Re: AVG updates grant full control to Everyone, changes owner? in Security

Re: AVG fixes, how about AVAST and PC-Cillin?

Fri, 17 Mar 2006 20:10:06 EDT

redxii : It keeps doing that to *all* files every time the updater is run, not just the updated ones. One might notice there is more delay when updating than before installing 385.

Re: AVG fixes, how about AVAST and PC-Cillin?

Thu, 16 Mar 2006 21:25:20 EDT

psloss :

said by redxii :

yeah

What's even "curious-er" to me is that those extra ACEs in the DACL are all flagged as "inherit-only" -- even for files! The complete set of flags (in the added ACEs) is "object inherit ace (OI) + container inherit ace (CI) + "inherit-only" (IO) + "inherited" (ID) or "OICIIOID".

For example, here's the DACL I pulled off "%ProgramFiles%\Grisoft\AVG Free\avgemc.exe":

D:
(A;ID;0x1200a9;;;BU)
(A;OICIIOID;GXGR;;;BU)
(A;ID;0x1301bf;;;PU)
(A;OICIIOID;SDGXGWGR;;;PU)
(A;ID;FA;;;BA)
(A;OICIIOID;GA;;;BA)
(A;ID;FA;;;SY)
(A;OICIIOID;GA;;;SY)
(A;ID;FA;;;S-1-5-21-X-Y-Z-1003)
(A;OICIIOID;GA;;;CO)

So while the "security problem ACE" is gone, I think you're right -- these additional ACEs appear to be superfluous.

I'll hasten to add that I stumbled onto this article again (referenced elsewhere previously) and noted that we've now seen more than one of these "ways to shoot yourself in the foot" employed by products mentioned in this thread...

said by the article :
Shooting Yourself in the Foot with ACLs

There are many ways to use ACLs, and some lead to the expected result whereas others have dire consequences. In this article, we will look at the following:

1. Blanket replacement of ACLs
2. Replacing Everyone with Authenticated Users
3. Failing to understand SDDL
4. Misusing inheritance
5. Everyone:Full Control DACLs
6. Everyone:Deny DACLs
7. Null DACLs
8. Excessive SACLs
9. Lack of SACLs on sensitive files

Philip Sloss

--
Feedback? e-mail: stuff@lupwa.org

Re: AVG fixes, how about AVAST and PC-Cillin?

Thu, 16 Mar 2006 20:06:55 EDT

redxii : yeah

Re: AVG fixes, how about AVAST and PC-Cillin?

Thu, 16 Mar 2006 19:58:25 EDT

psloss :

said by redxii :

Hopefully they fix it better than AVG, because I don't know what putting each group/user twice in the security descriptor is supposed to accomplish; one coming from "C:\Program Files" and the other from "Parent Object". They are secure, but it's "Stop screwing around and having a field day with changing the default permissions." (and yes it does continue after the initial update)

Aw, crap...so they still don't know what they're doing, but in a less insecure way now?
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG fixes, how about AVAST and PC-Cillin?

Thu, 16 Mar 2006 19:10:40 EDT

redxii : Hopefully they fix it better than AVG, because I don't know what putting each group/user twice in the security descriptor is supposed to accomplish; one coming from "C:\Program Files" and the other from "Parent Object". They are secure, but it's "Stop screwing around and having a field day with changing the default permissions." (and yes it does continue after the initial update)

Re: AVG updates grant full control to Everyone, changes owner?

Thu, 16 Mar 2006 18:42:19 EDT

Libra : I want to thank RedXX1234 for discovering this problem and DP for notifying Grisoft about it. I am using AVG free and I just received an update yesterday. The program is 7.1.385 and my Updater is version .384.

RedXX1234, I was very impressed to see your discovery published at Secunia!

Sincerely, Libra

Re: AVG fixes, how about AVAST and PC-Cillin?

Thu, 16 Mar 2006 14:39:34 EDT

toadlife :

said by EGeezer :

toadlife pointed out that Avast home edition has the same issue, and geierr indicated possible problems with PC-Cillin home security - have they addressed it too, or is it not an issue with them?

I posted the issue along with instructions on how to fix it in the Avast forums. The Avast devs said they are aware of the issue and will be fixing it in the next update.
--
Have problems running your Windows box as a limited user?
Try this... »winsudo.toadlife.net

AVG fixes, how about AVAST and PC-Cillin?

Thu, 16 Mar 2006 12:52:51 EDT

EGeezer : I'm impressed that AVG resolved this so quickly - Thanks to redxii the vulnerabiltiy was discovered and resolved. I will lift my "recommendation embargo" on AVG Monday :)

toadlife pointed out that Avast home edition has the same issue, and geierr indicated possible problems with PC-Cillin home security - have they addressed it too, or is it not an issue with them?
--
Insert catchy sig line here

Re: AVG updates grant full control to Everyone, changes owner?

Thu, 16 Mar 2006 11:26:33 EDT

ironwalker : Great work redxii and thank you for the speedy fix AVG.

With that said,is there confirmation as to the initial problem being fixed?

I do have the paid pro version on several pc's and talked a few friends/relatives into purchaseing as well,I'd hate to see this still an issue or similar permissions issues.

I myself do not see an "obvious" email address.As for Red,I am glad he started this topic and I am glad other security sites made the public aware of this as well.I do not think you(AVG) have anything to worry about.It was brought to light and fixed,nothing more to worry about.Its people like Red that help developers with there product,keeping it quiet is a moot point imo.

Thanks again
--
Live Free or Die!

Re: AVG updates grant full control to Everyone, changes owner?

Thu, 16 Mar 2006 11:01:51 EDT

anon : have any of u guys tried using Steganos??? i used it when i spotted this alert (thanx RedxII) and it went right in and pulled the lot i found that my connection had already been compromised, but steg got rid of it all and also shredded all info 4 avg on my os and also online too.
then all i did was download another copy with the new definitions whilst still using stegs email security and that was that.... i rebooted...then uninstalled steg ...rebooted again...put avg back in and its been sorted ever since...
steganos r giving a free full install at the moment of suite 7.1.6 and also u can get the full trial of the latest full antivirus package on a try out for nothin at thier site... if its free....why not? its actually a very smooth prog i like it a lot, but i prefer avg 4 its simplicity but 4 this current prob u guys have or r worried about, try going to the steg site ..it wont hurt to check...and its a simple solution..ok?

go here guys
»www.steganos.com/?layout=web2005···guage=en

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 11 Mar 2006 09:26:25 EDT

Jan Janowski : Been watching this thread pretty much since inception, as I've 2 AVG Pro licenses, and 2 free ones (On seldom used W98 systems)....

It is nice to know that the problem was addressed in a timely manner... Thanks to the poster, and AVG folks...

The one thing that got my attention on AVG products was, even when I used the "Free" and "Evaluation" versions, before deciding to swtich from my previous AV, was the fact that I could CONTACT THE AV COMPANY..... AND THEY WOULD RESPOND!!!!! That was one of the Selling Points for me to swtich to AVG Pro.

Had Norton done this during multiple failed installs on two separate upgrades from 2000 to 2003/2003 versions, I might still be with them!!

I don't know if companies know of the real Public Relations worth of email support....
If we all were code genius's, we wouldn't need it, but when we do..... It is worth it's weight in GOLD!!

Thanks to all involved in making this program better!!!
--
Looking for 1939 Indian Motocycle

Re: AVG updates grant full control to Everyone, changes owner?

Thu, 09 Mar 2006 17:53:51 EDT

redxii : secure@grisoft.cz and security@grisoft.cz ? Not even a Google search shows those e-mail addresses (and no, they are not obvious e-mail addresses). I suppose I couldn't get to the page with those email addresses if I had to enter a non-existant license key.

I'm wondering why no one caught it before.

'Nuff of this discussion anyhow..

Re: AVG updates grant full control to Everyone, changes owner?

Thu, 09 Mar 2006 15:59:44 EDT

Lappen :

said by Karel Obluk :

It is a pity that the original reporter has not contacted us using the standard e-mail addresses that should be used in such cases (secure@grisoft.cz, security@grisoft.cz etc.) before publicly disclosing this issue. Neverthless, we did our best to release a fix as soon as possible because as minor a problem it was, it definitely was a security problem.

Well in defence of RedXII1234 I have to say that I aslo am a user of the free version and I have been tryinng to contact avg before, not about this issue but about other things and I have never been able to acctually find a e-mail adress that I can reach you on as a free user of avg, only the forums and web forms for paying customers

As for RedXII1234 trying or not trying to report this to you I dont have any knowledge about that.
--
I can also be found at the SWI Forums as Lappen

Re: AVG updates grant full control to Everyone, changes owner?

Thu, 09 Mar 2006 15:24:13 EDT

anon : The AVG Pro has been fixed and build 384 also resets permissions of files that have their permissions incorrectly set by previous updates. As this was primarily an issue for corporate customers, we wanted to fix it as soon as possible for Professional users. Update for the Free edition will be released by the end of this week, i.e. in less then a week from when the problem has been disclosed.
It is a pity that the original reporter has not contacted us using the standard e-mail addresses that should be used in such cases (secure@grisoft.cz, security@grisoft.cz etc.) before publicly disclosing this issue. Neverthless, we did our best to release a fix as soon as possible because as minor a problem it was, it definitely was a security problem.

Re: Coming - AV rootkits?

Thu, 09 Mar 2006 14:59:06 EDT

Luka1 :

said by EGeezer :

This looks like a new opportunity - rootkitting AV programs. Wouldn't it be within malware technology to replace AV engine files with a rooted version of the AV engine that would ignore selected malware, open ports, make connections to bot controllers etc? Why disable AVs when they can "upgrade" them to their liking so the user could see an active AV they think is still protecting them?

Opportunity.

This has me curious indeed, because of a recent event on my computer.

Somewhere around two weeks ago, AVG was doing it's regularly scheduled automatic update.

It showed to be downloading a file roughly 5830kb in size. (I can't remember the exact number.)

When that much was downloaded, it just kept right on downloading. By the time it was finished, there was more than 11000kb file size.

By the time I noticed what was happening, it was too late. It had already finished the download and started the process of updating.

All other functions of the computer locked up. I couldn't stop it. Then it rebooted without even asking me.

After the reboot...

Mailwasher and Process guard were both "new" again. None of my account info was there in mailwasher, and it wanted me to fill out that info. Process guard was in learning mode, and all of my settings/programs/etc were gone.

And... Now every time that I send out an email with Eudora, (set to offline mode, so I have to ok the single connection each time I send out an email)... I hit the ok for the connection, then the same message comes up again a second time and I have to hit ok for the connection again.

All of this started with that update to AVG...

Re: AVG updates grant full control to Everyone, changes owner?

Wed, 08 Mar 2006 11:24:40 EDT

miraclemax203 : I'm a AVG 7.1 Pro user. I just installed the new update this morning. Is there a way to tell if AVG fixed the permissions granted to the update files?

Re: AVG updates grant full control to Everyone, changes owner?

Wed, 08 Mar 2006 10:38:06 EDT

dp :

said by psloss :

Probably going to take a little while to package for all the distribution channels...it's not showing up yet for the copy of the free version I just tried. I got one manual download of the 7.1.384 .bin file from the main site, but now there may be some contention issues doing that.

The update has only been released for the Pro version so far.
»AVG 7.1.384 Program Update
--
Write your questions down on the back of a $20 dollar bill and send them to me
Microsoft MVP/Windows Security 2004-2006

Re: AVG updates grant full control to Everyone, changes owner?

Wed, 08 Mar 2006 09:28:26 EDT

psloss : Probably going to take a little while to package for all the distribution channels...it's not showing up yet for the copy of the free version I just tried. I got one manual download of the 7.1.384 .bin file from the main site, but now there may be some contention issues doing that.
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Wed, 08 Mar 2006 08:49:06 EDT

amysheehan : It appears the 'fix' has been released by AVG.

SEE:
»www.grisoft.com/doc/28396/lng/us/tpl/tpl01

NOTE: Outlink:
»www.grisoft.com/linkout.php?doc=···19118%2F

:)

Re: AVG updates grant full control to Everyone, changes owner?

Wed, 08 Mar 2006 06:42:39 EDT

anon : According to Grisoft's conference, new program version is prepared to be released and it also solves this problem.. Hope that definitely..:)

Re: AVG updates grant full control to Everyone, changes owner?

Wed, 08 Mar 2006 05:05:36 EDT

toadlife : BTW, I shot an email over to Avast regarding the issue with their AV. Hopefully they take it seriously.

Re: AVG updates grant full control to Everyone, changes owner?

Mon, 06 Mar 2006 19:44:55 EDT

toadlife :

said by psloss :

It certainly doesn't change the effectiveness of the ACE to have an inherited flag from nowhere. I didn't see anywhere in CACLS to reset inheritance -- are you aware of how to do that with the utility?

Thanks,

Philip Sloss

No. AFAIK, calcs.exe can't reset inheritance. There are some other annoyances with cacls.exe. Microsoft really didn't do a very good job with it.
--
Have problems running your Windows box as a limited user?
Try this... »home.toadlife.net/winsudo

Re: AVG updates grant full control to Everyone, changes owner?

Mon, 06 Mar 2006 11:14:58 EDT

psloss : Me, too: good job, redxii .

Re: AVG updates grant full control to Everyone, changes owner?

Mon, 06 Mar 2006 11:08:54 EDT

dp :

said by gkweb :

Hello,

your findings has been published at secunia :
»secunia.com/advisories/19118/

I have received an email notification.

Good job on this one :-)

Regards,
gkweb.

Ditto here, kudos to redxii !
--
Write your questions down on the back of a $20 dollar bill and send them to me
Microsoft MVP/Windows Security 2004-2006

Re: AVG updates grant full control to Everyone, changes owner?

Mon, 06 Mar 2006 10:07:49 EDT

gkweb : Hello,

your findings has been published at secunia :
»secunia.com/advisories/19118/

I have received an email notification.

Good job on this one :-)

Regards,
gkweb.

Re: AVG updates grant full control to Everyone, changes owner?

Mon, 06 Mar 2006 07:34:41 EDT

psloss :

said by toadlife :

Actually, this happens when file permission are set using the command-line cacls.exe utility. I use cacls.exe at work to set custom perms for legacy programs, and this weird "bogus inheritance flag" happens every time I use it. I just passed it off as a strange bug, and though nothing more of it, as it didn't hinder the effectiveness of cacls.exe.

Wasn't aware of that with CACLS, thanks for pointing that out. It certainly doesn't change the effectiveness of the ACE to have an inherited flag from nowhere. I didn't see anywhere in CACLS to reset inheritance -- are you aware of how to do that with the utility?

Thanks,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Mon, 06 Mar 2006 04:14:57 EDT

dp : Grisoft is aware of this issue and a fix is under development.

Re: AVG updates grant full control to Everyone, changes owner?

Mon, 06 Mar 2006 00:58:33 EDT

toadlife :

said by psloss :

In the screenshot, you can see where the other ACEs are inherited from, but not the one that came from Avast (it says "Parent Object", which I infer to mean that even the OS is confused).

Actually, this happens when file permission are set using the command-line cacls.exe utility. I use cacls.exe at work to set custom perms for legacy programs, and this weird "bogus inheritance flag" happens every time I use it. I just passed it off as a strange bug, and though nothing more of it, as it didn't hinder the effectiveness of cacls.exe.
--
Have problems running your Windows box as a limited user?
Try this... »home.toadlife.net/winsudo

Coming - AV rootkits?

Sun, 05 Mar 2006 21:49:56 EDT

EGeezer : This looks like a new opportunity - rootkitting AV programs. Wouldn't it be within malware technology to replace AV engine files with a rooted version of the AV engine that would ignore selected malware, open ports, make connections to bot controllers etc? Why disable AVs when they can "upgrade" them to their liking so the user could see an active AV they think is still protecting them?
--
Insert catchy sig line here

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 21:16:36 EDT

hpguru :

said by user=toadlife :

The Home Version.

Right click on one of the executable files like "ashServe.exe" or "aswUpdSv.exe", both which run under system permissions as services, and check the perms.

Not the case here. The screen cap shows the perms which ashserv.exe has inherited from its parent folder. AswUpdSv.exe inherits the same perms. The only files in this folder which are not inheriting perms are those I mentioned above.
--
Get hpHOSTS! Member ASAP
hpHOSTS Online
Paranoia is no substitute for understanding.

ashServ.exe perms

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 20:32:42 EDT

geierr : Trend Micro PC-cillin Internet Security (which I used for about a year) does almost the same thing to its program folder as well. However, only the Everyone group is listed on the Security tab with the permission set to Full Control of course.
--
Robert L. Geier

WFSE/AFSCME Local 1326

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 16:48:26 EDT

EGeezer : Now I'm wondering what other AV/security products have this vulnerability. I note that AVG Pro has ICSA certification. Seems like ICSA would have some standards on the vulnerability of the products themselves.

I'd expect these vendors to step up and respond to this issue. If they don't, It'll just reinforce security product critics who feel the Secvendor market is a big shell game.

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 11:54:42 EDT

zteardrop : Guess you get what you "pay" for. Thats why products like KAV and NAV build their own protection against attacks against their files, processes, registry keys. KAV just hides its processes. NAV 2006 and above have full protection. You can't terminate NAV processes, remove NAV files etc., even if you are admin.

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 10:09:23 EDT

psloss : Here's how the DACLs appear to me for the Avast and AVG installs:

The Avast file DACLs have inheritance flags in the DACL itself and all the ACEs (all the ACEs here are allow ACEs):

D:AI (discretionary ACL; auto-inherited)
(A;ID;FA;;;WD) (inherited, File All Access/Everyone, boo, hiss)
(A;ID;FA;;;S-1-5-21-X-Y-Z-1004) (inherited, File All Access/local account)
(A;ID;FA;;;SY) (inherited, File All Access/SYSTEM)
(A;ID;FA;;;BA) (inherited, File All Access/Administrators)

(I'm hiding the subauthorities for the machine-relative SID.)

The inheritance flag itself in Avast's Everyone ACE is still a head-scratcher.

The AVG DACLs don't have any inheritance indicated in them (no AI or ID strings):

D: (discretionary ACL)
(A;;FA;;;SY) (File All Access/SYSTEM)
(A;;FA;;;BA) (File All Access/Administrators)
(A;;FA;;;S-1-5-21-X-Y-Z-1004) (File All Access/local account)
(A;;0x1301bf;;;PU) ("Special"/Power Users)
(A;;0x1200a9;;;BU) ("Read and Execute"/Users)
(A;;FA;;;WD) (boo, hiss, again; "File All Access/Everyone")

Comparing these to the DACLs in parent directories and sibling files, it's still hard for me to come to any conclusion about the intentions behind the implementation. But in general, they need to start doing some kind of system continuity testing, particularly with regard to NT object security.

...hmmm, OK, here's one conclusion: these are two examples of kludges to NT security. And they both have very bad side effects.

Philip Sloss

--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 07:59:24 EDT

psloss : I'm five hours behind you (well, on this...it's probably worse in other areas). Just looking at the "live" and autostart "stuff," the startup scanner (aswboot.exe) and the screensaver jumped out as having the Everyone/Full Control ACE.

Have to go back and check AVG, but the DACLs that Avast is setting are weird -- the Everyone/Full Control ACE is flagged as inherited from the parent object (the containing directory), but it's not immediately obvious where it's inherited from. In the screenshot, you can see where the other ACEs are inherited from, but not the one that came from Avast (it says "Parent Object", which I infer to mean that even the OS is confused).

This sure gives you the warm fuzzies, doesn't it?

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 01:58:35 EDT

toadlife :

said by redxii :

Avast does it right off the bat! Immediately after installing.

The Program Files pic doesn't display the whole thing, but you get the picture...

The sad part about it, is that it doesn't seem to be necessarily at all. I opened up explorer as admin, reset the permissions from the top, so that users could only read, and I was still able to initiate an update session with my user account, and change some settings.
--
Have problems running your Windows box as a limited user?
Try this... »home.toadlife.net/winsudo

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 01:47:21 EDT

redxii : Avast does it right off the bat! Immediately after installing.

The Program Files pic doesn't display the whole thing, but you get the picture...
--
"Open Source" == "Close Minded" Dig into Windows 2000 & XP.

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 01:35:43 EDT

toadlife :

said by hpguru :

said by toadlife :

Avast DOES have the same issue. All of the contents below the avast program folder are given a custom ACL that gives "builtin\everyone" full control. A piece of malware could *easily* hijack a computer running avast regardless of the permission level of the user.

Which version? Pro or Home? I have the home version here and I don't see that. The effected files and folders are below the DATA and Setup folders which I forgot to mention above. That doesn't make it any less a problem however since the virus definitions are in the Setup folder.

The Home Version.

Right click on one of the executable files like "ashServe.exe" or "aswUpdSv.exe", both which run under system permissions as services, and check the perms.

I'm pretty sure I never messed with the permission in that folder. Uninstalling, nuking the program folder, and reinstalling would verify that the installer actually does modify permissions.
--
Have problems running your Windows box as a limited user?
Try this... »home.toadlife.net/winsudo

Re: AVG updates grant full control to Everyone, changes owner?

Sun, 05 Mar 2006 01:13:03 EDT

hpguru :

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 23:10:58 EDT

toadlife :

said by hpguru :

On second thought, Avast! may have the same issue but I couldn't say it changes the default permissions since I have it installed in a folder on another partition with custome perms. It did however change the perms for the subfolders under D:\Program Files\Alwil Software\Avast4\DATA giving Everyone full control.

Avast DOES have the same issue. All of the contents below the avast program folder are given a custom ACL that gives "builtin\everyone" full control. A piece of malware could *easily* hijack a computer running avast regardless of the permission level of the user.
--
Have problems running your Windows box as a limited user?
Try this... »home.toadlife.net/winsudo

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 22:02:53 EDT

hpguru :

said by psloss :

said by hpguru :

Avast! me 'arties!

LOL! :D

On second thought, Avast! may have the same issue but I couldn't say it changes the default permissions since I have it installed in a folder on another partition with custome perms. It did however change the perms for the subfolders under D:\Program Files\Alwil Software\Avast4\DATA giving Everyone full control.
--
Get hpHOSTS! Member ASAP
hpHOSTS Online
Paranoia is no substitute for understanding.

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 17:48:56 EDT

dp : I've emailed Grisoft and asked them to view this thread. Hopefully they will address this issue promptly.

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 17:47:18 EDT

psloss :

said by hpguru :

Avast! me 'arties!

(Why am I thinking of Yosemite Sam talking to Bugs Bunny?..."I've got you outnumbered, one to one. Come out and meet your doom.")

Setup program is downloaded and a little evaluation is on my todo list.

It does appear that non-admin accounts can perform the workaround that redxii noted earlier of resetting the parts of the file permissions that are being changed (owner) and made too permissive (discretionary ACL), since "full control" includes WRITE_DAC and WRITE_OWNER.

Although looking at redxii 's screenshots, it still looks like kind of a mess in AVG's Program Files subdirectory...resetting individual files to inherit their permissions is more precise and more tedious. And propagating inheritance down from the containing directory might change something that was set explicitly (for a better reason than this, I hope :-) ).

I think I'll start with testing the software with the eye patch first...

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 17:22:47 EDT

hpguru :

said by psloss :

Yeah, this looks like a showstopper for me right now...although I don't know what I'd recommend as an alternative.

Avast! me 'arties!

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 17:22:10 EDT

Libra :

said by redxii :

In a command prompt: cacls

I don't think I can do cacls on XP Home (but I haven't tried).

Should we be changing to a different AV?

Sincerely, Libra

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 16:57:58 EDT

EGeezer : Darn, I just suggested AVG pro to a friend/customer with a half dozen or so systems. I need to tell him to hold off until this is resolved.
--
Insert catchy sig line here

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 16:40:31 EDT

psloss : Yeah, this looks like a showstopper for me right now...although I don't know what I'd recommend as an alternative.

Thanks for bringing this to our attention.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 16:26:51 EDT

redxii : Pro does it too.

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 16:16:35 EDT

Joe12345678 : is just free AVG free? if this is this may just be a way to not used for free on non home systems and they assume that all home uses are admin.

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 01:46:11 EDT

redxii : In a command prompt: cacls

I am probably falling on deaf ears unless I were a paying customer... In the mean time, thinking about all those other AVG users who even if they are limited users have absolutely no idea...

Re: AVG updates grant full control to Everyone, changes owner?

Sat, 04 Mar 2006 00:35:34 EDT

Libra : Hi RedXII1234,
I'm not comfortable going into safe mode to look at those permissions, but I have AVG7.1 free on my daughter's computer and one time, in a limited account, I tried to delete a WMF test item from the vault, and I wasn't able to. I also tried to change the results of a scan to accept an item "changed", and I couldn't do that either. Based on that I didn't think the limited user had rights. When I tried to make one of those changes I got this error in the Event Viewer:

Source: AVG
Category: error
Event ID # 100
AVG7.CC plugins.CPluginManager action running failed. Error 0x80004004.

Is there a way for you to get this information to Grisoft? I don't think he visits the AVG forum.

Sincerely, Libra

Re: AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 17:02:03 EDT

psloss :

said by redxii :

said by psloss :

Yeah, that's not good about the updater, although this type of escalation opportunity is still not at the top of the list in terms of taking over control of a Windows box these days.

It's still an opportunity, and should be fixed.

Absolutely agree; however, given that they already have code that appears to add an Everyone/Full Control ACE to DACLs of updated or downloaded files, I'm not sure how sensitive they're going to be to privilege escalation. Or, how expeditiously this will get fixed.

Somewhat randomly, this reminds me of a recent blog post about how terminal session separation in Vista is going to cause some consternation for NAV. For what it's worth, AVG Free installed on the February Vista CTP...but both attempts I made to open the command center caused the OS to bugcheck. Going to be an interesting year to see what happens to this category of consumer software.

Hopefully this issue will gain some traction at Grisoft and maybe the changes to Windows will increase the importance of scouring kludges like this out of their code.
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 12:45:52 EDT

redxii :

It's still an opportunity, and should be fixed.

Re: AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 11:45:08 EDT

psloss :

said by redxii :

psloss, I already indicated that I was using 7.1 Free edition

Sorry, went right over that in your original post. My bad.

Yeah, that's not good about the updater, although this type of escalation opportunity is still not at the top of the list in terms of taking over control of a Windows box these days.

A more interesting test would be to try to run this on the latest Vista CTP, though I don't know if AVG is compatible or not (i.e., will even install).

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 11:14:38 EDT

redxii : I found 7.0.308, and then updated it in the limited user. Apparently AVG's drivers are affected too!

Hopefully I am not the only one that sees a problem with this...

Results for \WINDOWS


avg7core.sys
A limited account is owner of a driver.....

Re: AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 10:47:16 EDT

redxii : That'd be avgcc.exe and it runs as the current user.

psloss, I already indicated that I was using 7.1 Free edition

I posted in the AVG forum and the best response so far was "Make sure it isn't conflicting with KAV." First of all, there was and is no KAV on the machine in the pics and on my computer. I have KAV on other machines.

If someone has an 7.0 setup file, please do send...

Re: AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 07:47:57 EDT

psloss : Hmmm...well, I got the same thing on an MCE 2005 test install (with no subsequent OS/security updates) -- at least in terms of changing the security descriptors on those files (the .avg update files were also changed to be equally permissive).

(This is with the free edition, version 7.1.375a716.)

Unfortunately, some part of AVG also crashed and it began flagging some of its own files and some OS files as being infected. Going to have to retry now from the top to see if that was a transient.
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 07:28:44 EDT

psloss : Not sure it matters (aside from a testing standpoint), but which version of AVG? (Free, trial, ???)

Thanks,

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org

Re: AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 04:33:43 EDT

toadlife : Bad developers!

Since AVG's developers seem to lack a clue, another thing to check for is weather or not AVG's tray icon (I assume it has one) is displayed by a service with SYSTEM rights. This opens the machine up to a shatter attack.

That's getting a little tinfoil hat-ish though. I've never heard of malware that actually used shatter attacks.

AVG updates grant full control to Everyone, changes owner?

Fri, 03 Mar 2006 02:05:48 EDT

redxii : I'm doing some auditing of permissions with AccessEnum, and was shocked to find out that my user was the owner of some of the files that belong to AVG, and that "Everyone" was set to Full Control. So I reset the permissions, and everything is set to \Program Files\ inheritance, and the owner back to "Administrator". Then I updated AVG. It changed "upd_vers.cfg" and "incavi.avm". I looked at them after the update, and sure enough I was the owner again and Everyone had Full Control.

The update service runs as SYSTEM, but so does Kaspersky's but Kaspersky 5 does not exhibit this behavior under a limited account. No permissions are changed in KAV.

I'm runnning:
AVG Free 7.1
XP Pro
limited account, NTFS

I don't know if the drivers for AVG in system32\drivers are affected, I hadn't checked, but more than likely they are. That is just asking for someone to replace one of AVG's sys files with a rootkit and launching at next boot..

EDIT: Added pics. These were all done in the context of a limited user (LowPriv).

Before updating:

[att=1][att=2]

After updating:

[att=3][att=4]

Accounts:
Administrator: Administrator
Limited User: LowPriv

Default Permissions
Default Owner
Permissions after update
The limited user is now the owner, multiply this by a major AVG update...