
TZO-2009-2.txt

Posted on 16 January 2009
Source : packetstormsecurity.org


___________________________________________________________________

From the 'cover-your-basics' and from the 'they-still-exist-department'
Antivir insecure CreateProcess() usage - Privilege Escalation
and autostart as free bonus
___________________________________________________________________

Reference : [TZO-2009-2]-Avira Antivir Privilege escalation
WWW : http://blog.zoller.lu/2009/01/tzo-2009-2-avira-antivir-priviledge.html
Product : AV7/AV8 desktop products :
- Avira AntiVir Premium
- Avira Premium Security Suite
- Avira AntiVir Professional
Vendor : http://www.avira.de


I. Background
~~~~~~~~~~~~~
Avira AntiVir is a reliable free antivirus solution that
constantly and rapidly scans your computer for malicious
programs such as viruses, Trojans, backdoor programs, hoaxes,
worms, dialers etc. It monitors every action executed by the
user or the operating system and reacts promptly when a
malicious program is detected.

The protection experts have numerous company locations
throughout Germany and cultivate partnerships in Europe,
Asia and America. Avira has more than 180 employees at their
main office in Tettnang near Lake Constance and is one of
the largest employers in the region. There are around 250
people employed worldwide whose commitment is continually
being confirmed by awards. A significant contribution to
protection is the Avira AntiVir Personal which is being used
by private users a million times over.

AV-Comparatives e.V. have chosen Avira AntiVir Premium as
the best anti-virus solution of 2008.


II. Description
~~~~~~~~~~~~~~~
No funky IOCTL, just a plain unsafe call to CreateProcess().
In detail, the scheduler (sched.exe), running with SYSTEM
privileges, calls the CreateProcess() API without enclosing
lpCommandLine in quotes to _regularly_ shell avwsc.exe.

Calling an executable whose path has spaces in it, without
using quotes, makes Windows try several interpretations of
the command line and look for the executable in each of them.

Calling for instance :

    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    /* lpApplicationName is NULL and lpCommandLine contains spaces but
       no quotes, so the executable name is ambiguous */
    CreateProcess(
        NULL,
        "c:\\program files\\avira\\antivir PersonalEdition Classic\\avwsc.exe",
        NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi
    );

will first look for
    c:\program.exe
and then
    c:\program files\avira\antivir.exe

This is documented and intended behaviour as can be seen at :
http://msdn.microsoft.com/en-us/library/ms682425.aspx

Quoting ms682425.aspx :
The lpApplicationName parameter can be NULL. In that case,
the module name must be the first white space-delimited
token in the lpCommandLine string. If you are using a long
file name that contains a space, use quoted strings to
indicate where the file name ends and the arguments begin;
otherwise, the file name is ambiguous. For example, consider
the string "c:\program files\sub dir\program name". This
string can be interpreted in a number of ways. The system
tries to interpret the possibilities in the following order:

c:\program.exe files\sub dir\program name
c:\program files\sub.exe dir\program name
c:\program files\sub dir\program.exe name
c:\program files\sub dir\program name.exe

Pre-conditions for a CreateProcess() call to be insecure :
- lpApplicationName is NULL
- the path in lpCommandLine contains white space
- the path in lpCommandLine is not enclosed in quotation marks
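As an added illustration (not code from the advisory or from Avira): a small Python audit helper that models the CreateProcess() lookup order quoted above for a given command line, lists the candidate paths that would be tried before the intended executable, and shows the quoted form that removes the ambiguity. Function names and the on-disk view in the sample are assumptions constructed for this example.

```python
import ntpath
import re
from typing import Callable, List

_QUOTED_FIRST_TOKEN = re.compile(r'^"([^"]*)"')  # quoted module name


def candidate_executables(cmdline: str) -> List[str]:
    """Paths CreateProcess(NULL, cmdline, ...) tries, in order.

    Models only the whitespace-prefix ordering quoted from MSDN above;
    the search-path step for names without a directory is not modelled.
    """
    cmdline = cmdline.strip()
    quoted = _QUOTED_FIRST_TOKEN.match(cmdline)
    if quoted:
        return [quoted.group(1)]  # unambiguous: only the quoted path
    tokens = cmdline.split()
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"  # Windows appends .exe when no extension given
        candidates.append(prefix)
    return candidates


def unsafe_lookups(cmdline: str, exists: Callable[[str], bool]) -> List[str]:
    """Candidates tried before the intended target that do not exist yet.

    Each one is a location where a file planted by a lower-privileged
    user would be picked up instead; `exists` abstracts the filesystem so
    the audit runs offline (pass os.path.exists on a live host).
    """
    candidates = candidate_executables(cmdline)
    return [c for c in candidates[:-1] if not exists(c)]


def quoted_command_line(exe_path: str, args: str = "") -> str:
    """The fix: wrap the executable path in quotes before any arguments."""
    return f'"{exe_path}" {args}'.strip()


if __name__ == "__main__":
    # Constructed sample: the command line from the advisory, on a disk
    # where only the real executable exists (assumed view, not measured).
    unsafe = r"c:\program files\avira\antivir PersonalEdition Classic\avwsc.exe"
    present = {unsafe}
    for path in unsafe_lookups(unsafe, present.__contains__):
        print("would be tried first:", path)
    print("safe form:", quoted_command_line(unsafe, "/scan"))
```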

III. Impact
~~~~~~~~~~~
- Elevation of privileges from USER to SYSTEM is possible
by writing the payload to c:\program files\avira\antivir.exe
- Autostart vector - The payload will be executed even after
a reboot

IV. Disclosure Timeline
~~~~~~~~~~~~~~~~~~~~~~~~
28/09/2008 : Contacted Avira and sent the bug report
28/09/2008 : Avira acknowledges receipt
01/10/2008 : Avira notifies me that the issue will be fixed
with their next Emergency Update (EU2)
24/10/2008 : The update is pushed to customers
24/10/2008 : Avira notifies me that credits have been posted
here: http://www1.avira.com/en/support/faq/details.html?id=419
15/01/2009 : Release of this advisory


References :
[1] http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038789.html
[2] CreateProcess() - http://msdn.microsoft.com/en-us/library/ms682425.aspx
[3] Book: Fuzzing - Brute Force Vulnerability Discovery
[4] LoadLibrary() - http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspx
    ("If the string does not specify a path, the function uses a standard
    search strategy to find the file.")
