110265 2003-08-20 20:52 /4 rader/ KF <dotslash@snosoft.com>
Importerad: 2003-08-20 20:52 av Brevbäraren
Extern mottagare: bugtraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <6158>
Ärende: SRT2003-08-11-0729 - Linux based antivirus software contains several local overflows
------------------------------------------------------------
http://www.secnetops.biz/research
(110265) /KF <dotslash@snosoft.com>/----------------
Bilaga (text/plain) i text 110266
110266 2003-08-20 20:52 /142 rader/ KF <dotslash@snosoft.com>
Bilagans filnamn: "SRT2003-08-11-0729.txt"
Importerad: 2003-08-20 20:52 av Brevbäraren
Extern mottagare: bugtraq <bugtraq@securityfocus.com>
Mottagare: Bugtraq (import) <6159>
Bilaga (text/plain) till text 110265
Ärende: Bilaga (SRT2003-08-11-0729.txt) till: SRT2003-08-11-0729 - Linux based antivirus software contains several local overflows
------------------------------------------------------------
Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team research@secnetops.com
Team Lead Contact kf@secnetops.com
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-08-11-0729
Product : ViRobot Linux Server
Version : Ver 2.0
Vendor : http://www.hauri.net
Class : local (remote?)
Criticality : High
Operating System(s) : *nix
High Level Explanation
************************************************************************
High Level Description : Antivirus software has local security issues
What to do : chmod -s all suids in /usr/local/ViRobot/
Technical Details
************************************************************************
Proof Of Concept Status : SNO has PoC code for this issue
Low Level Description :
Alex Hernandez "Security Specialist" from Spain pointed out to us
that a new unix based antivirus solution contained a large number of
suids. Based on this information we both began beating on the suids
in efforts to expose security issues.
ViRobot Linux Server protects your file server from viruses. It can
have up-to-date definition files through scheduled update and it
scans most compressed file formats. ViRobot Linux Server is very
convenient with remote-control function via web access. A user who
has the ID and password for the server, can access ViRobot on the
server from any computer via web browser. Please have a safe server
with ViRobot Linux Server... but be sure to chmod -s everything in
sight.
There are several potential suids to abuse... some have local
overflows that may or may not be exploitable I honestly only checked
a few since most are run as cgi scripts (more fun later?).
./vrupdate
./cgi-bin/addexceptdir
./cgi-bin/addschscan
./cgi-bin/addschup
./cgi-bin/addtargetdir
./cgi-bin/applyadmin
./cgi-bin/applybackuplog
./cgi-bin/applyfilescan
./cgi-bin/bottom
./cgi-bin/deletelog
./cgi-bin/delschscan
./cgi-bin/delschup
./cgi-bin/filescan
./cgi-bin/frame
./cgi-bin/help
./cgi-bin/help1
./cgi-bin/help2
./cgi-bin/login
./cgi-bin/main
./cgi-bin/menu
./cgi-bin/menu2
./cgi-bin/menu3
./cgi-bin/menu4
./cgi-bin/menu5
./cgi-bin/menu6
./cgi-bin/rmdir
./cgi-bin/schscan
./cgi-bin/schupdate
./cgi-bin/setadmin
./cgi-bin/setbackuplog
./cgi-bin/setfilescan
./cgi-bin/setupdate
./cgi-bin/top
./cgi-bin/update
./cgi-bin/ver_info
./cgi-bin/viewfilelog
./cgi-bin/viewupdatelog
./cgi-bin/virobot
./cgi-bin/vrupdate
./cgi-bin/warningmessage
./cgi-bin/webvrscan
[kf@vegeta kf]$ ln -s /usr/local/ViRobot/cgi-bin/virobot virobot
[kf@vegeta kf]$ ./ex_virobot
ViRobot Linux Server Local root exploit
BY: Dvdman@l33tsecurity.com
BUG FOUND BY: KF@SNOSOFT.COM
TERM environment variable not set.
-------------------------------------------------------------------------------
ViRobot Linux Server ( Heuristic & Feature detection ) 10 May 2002 Korea
Copyright (c) 1998-2003 HAURI Inc. All rights reserved
E-mail : support@hauri.net Version 2.0
-------------------------------------------------------------------------------
Usage : virobot [<option list>] -d [directory]
<option list> :
--recursive : Subdirectory Scanning
--archive : Archive File Scanning
--recovery : Repair Infected File
--delete : Delete Infected File
--backup : Backup Infected File
--version : Display ViRobot Engine Version
--help : DisPlay The Command Line Options
sh-2.05b# id
uid=0(root) gid=500(kf) groups=500(kf)
Thanks to alex_hernandez [at] ureach.com for passing the information
on to our staff.
Patch or Workaround : chmod -s all suids in /usr/local/ViRobot/
Vendor Status : vendor communication was minimal
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
(110266) /KF <dotslash@snosoft.com>/------(Ombruten)