  toadlife Premium join:2004-05-03 Lemoore, CA
·AT&T Yahoo
| reply to hpguru Re: AVG updates grant full control to Everyone, changes owner?
said by hpguru :On second thought, Avast! may have the same issue but I couldn't say it changes the default permissions since I have it installed in a folder on another partition with custom perms. It did however change the perms for the subfolders under D:\Program Files\Alwil Software\Avast4\DATA giving Everyone full control.
Avast DOES have the same issue. All of the contents below the avast program folder are given a custom ACL that gives "builtin\everyone" full control. A piece of malware could *easily* hijack a computer running avast regardless of the permission level of the user. -- Have problems running your Windows box as a limited user? Try this...»home.toadlife.net/winsudo |
|
  hpguru Curb Your Dogma Premium join:2002-04-12
| said by toadlife :Avast DOES have the same issue. All of the contents below the avast program folder are given a custom ACL that gives "builtin\everyone" full control. A piece of malware could *easily* hijack a computer running avast regardless of the permission level of the user.
Which version? Pro or Home? I have the home version here and I don't see that. The affected files and folders are below the DATA and Setup folders which I forgot to mention above. That doesn't make it any less a problem however since the virus definitions are in the Setup folder. -- Get hpHOSTS! Member ASAP hpHOSTS Online Paranoia is no substitute for understanding. |
|
  toadlife Premium join:2004-05-03 Lemoore, CA
·AT&T Yahoo
| said by hpguru :said by toadlife :Avast DOES have the same issue. All of the contents below the avast program folder are given a custom ACL that gives "builtin\everyone" full control. A piece of malware could *easily* hijack a computer running avast regardless of the permission level of the user. Which version? Pro or Home? I have the home version here and I don't see that. The affected files and folders are below the DATA and Setup folders which I forgot to mention above. That doesn't make it any less a problem however since the virus definitions are in the Setup folder.
The Home Version.
Right click on one of the executable files like "ashServe.exe" or "aswUpdSv.exe", both of which run under system permissions as services, and check the perms.
I'm pretty sure I never messed with the permissions in that folder. Uninstalling, nuking the program folder, and reinstalling would verify that the installer actually does modify permissions. -- Have problems running your Windows box as a limited user? Try this...»home.toadlife.net/winsudo |
|
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
Host: /dev/null Broadband Tweaks Suddenlink ISDN Fiber Optic
2 edits | Avast does it right off the bat! Immediately after installing.
The Program Files pic doesn't display the whole thing, but you get the picture... -- "Open Source" == "Close Minded" Dig into Windows 2000 & XP. |
|
  toadlife Premium join:2004-05-03 Lemoore, CA
·AT&T Yahoo
| said by redxii :Avast does it right off the bat! Immediately after installing. The Program Files pic doesn't display the whole thing, but you get the picture...
The sad part about it is that it doesn't seem to be necessary at all. I opened up explorer as admin, reset the permissions from the top, so that users could only read, and I was still able to initiate an update session with my user account, and change some settings. -- Have problems running your Windows box as a limited user? Try this...»home.toadlife.net/winsudo |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
1 edit | I'm five hours behind you (well, on this...it's probably worse in other areas). Just looking at the "live" and autostart "stuff," the startup scanner (aswboot.exe) and the screensaver jumped out as having the Everyone/Full Control ACE.
Have to go back and check AVG, but the DACLs that Avast is setting are weird -- the Everyone/Full Control ACE is flagged as inherited from the parent object (the containing directory), but it's not immediately obvious where it's inherited from. In the screenshot, you can see where the other ACEs are inherited from, but not the one that came from Avast (it says "Parent Object", which I infer to mean that even the OS is confused).
This sure gives you the warm fuzzies, doesn't it?
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org
|
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to redxii Here's how the DACLs appear to me for the Avast and AVG installs:
The Avast file DACLs have inheritance flags in the DACL itself and in all the ACEs (all the ACEs here are allow ACEs):
D:AI                              (discretionary ACL; auto-inherited)
(A;ID;FA;;;WD)                    (inherited, File All Access/Everyone, boo, hiss)
(A;ID;FA;;;S-1-5-21-X-Y-Z-1004)   (inherited, File All Access/local account)
(A;ID;FA;;;SY)                    (inherited, File All Access/SYSTEM)
(A;ID;FA;;;BA)                    (inherited, File All Access/Administrators)
(I'm hiding the subauthorities for the machine-relative SID.)
The inheritance flag itself in Avast's Everyone ACE is still a head-scratcher.
The AVG DACLs don't have any inheritance indicated in them (no AI or ID strings):
D:                                (discretionary ACL)
(A;;FA;;;SY)                      (File All Access/SYSTEM)
(A;;FA;;;BA)                      (File All Access/Administrators)
(A;;FA;;;S-1-5-21-X-Y-Z-1004)     (File All Access/local account)
(A;;0x1301bf;;;PU)                ("Special"/Power Users)
(A;;0x1200a9;;;BU)                ("Read and Execute"/Users)
(A;;FA;;;WD)                      (boo, hiss, again; File All Access/Everyone)
Comparing these to the DACLs in parent directories and sibling files, it's still hard for me to come to any conclusion about the intentions behind the implementation. But in general, they need to start doing some kind of system continuity testing, particularly with regard to NT object security.
...hmmm, OK, here's one conclusion: these are two examples of kludges to NT security. And they both have very bad side effects.
Philip Sloss
-- Feedback? e-mail: stuff@lupwa.org |
|
 zteardrop
join:2005-12-20 Brooklyn, NY
| reply to redxii Guess you get what you "pay" for. That's why products like KAV and NAV build their own protection against attacks against their files, processes, registry keys. KAV just hides its processes. NAV 2006 and above have full protection. You can't terminate NAV processes, remove NAV files etc., even if you are admin. |
|
  EGeezer Summertime - Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
| reply to redxii Now I'm wondering what other AV/security products have this vulnerability. I note that AVG Pro has ICSA certification. Seems like ICSA would have some standards on the vulnerability of the products themselves.
I'd expect these vendors to step up and respond to this issue. If they don't, it'll just reinforce security product critics who feel the Secvendor market is a big shell game. |
|
  geierr Computer Nut Premium join:2001-07-07 Yakima, WA
·Charter Pipeline
| Trend Micro PC-cillin Internet Security (which I used for about a year) does almost the same thing to its program folder as well. However, only the Everyone group is listed on the Security tab with the permission set to Full Control of course. -- Robert L. Geier
WFSE/AFSCME Local 1326 |
|
  hpguru Curb Your Dogma Premium join:2002-04-12
| reply to toadlife
 ashServ.exe perms |
said by toadlife :
The Home Version.
Right click on one of the executable files like "ashServe.exe" or "aswUpdSv.exe", both of which run under system permissions as services, and check the perms.
Not the case here. The screen cap shows the perms which ashserv.exe has inherited from its parent folder. AswUpdSv.exe inherits the same perms. The only files in this folder which are not inheriting perms are those I mentioned above. -- Get hpHOSTS! Member ASAP hpHOSTS Online Paranoia is no substitute for understanding. |
|
  EGeezer Summertime - Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
1 edit | reply to redxii Coming - AV rootkits?
This looks like a new opportunity - rootkitting AV programs. Wouldn't it be within malware technology to replace AV engine files with a rooted version of the AV engine that would ignore selected malware, open ports, make connections to bot controllers etc? Why disable AVs when they can "upgrade" them to their liking so the user could see an active AV they think is still protecting them? -- Insert catchy sig line here |
|
  toadlife Premium join:2004-05-03 Lemoore, CA
·AT&T Yahoo
| reply to psloss Re: AVG updates grant full control to Everyone, changes owner?
said by psloss :In the screenshot, you can see where the other ACEs are inherited from, but not the one that came from Avast (it says "Parent Object", which I infer to mean that even the OS is confused).
Actually, this happens when file permissions are set using the command-line cacls.exe utility. I use cacls.exe at work to set custom perms for legacy programs, and this weird "bogus inheritance flag" happens every time I use it. I just passed it off as a strange bug, and thought nothing more of it, as it didn't hinder the effectiveness of cacls.exe. -- Have problems running your Windows box as a limited user? Try this...»home.toadlife.net/winsudo |
|
  dp Go Steelers Premium,MVM join:2000-12-08 Greensburg, PA | reply to redxii Grisoft is aware of this issue and a fix is under development. |
|
 psloss Premium join:2002-02-24 Alpharetta, GA
| reply to toadlife said by toadlife :Actually, this happens when file permissions are set using the command-line cacls.exe utility. I use cacls.exe at work to set custom perms for legacy programs, and this weird "bogus inheritance flag" happens every time I use it. I just passed it off as a strange bug, and thought nothing more of it, as it didn't hinder the effectiveness of cacls.exe.
Wasn't aware of that with CACLS, thanks for pointing that out. It certainly doesn't change the effectiveness of the ACE to have an inherited flag from nowhere. I didn't see anywhere in CACLS to reset inheritance -- are you aware of how to do that with the utility?
Thanks,
Philip Sloss -- Feedback? e-mail: stuff@lupwa.org |
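The two things psloss is doing by hand above, decoding the SDDL strings and asking whether an ID-flagged ACE really came from the parent directory, and the "inherited from nowhere" artifact toadlife attributes to cacls.exe, can both be checked mechanically. The following is an added example written for this thread, not code from any of the posters or from Avast, AVG or Microsoft. It parses the D: component of the SDDL strings quoted in the thread (the poster's redacted S-1-5-21-X-Y-Z-1004 SID is kept as-is), flags allow ACEs that hand write-class rights to Everyone, Authenticated Users or Users, and reports file ACEs marked ID that no object-inherit (OI) ACE on the parent could have produced. The parent directory DACL (`ASSUMED_PARENT_DIR`) is an assumption, a stock Program Files-style DACL, since the thread does not quote the real one; the SID and rights tables are the subset of the SDDL abbreviations needed here.

```python
"""SDDL DACL decoder for the strings quoted in this thread.

Flags (1) allow ACEs that give write-class rights to broad groups such as
Everyone, and (2) ACEs marked ID (inherited) that no inheritable ACE on the
parent directory could have produced, i.e. the "inherited from nowhere"
artifact the thread associates with cacls.exe.
"""
import re

# Subset of the SDDL well-known SID abbreviations, enough for the thread's strings.
SID_ALIASES = {"WD": "Everyone", "SY": "SYSTEM", "BA": "Administrators",
               "BU": "Users", "PU": "Power Users", "AU": "Authenticated Users"}

# SDDL two-letter rights tokens -> access-mask bits (generic, file and standard rights).
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
          "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
          "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100}

# Anything that lets the holder change the file or its security descriptor:
# FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE.
WRITE_CLASS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000
BROAD_GROUPS = {"WD", "AU", "BU"}   # Everyone, Authenticated Users, Users

# Generic -> file-specific mapping applied when a directory ACE is inherited onto a file.
GENERIC_TO_FILE = ((0x10000000, 0x1F01FF), (0x80000000, 0x120089),
                   (0x40000000, 0x120116), (0x20000000, 0x1200A0))

_ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s):
    """Split an SDDL flag/rights field into its two-letter tokens."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def _mask(rights):
    """Rights field -> 32-bit access mask; accepts hex (0x1301bf) or token form (FA)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for tok in _pairs(rights):
        if tok not in RIGHTS:
            raise ValueError("unknown rights token %r" % tok)
        mask |= RIGHTS[tok]
    return mask


def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: component of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in %r" % sddl)
    aces = []
    for body in _ACE_RE.findall(m.group(2)):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        aces.append({"type": ace_type, "flags": _pairs(flags), "rights": rights,
                     "mask": _mask(rights), "sid": sid, "who": SID_ALIASES.get(sid, sid)})
    return _pairs(m.group(1)), aces


def broad_write_grants(sddl):
    """Allow ACEs giving write-class access to Everyone/Authenticated Users/Users."""
    _, aces = parse_dacl(sddl)
    return [(a["who"], a["rights"]) for a in aces
            if a["type"] == "A" and a["sid"] in BROAD_GROUPS and a["mask"] & WRITE_CLASS]


def _as_inherited_file_mask(mask):
    """Mask a file would receive when this directory ACE is propagated to it."""
    for generic, specific in GENERIC_TO_FILE:
        if mask & generic:
            mask = (mask & ~generic & 0xFFFFFFFF) | specific
    return mask


def orphaned_inherited_aces(file_sddl, parent_sddl):
    """ID-flagged ACEs on the file with no OI-flagged parent ACE that could be their source."""
    _, file_aces = parse_dacl(file_sddl)
    _, parent_aces = parse_dacl(parent_sddl)
    heritable = {(a["type"], a["sid"], _as_inherited_file_mask(a["mask"]))
                 for a in parent_aces if "OI" in a["flags"]}
    return [a for a in file_aces
            if "ID" in a["flags"] and (a["type"], a["sid"], a["mask"]) not in heritable]


# Strings quoted in the thread (machine SID subauthorities redacted as X-Y-Z by the poster).
AVAST_FILE = "D:AI(A;ID;FA;;;WD)(A;ID;FA;;;S-1-5-21-X-Y-Z-1004)(A;ID;FA;;;SY)(A;ID;FA;;;BA)"
AVG_FILE = ("D:(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-21-X-Y-Z-1004)"
            "(A;;0x1301bf;;;PU)(A;;0x1200a9;;;BU)(A;;FA;;;WD)")
# Constructed assumption: a stock Program Files-style DACL for the containing directory.
ASSUMED_PARENT_DIR = ("D:AI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)"
                      "(A;OICI;0x1301bf;;;PU)(A;OICI;0x1200a9;;;BU)")

if __name__ == "__main__":
    for name, sddl in (("Avast", AVAST_FILE), ("AVG", AVG_FILE)):
        flags, aces = parse_dacl(sddl)
        print("%s: DACL flags=%s, %d ACEs" % (name, "".join(flags) or "(none)", len(aces)))
        for who, rights in broad_write_grants(sddl):
            print("  write-class access for broad group: %s (%s)" % (who, rights))
    for a in orphaned_inherited_aces(AVAST_FILE, ASSUMED_PARENT_DIR):
        print("Avast: ACE for %s claims inheritance but parent has no matching OI ACE" % a["who"])
```

On a live box the input strings come from `(Get-Acl $path).Sddl` in PowerShell; feed the file's and its parent directory's SDDL to `orphaned_inherited_aces` and any ACE it returns is one whose "Parent Object" attribution in the Explorer dialog cannot be trusted. The generic-to-file mapping matters because a parent ACE granting GA propagates to files as FA, so a naive mask comparison would report a false orphan for every such ACE.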
|
  gkweb
join:2003-06-09 76800
| reply to redxii Hello,
your findings have been published at Secunia: »secunia.com/advisories/19118/
I have received an email notification.
Good job on this one
Regards, gkweb. |
|
  dp Go Steelers Premium,MVM join:2000-12-08 Greensburg, PA
·Verizon Online DSL
| said by gkweb :Hello, your findings have been published at Secunia: »secunia.com/advisories/19118/ I have received an email notification. Good job on this one. Regards, gkweb.
Ditto here, kudos to redxii ! -- Write your questions down on the back of a $20 dollar bill and send them to me Microsoft MVP/Windows Security 2004-2006 |
|
 psloss Premium join:2002-02-24 Alpharetta, GA | reply to redxii Me, too: good job, redxii . |
|
  toadlife Premium join:2004-05-03 Lemoore, CA
·AT&T Yahoo
| reply to psloss said by psloss :It certainly doesn't change the effectiveness of the ACE to have an inherited flag from nowhere. I didn't see anywhere in CACLS to reset inheritance -- are you aware of how to do that with the utility? Thanks, Philip Sloss
No. AFAIK, cacls.exe can't reset inheritance. There are some other annoyances with cacls.exe. Microsoft really didn't do a very good job with it. -- Have problems running your Windows box as a limited user? Try this...»home.toadlife.net/winsudo |
|
  toadlife Premium join:2004-05-03 Lemoore, CA | reply to redxii BTW, I shot an email over to Avast regarding the issue with their AV. Hopefully they take it seriously. |
|