=========================================================================
Team Intell Security Advisory TISA2007-09-Public
-------------------------------------------------------------------------
Multiple improper file path handling issues
=========================================================================

Release date:  30.08.2007
Severity:      Less critical
Impact:        Privilege escalation
Remote:        No
Disclosed by:  Edi Strosar (Team Intell)

Summary:
========

The way Microsoft Windows handles filenames is well known and documented.
In situations where the path to an executable contains white space and is
not enclosed in quotation marks, it is possible to execute an alternate
application. Microsoft certainly is aware of this issue, but they don't
consider it a security related problem.

Applications that were found susceptible to the unquoted executable path
issue, a.k.a. the program.exe trick (from the series "Quis custodiet ipsos
custodes?"):

01.) A-squared Anti-Malware 3.0
     Service:    a-squared Anti-Malware Service
     Image path: C:\Program Files\a-squared Anti-Malware\a2service.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Patched
     Vendor:     http://www.emsisoft.com/

02.) A-squared Free 3.0
     Service:    a-squared Free Service
     Image path: C:\Program Files\a-squared Free\a2service.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Patched
     Vendor:     http://www.emsisoft.com/

03.) Ashampoo AntiVirus v1.40
     Service:    avGuard Service
     Image path: C:\Program Files\Ashampoo\Ashampoo AntiVirus\ashavsrv.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.ashampoo.com/

04.) Comodo BOClean Anti-Malware 4.25
     Service:    BOClean Core Service
     Image path: C:\Program Files\Comodo\CBOClean\bocore.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.comodo.com/

05.) Comodo Firewall v2.4
     Service:    Commodo Application Agent
     Image path: C:\Program Files\Comodo\Firewall\cmdagent.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.personalfirewall.comodo.com/

06.) eScan Anti-Virus 9.0
     Service:    MicroWord Agent Service
     Image path: C:\Program Files\Common Files\MicroWord\Agent\mwaser.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.mwti.net/

07.) eScan Virus Control 9.0
     Service:    MicroWord Agent Service
     Image path: C:\Program Files\Common Files\MicroWord\Agent\mwaser.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.mwti.net/

08.) Ikarus Virus Utilities v1.0.56
     Service:    The Guard X Service
     Image path: C:\Program Files\Ikarus\Virus Utilities\Bin\guardxservice.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.ikarus-software.at/

09.) iolo Antivirus
     Service:    iolo DMV Service
     Image path: C:\Program Files\iolo\Common\Lib\iolodmvsvc.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.iolo.com/

10.) iolo Firewall
     Service:    iolo DMV Service
     Image path: C:\Program Files\iolo\Common\Lib\iolodmvsvc.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.iolo.com/

11.) Norman Internet Control (Pro) v5.90
     Service:    Norman eLogger Service 6
     Image path: C:\Program Files\Norman\Npm\Bin\elogsvc.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.norman.com/

12.) Norman Personal Firewall v1.42
     Service:    Norman Type-R
     Image path: C:\Program Files\Norman\Npm\Bin\npfsvice.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.norman.com/

13.) Norman Virus Control (Pro) v5.90
     Service:    Norman eLogger Service 6
     Image path: C:\Program Files\Norman\Npm\Bin\elogsvc.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.norman.com/

14.) Outpost Firewall Pro
     Service:    Outpost Firewall Service
     Image path: C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.agnitum.com/

15.) Outpost Security Suite Pro
     Service:    Outpost Security Suite Service
     Image path: C:\Program Files\Agnitum\Outpost Security Suite\outpost.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.agnitum.com/

16.) Quick Heal AntiVirus Plus 2007
     Service:    Quick Heal Firewall Service
     Image path: C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.quickheal.co.in/

17.) Quick Heal Total Security 2007
     Service:    Quick Heal Firewall Service
     Image path: C:\Program Files\Cat Computer\Quick Heal Firewall Pro\qhfw.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.quickheal.co.in/

18.) Rising Antivirus 2007
     Service:    RsRavMon Service
     Image path: C:\Program Files\Rising\Rav\ravmond.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.rising-eu.de/

19.) Rising Firewall 2007
     Service:    Rising Personal Firewall Service
     Image path: C:\Program Files\Rising\RFW\rfwsrv.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.rising-eu.de/

20.) Trend Micro AntiVirus + AntiSpyware 2007
     Service:    Trend Micro AntiVirus Protection Service
     Image path: C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.trendmicro.com/

21.) ViRobot Desktop 5.5
     Service:    Hauri Common Service
     Image path: C:\Program Files\Hauri\Common\hsvcmod.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.globalhauri.com/

22.) Virus Chaser
     Service:    Virus Chaser Spider NT
     Image path: C:\Program Files\Virus Chaser\spidernt.exe
     Account:    Local System
     Impact:     Privilege escalation
     Status:     Unknown (contact the vendor for further information)
     Vendor:     http://www.viruschaser.com.hk/eng/

23.) And the list goes on and on...

Limitations:
============

These conditions are difficult, if not impossible, to exploit on Windows
XP/2003/Vista. By default these operating systems implement a restrictive
file permission policy. Exploitation is limited to Microsoft Windows 2000
and to cases of misconfigured ACLs.

References:
===========

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp

Solution:
=========

Some vendors have released updates addressing this issue. The "hot fix" is
actually pretty simple: open Registry Editor and place the ImagePath inside
double quotes.

Timeline:
=========

10.08.2007 - initial vendors notification
20.08.2007 - additional vendors notification
30.08.2007 - public disclosure

Contact:
========

Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI

tel:    +386 (0)590 70 170
fax:    +386 (0)590 70 177
gsm:    +386 (0)31 816 400
web:    www.teamintell.com
e-mail: info@teamintell.com

Disclaimer:
===========

The content of this report is purely informational and meant for
educational purposes only. Maldin d.o.o. shall in no event be liable for
any damage whatsoever, direct or implied, arising from use or spread of
this information. Any use of information in this advisory is entirely at
user's own risk.

=========================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
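The check and the registry "hot fix" described in the Solution section above, as an added PowerShell example that is not part of the advisory: it walks every service key, flags an ImagePath that contains a space in the executable path and is not enclosed in double quotes, and, only when -Fix is passed, wraps the executable path in quotes as the advisory recommends. It assumes an elevated session on a Windows host; the regex split at the first ".exe" is this example's own heuristic.

```powershell
# Audit services for unquoted ImagePath values with spaces (the condition
# this advisory describes) and optionally apply the advisory's fix.
# Added example, not part of the advisory. Run elevated; pass -Fix to
# actually change the registry, otherwise the script only reports.
param([switch]$Fix)

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

Get-ChildItem $svcRoot | ForEach-Object {
    $key   = $_
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $raw   = $props.ImagePath
    if (-not $raw) { return }

    # Already quoted: not affected.
    if ($raw.TrimStart().StartsWith('"')) { return }

    # Heuristic (this example's own): the executable path runs up to the
    # first ".exe"; anything after it is arguments. Drivers (.sys) are
    # skipped because they are not started through CreateProcess.
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    $m = [regex]::Match($expanded, '^(.*?\.exe)\b(.*)$', 'IgnoreCase')
    if (-not $m.Success) { return }
    $exe    = $m.Groups[1].Value
    $argStr = $m.Groups[2].Value

    # No white space in the executable path: CreateProcess has nothing
    # ambiguous to resolve, so the service is not affected.
    if ($exe -notmatch ' ') { return }

    [PSCustomObject]@{
        Service   = $key.PSChildName
        ImagePath = $raw
        Proposed  = "`"$exe`"$argStr"
    } | Format-List

    if ($Fix) {
        # Quote the unexpanded value so %SystemRoot% and similar survive,
        # and keep the existing value kind (REG_SZ or REG_EXPAND_SZ).
        $fixed = [regex]::Replace($raw, '^(.*?\.exe)\b', '"$1"', 'IgnoreCase')
        $kind  = (Get-Item $key.PSPath).GetValueKind('ImagePath')
        Set-ItemProperty -Path $key.PSPath -Name ImagePath -Value $fixed -Type $kind
    }
}
```

As the Limitations section notes, a flagged service is only exploitable where an unprivileged user can write into one of the intermediate directories (for example C:\ or C:\Program Files), so pair this report with an ACL review of those directories before treating a finding as a real risk.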