program files
Rising Personal Firewall 2009 (21.62.04)
Prior versions may also be affected.
DETAILS
Rising installs its own program files with insecure permissions (Users: Full Control). A local attacker (unprivileged user) can replace some files (for example, the executable files of Rising services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Rising Antivirus 2009 the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the Rising Antivirus program files with a malicious executable file. For example, the replaced file could be %Program Files%\Rising\RAV\RavTask.exe (Rising RavTask Manager).
2. Restart the system.
After the restart, the attacker's malicious file will be executed with SYSTEM privileges.
The self-defense of Rising Antivirus prevents all operations on Rising program files. It can be bypassed using internal shell dialogs in Rising Antivirus (for example, the "Save as" dialog in Tools -> Installer Creation Tool -> Browse).
Services.msc > "Rapport Management Service" > "Log On" > "Hardware Profile" > "Disabled"
On the very next reboot, at least one reboot is required to disable the kernel driver (RapportPG.sys), Trusteer's service (RapportMgmtService.exe) should now be inactive/disabled, and thus you'll be able to rename Trusteer's now unprotected folders.
i.e. Command Prompt
C:\> cd \"Program Files"
C:\> rename Trusteer TrusBeer
NOTE: At this point the web browser's not protected by Trusteer, nor is Trusteer's software & system settings protected, thus pretty much open to your imagination.
Prior versions may also be affected.
DETAILS
Panda installs its own program files with insecure permissions (Everyone: Full Control). A local attacker (unprivileged user) can replace some files (for example, the executable files of Panda services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Panda Antivirus Pro 2010 the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the Panda Antivirus program files with a malicious executable file. For example, the replaced file could be %Program Files%\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe (Panda TPSrv service).
2. Restart the system.
In the case of this vuln, the only thing to do is to check all the files' and
directories' names. If any ".." strings are found, they should simply be
removed from the name before the extraction process itself. It is also a nice idea
not to run the WinImage program with administrative privileges, just to deny
access to the most important Windows directories like "Program Files", "WINDOWS" etc ;>
== Vendor status ==
Type: ActiveX-Control
Version: 1.4.9508.605
Prog ID: CSSWEBLib.Installer
GUID: {6CCE3920-3183-4B3D-808A-B12EB769DE12}
File: cssweb.dll
Folder: C:\WINDOWS\Downloaded Program Files\
Safe for Script: True
Safe for Init: True
IObjectSafety: False
Quick Heal Antivirus Plus 2009 for Desktop (v.10.00 SP1)
Quick Heal Total Security 2009 (v.10.00 SP1)
DETAILS
Quick Heal installs its own program files with insecure permissions (Everyone: Full Control). A local attacker (unprivileged user) can replace some files (for example, the executable files of Quick Heal services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, in Quick Heal Antivirus Plus 2009 the following attack scenario could be used:
1. An attacker (unprivileged user) replaces one of the Quick Heal Antivirus program files with a malicious executable file. For example, the replaced file could be %Program Files%\Quick Heal\Quick Heal AntiVirus Plus\quhlpsvc.exe (Quick Update Service).
2. Restart the system.
After the restart, the attacker's malicious file will be executed with SYSTEM privileges.
Avast! Professional Edition <= 4.8.1356
Avast! Home Edition <= 4.8.1356
DETAILS
Avast! installs some program files with insecure permissions. The "Everyone" group has "Full Control" rights to the files/folders in the following path: "%Program Files%\Alwil Software\Avast4\Data". This means that any unprivileged user can modify, delete or change the permissions of any file in the Data folder. The folder contains data, executable and configuration files. As a result, multiple attack vectors are possible.
Vulnerability #1 Local privilege escalation (CVE-2009-3524)
A local attacker (unprivileged user) can modify the %Program Files%\Alwil Software\Avast4\Data\avast4.ini file. The "ISAPIFilter1" parameter in avast4.ini contains the filename or full path of the ISAPI filter module, originally "ashWsFtr.dll". An attacker can replace the original path with the path to the attacker's malicious dynamic library (DLL). After a restart, the attacker's DLL will be loaded with SYSTEM privileges. This is a local privilege escalation vulnerability.
Previous versions may also be affected
DETAILS
Trustport installs its own program files with insecure permissions (Everyone - Full Control). A local attacker (unprivileged user) can replace some files (including the executable files of Trustport services) with malicious files and execute arbitrary code with SYSTEM privileges.
EXPLOITATION
This is a local privilege escalation vulnerability. An attacker must have valid logon credentials to a system where the vulnerable software is installed.
Previous versions may also be affected
DETAILS
Protector Plus installs its own program files with insecure permissions (Everyone - Full Control). A local attacker (unprivileged user) can replace some files (for example, the executable files of Protector services) with a malicious file and execute arbitrary code with SYSTEM privileges. This is a local privilege escalation vulnerability.
For example, the following attack scenario could be used:
1. An attacker (unprivileged user) renames one of the Protector program files (below, the FILE). For example, the FILE could be PPAVMON.exe (Protector Plus Anti-virus Monitor Service).
2. The attacker copies his malicious executable file (with the same name as the old filename of the FILE, PPAVMON.exe) to the Protector folder.
3. Restart the system.