Team Intell Security Advisory TISA2007-09-Public - Microsoft Windows suffers from multiple improper file path handling issues.
e45443a257b76bae17116bc5cf8436d630550b5bbc6c59ae95bb739477b550b9
=========================================================================
Team Intell Security Advisory TISA2007-09-Public
-------------------------------------------------------------------------
Multiple improper file path handling issues
=========================================================================
Release date: 30.08.2007
Severity: Less critical
Impact: Privilege escalation
Remote: No
Disclosed by: Edi Strosar (Team Intell)
Summary:
========
The way Microsoft Windows handles filenames is well known
and documented. In situations where the path to executable
contains white space and is not enclosed in quotation
marks, it is possible to execute alternate application.
Microsoft certainly is aware of this issue, but they don't
consider it as a security related problem.
Applications that were found susceptible to unquoted
executable path issue a.k.a program.exe trick (from the
series "Quis custodiet ipsos custodes?"):
01.) A-squared Anti-Malware 3.0
Service: a-squared Anti-Malware Service
Image path: C:\Program Files\a-squared
Anti-Malware\a2service.exe
Account: Local System
Impact: Privilege escalation
Status: Patched
Vendor: http://www.emsisoft.com/
02.) A-squared Free 3.0
Service: a-squared Free Service
Image path: C:\Program Files\a-squared
Free\a2service.exe
Account: Local System
Impact: Privilege escalation
Status: Patched
Vendor: http://www.emsisoft.com/
03.) Ashampoo AntiVirus v1.40
Service: avGuard Service
Image path: C:\Program Files\Ashampoo\Ashampoo
AntiVirus\ashavsrv.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.ashampoo.com/
04.) Comodo BOClean Anti-Malware 4.25
Service: BOClean Core Service
Image path: C:\Program
Files\Comodo\CBOClean\bocore.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.comodo.com/
05.) Comodo Firewall v2.4
Service: Commodo Application Agent
Image path: C:\Program
Files\Comodo\Firewall\cmdagent.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.personalfirewall.comodo.com/
06.) eScan Anti-Virus 9.0
Service: MicroWord Agent Service
Image path: C:\Program Files\Common
Files\MicroWord\Agent\mwaser.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.mwti.net/
07.) eScan Virus Control 9.0
Service: MicroWord Agent Service
Image path: C:\Program Files\Common
Files\MicroWord\Agent\mwaser.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.mwti.net/
08.) Ikarus Virus Utilities v1.0.56
Service: The Guard X Service
Image path: C:\Program Files\Ikarus\Virus
Utilities\Bin\guardxservice.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.ikarus-software.at/
09.) iolo Antivirus
Service: iolo DMV Service
Image path: C:\Program
Files\iolo\Common\Lib\iolodmvsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.iolo.com/
10.) iolo Firewall
Service: iolo DMV Service
Image path: C:\Program
Files\iolo\Common\Lib\iolodmvsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.iolo.com/
11.) Norman Internet Control (Pro) v5.90
Service: Norman eLogger Service 6
Image path: C:\Program
Files\Norman\Npm\Bin\elogsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.norman.com/
12.) Norman Personal Firewall v1.42
Service: Norman Type-R
Image path: C:\Program
Files\Norman\Npm\Bin\npfsvice.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.norman.com/
13.) Norman Virus Control (Pro) v5.90
Service: Norman eLogger Service 6
Image path: C:\Program
Files\Norman\Npm\Bin\elogsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.norman.com/
14.) Outpost Firewall Pro
Service: Outpost Firewall Service
Image path: C:\Program Files\Agnitum\Outpost
Firewall\outpost.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.agnitum.com/
15.) Outpost Security Suite Pro
Service: Outpost Security Suite Service
Image path: C:\Program Files\Agnitum\Outpost
Security Suite\outpost.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.agnitum.com/
16.) Quick Heal AntiVirus Plus 2007
Service: Quick Heal Firewall Service
Image path: C:\Program Files\Cat Computer\Quick Heal
Firewall Pro\qhfw.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.quickheal.co.in/
17.) Quick Heal Total Security 2007
Service: Quick Heal Firewall Service
Image path: C:\Program Files\Cat Computer\Quick Heal
Firewall Pro\qhfw.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.quickheal.co.in/
18.) Rising Antivirus 2007
Service: RsRavMon Service
Image path: C:\Program Files\Rising\Rav\ravmond.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.rising-eu.de/
19.) Rising Firewall 2007
Service: Rising Personal Firewall Service
Image path: C:\Program Files\Rising\RFW\rfwsrv.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.rising-eu.de/
20.) Trend Micro AntiVirus + AntiSpyware 2007
Service: Trend Micro AntiVirus Protection Service
Image path: C:\Program Files\Trend Micro\AntiVirus
2007\tavsvc.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vemdor: http://www.trendmicro.com/
21.) ViRobot Desktop 5.5
Service: Hauri Common Service
Image path: C:\Program
Files\Hauri\Common\hsvcmod.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.globalhauri.com/
22.) Virus Chaser
Service: Virus Chaser Spider NT
Image path: C:\Program Files\Virus
Chaser\spidernt.exe
Account: Local System
Impact: Privilege escalation
Status: Unknown (contact the vendor for further
information)
Vendor: http://www.viruschaser.com.hk/eng/
23.) And the list goes on and on...
Limitations:
============
This conditions are difficult, if not impossible, to
exploit on Windows XP/2003/Vista. By default these
operating systems implement restrictive file permission
policy. Exploitation is limited to Microsoft Windows 2000
and to misconfigured ACLs cases.
References:
===========
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp
Solution:
=========
Some vendors released updates addressing this issue. The
"hot fix" is actually pretty simple: open Registry Editor
and place the ImagePath inside double quotes.
Timeline:
=========
10.08.2007 - initial vendors notification
20.08.2007 - additional vendors notification
30.08.2007 - public disclosure
Contact:
========
Maldin d.o.o.
Trzaska cesta 2
1000 Ljubljana - SI
tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com
Disclaimer:
===========
The content of this report is purely informational and
meant for educational purposes only. Maldin d.o.o. shall
in no event be liable for any damage whatsoever, direct or
implied, arising from use or spread of this information.
Any use of information in this advisory is entirely at
user's own risk.
=========================================================================
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed