
Multiple Vulnerabilities in iAntiVirus

Title
Multiple Vulnerabilities in iAntiVirus 

Program
PC Tools iAntiVirus for Mac OS X
http://www.iantivirus.com/ 

Tested version
1.35, Engine Version 1.0.0.10 

Tested on German Mac OS X 10.5 with the following preferences: 
- Scan inside archives ON 
- Scan mode NORMAL 
- Heuristics NORMAL 

Description
1. No scan in .sit- and .dmg-archives 

   Neither the scan function nor the on-access scanner OnGuard
   scans inside .sit and .dmg archives.
  
   Impact: 
   Malware can be downloaded from the internet or copied from
   a USB stick without iAntiVirus intervening.  
   Malware in .sit archives is recognized by OnGuard during
   manual decompression, but malware in .dmg disk images is
   only recognized during a manual scan of the mounted image.  
   Malware can be run directly from the mounted disk image
   (tested with MacSmurf, which iAntiVirus recognizes as
   'Hacktool.OSX.MacSmurf').

2. Problems with special chars in filenames 

   The scanner, OnGuard and the quarantine management are 
   unable to handle files whose names contain certain special
   characters, for example '?', which is transformed to 'Æ'.
   
   Impact: 
   False positives are lost, since such files cannot be
   restored. It may also be possible to evade the virus
   protection this way.

3. No user-restrictions in the quarantine-management 

   All quarantined files are managed in one shared area. Every
   user can restore the files of every other user, including
   those of the admin.
   
   Impact: 
   A normal user can restore quarantined malware from other 
   accounts; tested with the iWorks Trojan, which was 
   quarantined in the admin's account and restored by a normal
   user. Additionally, the history function records no
   information about which user performed an action, and it
   can be erased by any user.
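   Items 2 and 3 both come down to how a quarantine records what it
   holds: the original filename must survive any character unchanged,
   and a restore must be tied to the user whose file was quarantined.
   The following Python sketch is an added example and not code from
   iAntiVirus or the advisory author; the on-disk layout (a directory
   of file bodies plus a JSON manifest) and the uids 501/502 are
   constructed for the demonstration. It stores the original path as
   raw filesystem bytes rather than a possibly lossy string, records
   the owner's uid, and refuses a restore request from any other
   non-root uid.

```python
import os
import json
import shutil
import tempfile
import uuid

# Hypothetical quarantine layout, constructed for this example (not the
# real iAntiVirus format): <qdir>/<id>.bin holds each file body and
# <qdir>/manifest.json maps ids to the original path and owner uid.

def _manifest_path(qdir):
    return os.path.join(qdir, "manifest.json")

def _load(qdir):
    p = _manifest_path(qdir)
    if not os.path.exists(p):
        return {}
    with open(p, "r", encoding="utf-8") as f:
        return json.load(f)

def _save(qdir, entries):
    with open(_manifest_path(qdir), "w", encoding="utf-8") as f:
        json.dump(entries, f)

def quarantine(qdir, path, owner_uid):
    """Move `path` into `qdir`. The original name is kept as raw
    filesystem bytes (hex-encoded) so that '?', 'Æ', umlauts or any
    other character round-trips exactly, and the owning uid is recorded
    so that only that user (or root) may restore the entry."""
    entries = _load(qdir)
    entry_id = uuid.uuid4().hex
    raw = os.fsencode(os.path.abspath(path))   # bytes, never a lossy str
    dest = os.path.join(qdir, entry_id + ".bin")
    shutil.move(path, dest)
    os.chmod(dest, 0o600)                      # body readable by the quarantine only
    entries[entry_id] = {"orig_hex": raw.hex(), "owner_uid": owner_uid}
    _save(qdir, entries)
    return entry_id

def restore(qdir, entry_id, requesting_uid):
    """Put the file back under its exact original name. Refuse unless the
    requester is the recorded owner or root (uid 0)."""
    entries = _load(qdir)
    rec = entries[entry_id]
    if requesting_uid not in (0, rec["owner_uid"]):
        raise PermissionError("entry %s belongs to uid %d"
                              % (entry_id, rec["owner_uid"]))
    orig = os.fsdecode(bytes.fromhex(rec["orig_hex"]))
    shutil.move(os.path.join(qdir, entry_id + ".bin"), orig)
    del entries[entry_id]
    _save(qdir, entries)
    return orig

def demo():
    """Constructed scenario: a file whose name contains '?', 'Æ' and an
    umlaut is quarantined for uid 501; a restore by uid 502 is refused;
    the owner then gets it back under the identical name."""
    base = tempfile.mkdtemp()
    try:
        home = os.path.join(base, "home")
        qdir = os.path.join(base, "quarantine")
        os.makedirs(home)
        os.makedirs(qdir)
        name = "test?Æ-ü.txt"
        path = os.path.join(home, name)
        with open(path, "w", encoding="utf-8") as f:
            f.write("placeholder content, constructed for the example\n")
        eid = quarantine(qdir, path, owner_uid=501)
        gone = not os.path.exists(path)
        refused = False
        try:
            restore(qdir, eid, requesting_uid=502)
        except PermissionError:
            refused = True
        restored = restore(qdir, eid, requesting_uid=501)
        return {
            "file_gone_after_quarantine": gone,
            "refused_other_user": refused,
            "restored_name": os.path.basename(restored),
            "restored_exists": os.path.exists(restored),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)

if __name__ == "__main__":
    print(demo())
```

   The uid check here is enforced by the quarantine code itself; a real
   product would additionally keep the quarantine directory outside any
   user's reach so that the check cannot be bypassed by touching the
   files directly.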

4. OnGuard only protects one user (or perhaps a few more) 

   If OnGuard is on and another user logs in, it appears as if
   OnGuard were off. If that user copies malware onto the system,
   it disappears without any warning: OnGuard is active and
   moves the files into the quarantine, but does not inform the
   user about this. If the first user is an admin, this happens
   for every normal user. If the first user is a normal user, it
   sometimes happens for the admin as the second user, but not
   every time.

5. Ignorance of file-permissions 

   Every normal user can start a "normal scan", which covers
   the system, library and program folders as well as the home
   folders of every user.

Solution
None 

Credits
Carsten Eilers 

Original advisory
http://www.ceilers-it.de/advisories/iantivirus.html 
(also available in German) 


Regards
  Carsten Eilers
