Today's bugtraq post

Discussion in 'NOD32 version 2 Forum' started by stevenestrada, Apr 5, 2006.

Thread Status:
Not open for further replies.
  1. stevenestrada

    stevenestrada Registered Member

    Joined:
    Apr 13, 2004
    Posts:
    43
    Please refer to version printouts and bugtraq post below.

    Why hasn't ESET initiated a customer contact regarding this, why hasn't the patch been pushed with normal updates, is nod32 for unix affected, what needs to be done to get a system patched now?

    ----------------------------------------------------------------

    NOD32 antivirus system information
    Virus signature database version: 1.1471 (20060404)
    Dated: Tuesday, April 04, 2006
    Virus signature database build: 7013

    Information on other scanner support parts
    Advanced heuristics module version: 1.028 (20060324)
    Advanced heuristics module build: 1107
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.040 (20051222)
    Archive support module build version: 1142

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.50.25
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.50.25
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.50.25

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 1023 MB
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz (2992 MHz)

    ------------------------------------------------------------------

    NOD32 Update Mirror Creator, Version 2.09,
    (C) 2004 Eset, s.r.o.
    Update started on 04-05-2006, 04:22:16.
    Checking remote update packages at 'www.nod32.com'... ok / 2k (100%)
    Checking local update packages in '/var/opt/eset/nod32/lib/mirror/'... ok (17 nups found).
    Local copy is up to date.
    Update finished at 04:22:17, total time: 1 sec (00:00:01).

    NOD32 Antivirus System Update, Version 2.01,
    (C) 2004 Eset, spol. s r.o.

    Installed version:
    Virus signature database version: 1.1471 (20060404)
    Virus signature database build: 7013

    Update launched: Wed Apr 5 04:22:17 2006

    +-+-------------------------------+---------------------+---------------------+
    | | Module                        | Available version   | Installed version   |
    +-+-------------------------------+---------------------+---------------------+
    | | Virus signature database      | 1.1471 (7013)       | 1.1471 (7013)       |
    | | pwscan                        | 1.001 (1012)        | 1.001 (1012)        |
    | | utilmod                       | 1.009 (1067)        | 1.009 (1067)        |
    | | Archive support               | 1.040 (1142)        | 1.040 (1142)        |
    | | charon                        | 1.005 (1040)        | 1.005 (1040)        |
    | | Advanced heuristics           | 1.028 (1107)        | 1.028 (1107)        |
    +-+-------------------------------+---------------------+---------------------+

    Return code 1:
    Your NOD32 Antivirus System is already up-to-date

    ----------------------------------------------------------------------------------------------

    Date: 4 Apr 2006 19:27:20 -0000
    X-Mailer: MIME-tools 5.411 (Entity 5.404)
    From: visitbipin@hotmail.com
    To: bugtraq@securityfocus.com
    Subject: NOD32 local privilege escalation vulnerability

    NOD32 local privilege escalation vulnerability

    Not affected: > Version 2.51.26
    Tested on: Winxp sp2
    Risk: Average

    To escalate the system privilege, the option 'quarantine a file' in NOD32 can be exploited & a malicious file can be copied to the quarantine and using the 'restore to...' option it can be dropped to the directory in which the SYSTEM user just had read-only permission.

    Note: from lower privilege, this trick can write a file to any directory in which the user has read-only access to but can't overwrite a file if the file-name already exists.

    Vendor Website: www.eset.com
    Vendor reported: Mar 24, 2006
    Patch release: Apr 4, 2006 (Version 2.51.26)

    POC video & detail description: http://bipin.securityhead.com/NOD32.zip

    --

    Bipin Gautam
    http://bipin.tk
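    The advisory quoted above gives the first unaffected release (2.51.26) and the post gives the NOD32 "installed components" printout. The following is an added triage helper, not part of the thread or of any ESET tool: it parses that printout format and flags components still below the patched version, comparing versions numerically so that a release such as 2.51.3 is not mistaken for being newer than 2.51.26.

```python
import re

# First release the advisory lists as not affected (Patch release: Version 2.51.26).
FIXED_VERSION = (2, 51, 26)

# Constructed sample of the "Information about installed components" block,
# laid out the way the NOD32 system information dialog prints it in the thread.
SAMPLE_PRINTOUT = """\
Information about installed components
NOD32 For Windows NT/2000/XP/2003 - Base
Version: 2.50.25
NOD32 For Windows NT/2000/XP/2003 - Internet support
Version: 2.50.25
NOD32 for Windows NT/2000/XP/2003 - Standard component
Version: 2.50.25
"""


def parse_version(text):
    """Turn a dotted version string such as '2.50.25' into a tuple of ints.

    Tuple comparison orders numerically per field, so (2, 51, 3) < (2, 51, 26),
    which a plain string comparison would get wrong.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_components(printout):
    """Return {component name: version tuple} from the printout.

    Each component name line (starting with 'NOD32') is followed by a
    'Version: x.y.z' line; other lines are ignored.
    """
    components = {}
    pending = None
    for line in printout.splitlines():
        line = line.strip()
        match = re.match(r"Version:\s*([\d.]+)$", line)
        if match and pending:
            components[pending] = parse_version(match.group(1))
            pending = None
        elif line.startswith("NOD32"):
            pending = line
    return components


def affected_components(printout, fixed=FIXED_VERSION):
    """List component names whose installed version is below the patched release."""
    return sorted(name for name, ver in parse_components(printout).items() if ver < fixed)
```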
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    This exploit requires either a deliberately malicious or stupid user. My question is - why would you let either use your PC to take advantage of this?

    Of course if I have any concern then I hope that it will be resolved. My other question is - do I have any concern?
    You, I and everybody else have far easier means available to elevate privileges than this :)

    Cheers :)

    afterthought...
    If as a good administrator should, you set a password to protect your NOD32 settings, then who else can otherwise take advantage of this?
     
    Last edited: Apr 6, 2006