
List:       full-disclosure
Subject:    [Full-disclosure] Multiple improper file path handling issues
From:       <edi.strosar () varnostne-novice ! com>
Date:       2007-08-29 22:26:07
Message-ID: web-23644853 () bk3 ! webmaillogin ! com

=========================================================================
Team Intell Security Advisory TISA2007-09-Public
-------------------------------------------------------------------------
Multiple improper file path handling issues
=========================================================================

Release date:    30.08.2007
Severity:        Less critical
Impact:          Privilege escalation
Remote:          No
Disclosed by:    Edi Strosar (Team Intell)


Summary:
========
The way Microsoft Windows handles filenames is well known 
and documented. In situations where the path to an executable 
contains white space and is not enclosed in quotation 
marks, it is possible to execute an alternate application. 
Microsoft is certainly aware of this issue, but does not 
consider it a security related problem.

Applications that were found susceptible to the unquoted 
executable path issue, a.k.a. the program.exe trick (from the 
series "Quis custodiet ipsos custodes?"):


01.) A-squared Anti-Malware 3.0
      Service: a-squared Anti-Malware Service
      Image path: C:\Program Files\a-squared Anti-Malware\a2service.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Patched
      Vendor: http://www.emsisoft.com/

02.) A-squared Free 3.0
      Service: a-squared Free Service
      Image path: C:\Program Files\a-squared Free\a2service.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Patched
      Vendor: http://www.emsisoft.com/

03.) Ashampoo AntiVirus v1.40
      Service: avGuard Service
      Image path: C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashavsrv.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.ashampoo.com/

04.) Comodo BOClean Anti-Malware 4.25
      Service: BOClean Core Service
      Image path: C:\Program Files\Comodo\CBOClean\bocore.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.comodo.com/

05.) Comodo Firewall v2.4
      Service: Comodo Application Agent
      Image path: C:\Program Files\Comodo\Firewall\cmdagent.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.personalfirewall.comodo.com/

06.) eScan Anti-Virus 9.0
      Service: MicroWord Agent Service
      Image path: C:\Program Files\Common Files\MicroWord\Agent\mwaser.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.mwti.net/

07.) eScan Virus Control 9.0
      Service: MicroWord Agent Service
      Image path: C:\Program Files\Common Files\MicroWord\Agent\mwaser.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.mwti.net/

08.) Ikarus Virus Utilities v1.0.56
      Service: The Guard X Service
      Image path: C:\Program Files\Ikarus\Virus Utilities\Bin\guardxservice.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.ikarus-software.at/

09.) iolo Antivirus
      Service: iolo DMV Service
      Image path: C:\Program Files\iolo\Common\Lib\iolodmvsvc.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.iolo.com/

10.) iolo Firewall
      Service: iolo DMV Service
      Image path: C:\Program Files\iolo\Common\Lib\iolodmvsvc.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.iolo.com/

11.) Norman Internet Control (Pro) v5.90
      Service: Norman eLogger Service 6
      Image path: C:\Program Files\Norman\Npm\Bin\elogsvc.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.norman.com/

12.) Norman Personal Firewall v1.42
      Service: Norman Type-R
      Image path: C:\Program Files\Norman\Npm\Bin\npfsvice.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.norman.com/

13.) Norman Virus Control (Pro) v5.90
      Service: Norman eLogger Service 6
      Image path: C:\Program Files\Norman\Npm\Bin\elogsvc.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.norman.com/

14.) Outpost Firewall Pro
      Service: Outpost Firewall Service
      Image path: C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.agnitum.com/

15.) Outpost Security Suite Pro
      Service: Outpost Security Suite Service
      Image path: C:\Program Files\Agnitum\Outpost Security Suite\outpost.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.agnitum.com/

16.) Quick Heal AntiVirus Plus 2007
      Service: Quick Heal Firewall Service
      Image path: C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.quickheal.co.in/

17.) Quick Heal Total Security 2007
      Service: Quick Heal Firewall Service
      Image path: C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.quickheal.co.in/

18.) Rising Antivirus 2007
      Service: RsRavMon Service
      Image path: C:\Program Files\Rising\Rav\ravmond.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.rising-eu.de/

19.) Rising Firewall 2007
      Service: Rising Personal Firewall Service
      Image path: C:\Program Files\Rising\RFW\rfwsrv.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.rising-eu.de/

20.) Trend Micro AntiVirus + AntiSpyware 2007
      Service: Trend Micro AntiVirus Protection Service
      Image path: C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.trendmicro.com/

21.) ViRobot Desktop 5.5
      Service: Hauri Common Service
      Image path: C:\Program Files\Hauri\Common\hsvcmod.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.globalhauri.com/

22.) Virus Chaser
      Service: Virus Chaser Spider NT
      Image path: C:\Program Files\Virus Chaser\spidernt.exe
      Account: Local System
      Impact: Privilege escalation
      Status: Unknown (contact the vendor for further information)
      Vendor: http://www.viruschaser.com.hk/eng/

23.) And the list goes on and on...


Limitations:
============
These conditions are difficult, if not impossible, to 
exploit on Windows XP/2003/Vista. By default these 
operating systems implement a restrictive file permission 
policy. Exploitation is limited to Microsoft Windows 2000 
and to cases of misconfigured ACLs.


References:
===========
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp


Solution:
=========
Some vendors released updates addressing this issue. The 
"hot fix" is actually pretty simple: open Registry Editor 
and place the ImagePath inside double quotes.
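The following audit script is an added example, not part of the advisory, and serves both the Summary (how an unquoted ImagePath containing spaces is resolved, per the CreateProcess documentation in the References) and the Solution (quoting the value). It runs over a constructed sample of service entries modelled on the list above rather than reading the live registry, and assumes the ImagePath values carry no arguments, as is true of every entry listed.

```python
import ntpath

# Constructed sample: three entries mirroring the advisory plus one already
# quoted entry for contrast. Not read from a live registry.
SAMPLE_SERVICES = {
    "a-squared Anti-Malware Service": r"C:\Program Files\a-squared Anti-Malware\a2service.exe",
    "BOClean Core Service": r"C:\Program Files\Comodo\CBOClean\bocore.exe",
    "RsRavMon Service": r"C:\Program Files\Rising\Rav\ravmond.exe",
    "Quoted Example Service": r'"C:\Program Files\Example Vendor\svc.exe" -run',
}

def is_unquoted_with_spaces(image_path):
    """True when the ImagePath value is not quoted and contains a space."""
    value = image_path.strip()
    return not value.startswith('"') and " " in value

def candidate_paths(image_path):
    """Executables CreateProcess tries, in order, for an unquoted command line
    with spaces (MSDN CreateProcess rule): each space-delimited prefix, with
    .exe appended when the prefix has no extension, then the full path."""
    value = image_path.strip()
    if value.startswith('"'):
        return [value.split('"')[1]]        # quoted: only one interpretation
    parts = value.split(" ")
    found = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:  # no extension -> ".exe" is appended
            prefix += ".exe"
        found.append(prefix)
    return found

def quote_image_path(image_path):
    """The advisory's hot fix: wrap the executable in double quotes.
    Assumes no trailing arguments (hypothetical helper, not vendor code)."""
    value = image_path.strip()
    return value if value.startswith('"') else '"' + value + '"'

def audit(services):
    """For each unquoted-with-spaces service, list the alternate locations
    CreateProcess would try before the real image, so a defender can verify
    the ACLs on those parent directories (the Limitations section's point)."""
    return {name: candidate_paths(path)[:-1]
            for name, path in services.items() if is_unquoted_with_spaces(path)}

if __name__ == "__main__":
    for name, shadows in audit(SAMPLE_SERVICES).items():
        print(name)
        for s in shadows:
            print("   resolves first to:", s, "(check ACL on", ntpath.dirname(s) + ")")
        print("   fixed ImagePath:", quote_image_path(SAMPLE_SERVICES[name]))
```

On a real host the same functions can be fed the ImagePath values read from HKLM\SYSTEM\CurrentControlSet\Services; any candidate whose parent directory is writable by unprivileged users is the condition the advisory describes.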


Timeline:
=========
10.08.2007 - initial vendors notification
20.08.2007 - additional vendors notification
30.08.2007 - public disclosure


Contact:
========
Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com


Disclaimer:
===========
The content of this report is purely informational and 
meant for educational purposes only. Maldin d.o.o. shall 
in no event be liable for any damage whatsoever, direct or 
implied, arising from use or spread of this information. 
Any use of information in this advisory is entirely at 
user's own risk.

=========================================================================
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/