SecurityTracker.com Archives - ViRobot Anti-Virus Buffer Overflows Let Local Users Gain Elevated Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Security) > ViRobot

Vendors: HAURI Inc.

ViRobot Anti-Virus Buffer Overflows Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1007542

CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)

Date: Aug 20 2003

Impact: Execution of arbitrary code via local system, Root access via local system, User access via local system

Advisory: Strategic Reconnaissance Team

Version(s): 2.0

Description: Several vulnerabilities were reported in the ViRobot anti-virus system. On Linux/UNIX systems, a local user may be able to gain root privileges on the system.

Secure Network Operations Strategic Reconnaissance Team reported that several of the ViRobot components contain buffer overflow vulnerabilities, some of which allow a local or remote authenticated user to execute arbitrary code on the system. The affected scripts are reportedly configured with set user id (setuid) root user privlieges. A local user (or remote authenticated user) can execute code with root privileges.

The report credits Alex Hernandez with drawing attention to this matter and jointly testing the software.

Impact: A local user can execute arbitrary code on the system with root privileges.

Solution: No solution was available at the time of this entry.

The author of the report indicates that, as a workaround, you can remove the setuid bit for all files in the '/usr/local/ViRobot/' directory that have setuid privileges.

Vendor URL: www.globalhauri.com/html/ (Links to External Site)

Cause: Boundary error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: KF <dotslash@snosoft.com>

Message History: None.

Source Message Contents

Date: Wed, 20 Aug 2003 13:31:45 -0400
From: KF <dotslash@snosoft.com>
Subject: SRT2003-08-11-0729 - Linux based antivirus software contains several

 

--------------050101090702060205060806
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

http://www.secnetops.biz/research



--------------050101090702060205060806
Content-Type: text/plain;
 name="SRT2003-08-11-0729.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="SRT2003-08-11-0729.txt"

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-08-11-0729
Product                 : ViRobot Linux Server
Version                 : Ver 2.0
Vendor                  : http://www.hauri.net
Class                   : local (remote?)
Criticality             : High
Operating System(s)     : *nix


High Level Explanation
************************************************************************
High Level Description  : Antivirus software has local security issues
What to do              : chmod -s all suids in /usr/local/ViRobot/


Technical Details
************************************************************************
Proof Of Concept Status : SNO has PoC code for this issue
Low Level Description   : 

Alex Hernandez "Security Specialist" from Spain pointed out to us that a 
new unix based antivirus solution contained a large number of suids. Based 
on this information we both began beating on the suids in efforts to expose
security issues. 

ViRobot Linux Server protects your file server from viruses. It can have 
up-to-date definition files through scheduled update and it scans most 
compressed file formats. ViRobot Linux Server is very convenient with 
remote-control function via web access. A user who has the ID and password 
for the server, can access ViRobot on the server from any computer via 
web browser. Please have a safe server with ViRobot Linux Server... but
be sure to chmod -s everything in sight. 

There are several potential suids to abuse... some have local overflows that 
may or may not be exploitable I honestly only checked a few since most are
run as cgi scripts (more fun later?). 

./vrupdate
./cgi-bin/addexceptdir
./cgi-bin/addschscan
./cgi-bin/addschup
./cgi-bin/addtargetdir
./cgi-bin/applyadmin
./cgi-bin/applybackuplog
./cgi-bin/applyfilescan
./cgi-bin/bottom
./cgi-bin/deletelog
./cgi-bin/delschscan
./cgi-bin/delschup
./cgi-bin/filescan
./cgi-bin/frame
./cgi-bin/help
./cgi-bin/help1
./cgi-bin/help2
./cgi-bin/login
./cgi-bin/main
./cgi-bin/menu
./cgi-bin/menu2
./cgi-bin/menu3
./cgi-bin/menu4
./cgi-bin/menu5
./cgi-bin/menu6
./cgi-bin/rmdir
./cgi-bin/schscan
./cgi-bin/schupdate
./cgi-bin/setadmin
./cgi-bin/setbackuplog
./cgi-bin/setfilescan
./cgi-bin/setupdate
./cgi-bin/top
./cgi-bin/update
./cgi-bin/ver_info
./cgi-bin/viewfilelog
./cgi-bin/viewupdatelog
./cgi-bin/virobot
./cgi-bin/vrupdate
./cgi-bin/warningmessage
./cgi-bin/webvrscan

[kf@vegeta kf]$ ln -s /usr/local/ViRobot/cgi-bin/virobot virobot
[kf@vegeta kf]$ ./ex_virobot
ViRobot Linux Server Local root exploit
BY: Dvdman@l33tsecurity.com
BUG FOUND BY: KF@SNOSOFT.COM
TERM environment variable not set.

-------------------------------------------------------------------------------
 ViRobot Linux Server ( Heuristic & Feature detection )      10 May 2002 Korea
 Copyright (c) 1998-2003 HAURI Inc.                        All rights reserved
 E-mail : support@hauri.net                                        Version 2.0
-------------------------------------------------------------------------------


 Usage : virobot [<option list>] -d [directory]

 <option list> :
                 --recursive  :  Subdirectory Scanning
                 --archive    :  Archive File Scanning
                 --recovery   :  Repair Infected File
                 --delete     :  Delete Infected File
                 --backup     :  Backup Infected File
                 --version    :  Display ViRobot Engine Version
                 --help       :  DisPlay The Command Line Options


sh-2.05b# id
uid=0(root) gid=500(kf) groups=500(kf)

Thanks to alex_hernandez [at] ureach.com for passing the information 
on to our staff. 

Patch or Workaround     : chmod -s all suids in /usr/local/ViRobot/

Vendor Status           : vendor communication was minimal

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.



--------------050101090702060205060806--

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2002, SecurityGlobal.net LLC