No description provided by source.
ShineShadow Security Report 28102009-13 TITLE Rising Multiple Products Local Privilege Escalation Vulnerability BACKGROUND RISING has introduced a variety of operating system based antivirus software, \ firewall software and enterprise antivirus wall, firewall, network security warning \ system and other hardware products. RISING is the third company in the world and the \ only one in China to provide a full range of information security products and \ professional services. RISING is catering to over 60 million personal users and more \ than 70,000 corporate customers in Asia, Europe and Northern America. RISING \ technology for the search of unknown computer viruses is recognized and protected by \ patents in Europe, Japan and the United States of America. Source: http://www.rising-global.com VULNERABLE PRODUCTS Rising Antivirus 2009 (21.62.04) Rising Internet Security 2009 (21.62.04) Rising Personal Firewall 2009 (21.62.04) Prior versions may also be affected. DETAILS Rising installs the own program files with insecure permissions (Users: Full \ Control). Local attacker (unprivileged user) can replace some files (for example, \ executable files of Rising services) by malicious file and execute arbitrary code \ with SYSTEM privileges. This is local privilege escalation vulnerability. For \ example, in Rising Antivirus 2009 the following attack scenario could be used: 1. An \ attacker (unprivileged user) replaces one of the Rising Antivirus program files by \ malicious executable file. For example, the replacing file could be - %Program \ Files%\Rising\RAV\RavTask.exe (Rising RavTask Manager). 2. Restart the system. After restart attackers malicious file will be executed with SYSTEM privileges. Self-defense of the Rising Antivirus will prevent all operations with Rising program \ files. It can be bypassed using internal shell dialogs in the Rising Antivirus (for \ example, "Save as" dialog in Tools -> Installer Creation Tool -> Browse). For other \ vulnerable Rising products similar attack scenario could be used. EXPLOITATION An attacker must have valid logon credentials to a system where vulnerable software \ is installed. WORKAROUND No workarounds DISCLOSURE TIMELINE 31/08/2009 Initial vendor notification. Secure contacts requested. 31/08/2009 Vendor response 02/09/2009 Vulnerability details sent. Confirmation requested. 03/09/2009 Vendor accepted vulnerability for analysis 14/09/2009 Vendor response: "This issue is not a vulnerability. During program \ designing, Rising Virus Lab has known Rising program files could be modified by this \ way. However, few malware attacks Antivirus through the method. And, we have not \ detected any malware do this until now." 14/09/2009 I informed vendor about the \ possible attack scenarios. No reply. 17/09/2009 Resend message 17/09/2009 Vendor accepted information for analysis 06/10/2009 Planned disclosure date has been sent to vendor 10/10/2009 Vendor notified me that vulnerability will be fixed only in 2010 edition \ of the vulnerable products 12/10/2009 Query for the 2010 edition release date 12/10/2009 Vendor response that the release date is unknown 28/10/2009 Advisory released CREDITS Maxim A. Kulakov (ShineShadow) ss_contacts[at]hotmail.com