Multiple Vulnerabilities in iAntiVirus



Title
Multiple Vulnerabilities in iAntiVirus

Program
PC Tools iAntiVirus for Mac OS X
http://www.iantivirus.com/

Tested version
1.35, Engine Version 1.0.0.10

tested on german Mac OS X 10.5 with following preferences:
- Scan inside archives ON
- Scan mode NORMAL
- Heuristics NORMAL

Description
1. No scan in .sit- and .dmg-archives

The scan-function and the online-scanner OnGuard doesn't
scan .sit- and .dmg-archives.

Impact:
It's possible to download malware from the internet or
to copy it from an usb-stick without interruption from
iAntiVirus.
Malware in .sit-archives is recognized by OnGuard during
manuel decompression, but malware in .dmg-diskimages is
only recognized during a manual scan of the mounted image.
It's possible to run malware from the mounted diskimage
(tested with MacSmurf, which iAntiVirus recognizes as
'Hacktool.OSX.MacSmurf')

2. Problems with special chars in filenames

The scanner, OnGuard and the quarantine-management are
unable to work with files with several special chars in
it, for example ?, which is transformed to Æ.

Impact:
False-positives are lost, since it's impossible to restore
them. Perhaps it's possible to evade the virus-protection.

3. No user-restrictions in the quarantine-management

All quarantined files are managed in the same area. Every
user can restore the files of every other user, included
the admin

Impact:
A normal user can restore quarantined malware in other
accounts, tested with the iWorks-Trojan, which was
installed by the admin and restored by a normal user.
Additional, the history-function contains no information
about the user which performs an action and can erased by
every user.

4. OnGuard does only protect one user (or perhaps a few more)
If OnGuard is on and another user logs in, it seems as if
OnGuard is off. If he copies some malware on the system,
this disappears without any warning: OnGuard is active and
moves the files in the quarantine, but doesn't inform the
user about this. If the first user is an admin, this seems
to work for every normal user. If the first user is a normal
user, it sometimes works for the admin as second user, but
not every time.

5. Ignorance of file-permissions

Every normal user can start a "normal scan", which includes
the system-, library- an program-folders and the folders of
every user.

Solution
None

Credits
Carsten Eilers

Original advisory
http://www.ceilers-it.de/advisories/iantivirus.html
(also as german version)


Regards
Carsten Eilers