Eset Software NOD32 Antivirus Local Arbitrary File Creation Vulnerability

Vulnerability ID 1195492 Vulnerability type Access validation error
Published 2006-04-06 Updated 2006-12-21
CVE ID CVE-2006-1649 CNNVD ID CNNVD-200604-070
Platform N/A CVSS score 7.2
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006040007
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-070
|Vulnerability details
The "restore to" option of the "quarantine a file" capability in ESET NOD32 before version 2.51.26 lets a user who only has read access invoke a restore into an arbitrary directory. This allows local users to create new files in a directory regardless of whether they have write permission on it.
|Vulnerability exploit
NOD32 local privilege escalation vulnerability

Not affected: > Version 2.51.26
Tested on: Winxp sp2
Risk: Average

To escalate the system privilege, the option 'quarantine a file' in NOD32 can be exploited & a malicious file can be copied to the quarantine and using the 'restore to...' option it can be dropped to the directory in which the SYSTEM user just had read-only permission.

Note: from lower privilege, this trick can write a file to any directory to which the user has read-only access, but can't overwrite a file if the file-name already exists.

Vendor Website: www.eset.com
Vendor reported: Mar 24, 2006
Patch release: Apr 4, 2006 (Version 2.51.26)

POC video & detail description: http://bipin.securityhead.com/NOD32.zip

--

Bipin Gautam
http://bipin.tk
|References

Source: BID
Name: 17374
Link: http://www.securityfocus.com/bid/17374
Source: BUGTRAQ
Name: 20060404 NOD32 local privilege escalation vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/429892/100/0/threaded
Source: XF
Name: nod32-restoreto-file-upload(25640)
Link: http://xforce.iss.net/xforce/xfdb/25640
Source: OSVDB
Name: 24393
Link: http://www.osvdb.org/24393
Source: VUPEN
Name: ADV-2006-1242
Link: http://www.frsirt.com/english/advisories/2006/1242
Source: SECTRACK
Name: 1015867
Link: http://securitytracker.com/id?1015867
Source: SECUNIA
Name: 19054
Link: http://secunia.com/advisories/19054
Source: SREASON
Name: 672
Link: http://securityreason.com/securityalert/672