Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: All Antivirus, Trojan, Spy ware scanner, Nested file manual scan bypass bugs. [Part IV]
From: GuidoZ <uberguidoz () gmail com>
Date: Fri, 1 Oct 2004 20:29:19 -0700

I've heard of this before (see following link). I thought it was fixed
in SP1 (maybe it was SP2). I'm probabaly wrong - call it wishful
thinking. There is an interesting page in German about it here:
 - http://www.lsg.musin.de/Admin/NT/rechte/die_batch_online_mit_vielen_erkl.htm

English transation provided by Google is:
 - 
http://translate.google.com/translate?hl=en&sl=de&u=http://www.lsg.musin.de/Admin/NT/rechte/die_batch_online_mit_vielen_erkl.htm&prev=/search%3Fq%3D%2522cacls%2B*.*%2B/T%2B/C%2B/P%2B*:R%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8
(if the URL wrap bothers you, here's a TinyURL: http://tinyurl.com/6t6lu)

It doesn't take much to figure out how this could be used to cause
some hell. (Maybe combined with the recent GDI/JPEG exploit?
Downloading a batch file coudl be nasty...)

-
Peace. ~G


On Fri, 1 Oct 2004 19:37:49 -0700 (PDT), bipin gautam
<visitbipin () yahoo com> wrote:
All Antivirus, Trojan, Spy ware scanner, Nested file
manual scan bypass bugs. [Part IV]

Risk Level: Medium
Affected Product: (Should be) all Antivirus, Trojan,
Spy ware scanners for windows.

Description:
------------

A malicious code can reside in a computer (with users
privilage) bypassing "manual scans" of any
Antivirus, Trojan & Spy ware scanners by simply
issuing this command to itself.

cacls hUNT.exe /T /C /P dumb_user:R

...this is only due to the design fault in Microsoft
Windows, the way it handles NTFS permission.By this
way... any software's with even Admin./SYSTEM
privilege can't access this file (hUNT.exe) normally
because the only person who has normal access to this
file is "dumb_user"

No wonder, there are several false assumptions in
windows security configuration as well, when a JOE
administrator could permenantly lock himself up in his
own machine.

regards,
Bipin Gautam
http://www.geocities.com/visitbipin

Disclaimer: The information in the advisory is
believed to be accurate at the time of printing based
on currently available information. Use of the
information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this
information. Neither the author nor the publisher
accepts any liability for any direct, indirect or
consequential loss or damage arising from use of, or
reliance on this information.

__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault