lock himself out of his own machine.
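The gap described above is a coverage problem: a manual scan that cannot open a file should report it instead of skipping it. The following Python example is added here and is not part of the original advisory or any vendor's code; it lists every file the scanning account cannot read, and the access-denied condition on hUNT.exe is simulated by a constructed `acl_opener` helper (a hypothetical name) rather than a real NTFS ACL.

```python
import os
import tempfile

def audit_scan_coverage(root, opener=open):
    """Try to read every file under root the way a manual scanner would.

    Returns (scanned, unreadable); unreadable holds (path, error name) pairs
    that a scanner must report instead of silently skipping.
    """
    scanned, unreadable = [], []

    def on_walk_error(err):
        # os.walk ignores directories it cannot list unless told otherwise.
        unreadable.append((err.filename, type(err).__name__))

    for dirpath, _dirs, files in os.walk(root, onerror=on_walk_error):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with opener(path, "rb") as fh:
                    fh.read(1)  # listing is not enough; prove content is readable
                scanned.append(path)
            except OSError as exc:  # PermissionError is an OSError subclass
                unreadable.append((path, type(exc).__name__))
    return scanned, unreadable

def verdict(unreadable):
    """A scan with unread files is incomplete, never 'clean'."""
    return "INCOMPLETE" if unreadable else "COMPLETE"

def demo():
    """Constructed sample tree; the deny ACL on hUNT.exe is simulated."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("notes.txt", "hUNT.exe"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"sample")

        def acl_opener(path, mode):
            # Stand-in for NTFS denying the scanning account read access.
            if os.path.basename(path) == "hUNT.exe":
                raise PermissionError(13, "Access is denied", path)
            return open(path, mode)

        scanned, unreadable = audit_scan_coverage(root, opener=acl_opener)
        return ([os.path.basename(p) for p in scanned],
                [(os.path.basename(p), e) for p, e in unreadable],
                verdict(unreadable))

if __name__ == "__main__":
    print(demo())
```

Run against a real directory tree under the same account the manual scan uses, the unreadable list is the set of files the scan could not have inspected.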
Disclaimer: The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.