Vulnerability: Cheyenne Inoculan
Affected: Windows NT

Description

Paul Boyer found the following. It is possible to run arbitrary code on any Intel machine running Cheyenne Inoculan version 4.0 for Windows NT (any version of NT) prior to SP2. The same kind of vulnerability might exist in other anti-virus products that provide an auto-update mechanism.

To check whether you are vulnerable: if you have the Resource Kit installed, run SRVCHECK.EXE \\<YourMachine>; otherwise run srvmgr.exe from an NT server in the same domain, select <YourMachine> and choose "Computer|Shared Directories". If there is a shared directory called "CHEYUPD$" that allows "FULL CONTROL" to the "EVERYONE" group, that's bad news.

Inoculan runs as a service called "Cheyenne InocuLAN Anti-Virus Server". When it starts, it replaces any shared directory with the same name and shares "CHEYUPD$" with full control for the Everyone group. At start-up the service checks for an update in this directory (usually "C:\Inoculan\Update\") using the files "<NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt" and "<NtBox>\CHEYUPD$\English\NtIntel\Ready\avh32dll.dll". Simply "touching" or modifying "filelist.txt" so that it looks more recent than it really is triggers the update. The update stops the service, replaces the existing avh32dll.dll (usually c:\inoculan\avh32dll.dll) with the new one, and then starts the service again.

When the service starts, it loads the DLL into memory and THEN does a lot of work (including checking whether it is a valid DLL). The problem is that a DLL can execute arbitrary code at the moment it is loaded into memory, i.e. when DllMain is called by the image loader, before any other function has a chance to be called...

Example (inoctroj.cpp):

    #include <windows.h>
    #include <stdio.h>
    #include <string.h>

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        // Any code can go here. This is an example: it simply creates a file
        // in the root directory of the C: drive and writes "hello world !" into it.
        FILE *demo;

        // create the file
        demo = fopen("C:\\I_can_write_a_file.txt", "w");
        if (demo != NULL) {
            // write to the file (only the characters, not the terminating NUL)
            const char *buf = "hello world ! ";
            fwrite(buf, 1, strlen(buf), demo);
            fclose(demo);
        }

        // Returning FALSE aborts the DLL loading. Anyway, we're done at that time ;))
        return FALSE;
    }

Compile and link it to produce the target avh32dll.dll. Write it to <NtBox>\CHEYUPD$\English\NtIntel\Ready\. Touch <NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt in the same directory so that it is more recent than before. Stop the "Cheyenne InocuLAN Anti-Virus Server" service on the <NtBox> machine and start it again (alternatively shut down and restart the machine). Here you are: there is a file "I_can_write_a_file.txt" in "C:\" on <NtBox>.

An interesting point is that Inoculan uses "domains". Within one domain, a single server forwards the updates to all machines participating in that "domain" (nothing to do with NT domains). THIS WAS NOT TESTED, but one would expect a much worse scenario if the trojan were written to the CHEYUPD$ shared directory of the Inoculan domain's server: the trojan would be copied to all machines in that domain. This is serious, because all of those machines would be running arbitrary code in place of the anti-virus program.

Solution

There is an InocuLAN for Windows NT Security Patch. This patch addresses possible security concerns regarding the CHEYUPD$ hidden share. It can be applied to builds 269 and 270 (Service Pack 1 level) or build 373 (Service Pack 2A level). Get it at: http://www.cai.com/cheyenne/CheyTech/techbases/ilnt/cheyupd$.html
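To automate the share check the advisory describes (SRVCHECK.EXE / srvmgr.exe, looking for CHEYUPD$ with FULL CONTROL for Everyone), here is an added PowerShell example; it is not part of the advisory or of the Inoculan product, and it assumes the SmbShare cmdlets of current Windows versions (Windows 8 / Server 2012 or later), plus CIM access for remote hosts.

```powershell
# Added example (not from the advisory): report whether CHEYUPD$ is shared on a
# host and whether the Everyone group holds Allow/Full share-level access on it.
# Assumes the SmbShare module; NT-era hosts would need SRVCHECK/srvmgr instead.

function Test-CheyUpdShare {
    param(
        [string]$ComputerName = $env:COMPUTERNAME   # assumption: local host by default
    )

    # Parameters shared by Get-SmbShare and Get-SmbShareAccess
    $common = @{ Name = 'CHEYUPD$'; ErrorAction = 'SilentlyContinue' }
    if ($ComputerName -ne $env:COMPUTERNAME) {
        $common.CimSession = New-CimSession -ComputerName $ComputerName
    }

    $share = Get-SmbShare @common
    if (-not $share) {
        # No such share right now: patched, service stopped, or product absent
        return [pscustomobject]@{
            Computer     = $ComputerName
            SharePresent = $false
            Path         = $null
            EveryoneFull = $false
        }
    }

    # Share-level ACL, one entry per trustee. Only an Allow entry granting
    # Full to Everyone matches the condition the advisory calls "bad news".
    $everyoneFull = @(Get-SmbShareAccess @common | Where-Object {
        $_.AccountName -match '(^|\\)Everyone$' -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -eq 'Full'
    }).Count -gt 0

    [pscustomobject]@{
        Computer     = $ComputerName
        SharePresent = $true
        Path         = $share.Path
        EveryoneFull = $everyoneFull
    }
}

# Usage: check this host; pipe hostnames in to check others
Test-CheyUpdShare
# 'FILESRV01', 'WKS042' | ForEach-Object { Test-CheyUpdShare -ComputerName $_ }
```

Because the unpatched service recreates CHEYUPD$ with Everyone/Full each time it starts, a clean result only means the share is absent at that moment; re-check after the service restarts, or confirm the patched build is installed.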