All said and done, that doesn't make it a vulnerability. On Sun, May 23, 2010 at 11:47 PM, lsi <[email protected]> wrote:
> On 23 May 2010 at 16:34, Thor (Hammer of God) wrote: > > From: "Thor (Hammer of God)" <[email protected]> > To: "[email protected]" <full- > [email protected]> > Date sent: Sun, 23 May 2010 16:34:24 +0000 > Subject: Re: [Full-disclosure] denial-of-service > vulnerability in the > Microsoft Malicious Software Removal Tool > > > And where's the part where the system was rendered unbootable? > > The unbootable part comes when you replace NDIS.SYS. Unless you know > to replace the registry keys first, which is certainly not obvious > from the MRT log. > > > And how did your users get infected with Cutwail? Let me guess... > > they are all still running XP and you've got them running as local > > administrators right? And they get to download codecs "willy nilly" > > and are probably using Bittorrent to get illegal copies of software > > pre-infected with cutwail, right? > > How do I know how they got infected? These are all third-party > companies (my customers), sometimes when they have cash problems, > they don't call me, they try and do it themselves, or do nothing. I > might not see them for months. They don't want to upgrade - they > heard about Vista (LOL) and they don't have, or don't want to spend > the money. > > This is reality, not some managed datacentre in Redmond. > > > local administrators > > Their apps needed it last I checked. I didn't set up their machines. > They have not asked me to look at that. I have enough trouble > getting work OK'd without putting my neck on the line suggesting a > configuration change which I cannot guarantee will not cause > instability, particularly with their legacy and unsupported software, > of which there is plenty. > > Again, this is reality, not some managed datacentre in Redmond. > > > Bittorrent > > No, like this: > > "Stuart, need your help. My computer has a virus. Yesterday night I > opened an email that I was expecting from a Bernice. It turned out > that it was the wrong Bernice and it was a virus. It loaded Security > Essentials 2010 which is a scarevirus to make the user believe that > there are virus a pay for their software which does nothing anyway. > It has loaded a virus in the registry file. There is a lot about it > on the net. I then found a PC tools download to remove. However when > I turned mycomputer off it does not now allow me to log on. I have > turned it off. I am without a PC now. Can you come tomorrow to > resolve it for me? Many thanks. Please let me know ad I need it > urgently." > > > Regardless, let's see if we have your advisory correct. In order to > > be a victim of this "Denial of Service Vulnerability" we must first > > get infected with something like Cutwail > > true > > > that runs with user interaction > > false. Cutwail has no known infection vectors. However, Cutwail is > just an example. > > > interaction and also requires administrator privileges (you can see > > that NDIS.SYS was altered). > > When I am logged in as Admin and try to replace NDIS.SYS, Windows > File Protection replaces it. Why did WFP fail to protect the file > against Cutwail in the first place, and how can a virus replace > NDIS.SYS using Administrative privs, if I cannot do it myself when > Administrator? > > > Of course, your AV must be at least 2 years old too. > > false, it was up-to-date, although I am questioning its effectiveness > > > Then, once we get infected with malware, we run MRT, > > and see in the logs that it was successfully removed and requires a > > reboot. > > Actually, AV found the virus in NDIS.SYS but could not remove it. So > I ran MRT because I thought that a Microsoft product would know this > is a Windows file that cannot simply be deleted. MRT says it's done > and needs reboot, so I reboot... and the system is toast. > > To clarify, in this particular case, the first reboot, you can login > in normal mode, but cannot use any network adapters (code 39 - driver > corrupted or missing). Reinstalling the drivers doesn't help. So > then you think, oh that's because NDIS was trashed by MRT, so I'll > just replace NDIS.SYS.... > > And thats when you get the BSOD on boot to normal mode. So then you > need to figure out that the cause of that BSOD is a missing registry > key, then you need to figure out which keys (there are three, for > each controlset), then you need to get the correct keys from a clean > machine, then you need to figure out how to replace the keys (some of > them cannot be imported with mere Administrative permissions). > > However, just last week I also fixed a problem with the userinit > registry key, also mysteriously deleted - why would a virus trash its > host? Answer: it doesn't, I think it was MRT that trashed it. A > missing userinit key means instant logoff on logon, even in safe mode > as Administrator. I might be able to dig up the MRT log for that > machine (would be interesting to see whether it was in fact MRT that > did it). Want to place bets now? > > >From a quick look at the web, MRT has also in the past deleted > Internet Explorer (iexplore.exe). Oh, the poetry.... > > The point of my mail was that anyone can innocently run MRT and it > may trash their box. This is due to one or more design flaws in the > MRT, and in Windows itself. Are you saying I should just sit on this > info? If someone had told me MRT was going to trash my customer's > machine, I would not have wasted most of last week fixing it. > > Stu > > > >-----Original Message----- > > >From: [email protected] [mailto: > full-disclosure- > > >[email protected]] On Behalf Of lsi > > >Sent: Sunday, May 23, 2010 9:16 AM > > >To: [email protected] > > >Subject: [Full-disclosure] denial-of-service vulnerability in the > Microsoft > > >Malicious Software Removal Tool > > > > > >denial-of-service vulnerability in the Microsoft Malicious Software > Removal > > >Tool > > > > > >platforms affected: Windows > > >distribution: wide > > >severity: high > > > > > >Description of the vulnerability: > > > > > >The Microsoft Malicious Software Removal Tool (MRT) is a program used to > > >remove malware from infected Windows systems. However, MRT does not > > >always correctly repair the system. In at least one case, the changes > made by > > >MRT can render the system unbootable (log below). > > >Repair can be time-consuming and expensive, particularly as the error > > >messages and log files of the software concerned are cryptic and > > >uninformative, or non-existent. > > > > > >As MRT runs automatically in the background once a month, these changes > to > > >the system may be made without the knowledge of an Administrator (or > even > > >the user). > > > > > >Suspected cause: > > > > > >Missing logic in MRT to repair the system, rather than just deleting > stuff willy- > > >nilly. > > > > > >Recommendations: > > > > > >1. Do not run MRT manually. > > > > > >2. Disable MRT if possible, especially on mission-critical machines. > > > > > >3. Do not use Windows. > > > > > >Details of notification to vendor: > > > > > >None. > > > > > >Sample of the fault: > > > > > >Microsoft Windows Malicious Software Removal Tool v3.7, May 2010 Started > > >On Tue May 18 21:24:47 2010 > > > > > >Quick Scan Results for XXXXXXXXXXXXXXXXXXXXX: > > >---------------- > > >Threat detected: VirTool:WinNT/Cutwail.L > > > driver://NDIS > > > file://C:\WINDOWS\system32\drivers\NDIS.sys > > > SigSeq: 0x00008A78910FD971 > > > SHA1: DEFB65309ABB3DD81F223ABA7CDB9EB26D66611A > > > > > >regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW > > >ORK\NDIS > > > > > >safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET > > >WORK\NDIS > > > service://NDIS > > > > > >Quick Scan Removal Results > > >---------------- > > >Start 'remove' for > > >regkey://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NETW > > >ORK\NDIS > > >Operation succeeded ! > > > > > >Start 'remove' for service://NDIS > > >Operation was scheduled to be completed after next reboot. > > > > > >Start 'remove' for > > >safeboot://HKLM\SYSTEM\CURRENTCONTROLSET\CONTROL\SAFEBOOT\NET > > >WORK\NDIS > > >Operation succeeded ! > > > > > >Start 'remove' for driver://NDIS > > >Operation was scheduled to be completed after next reboot. > > > > > >Start 'remove' for file://\\?\C:\WINDOWS\system32\drivers\NDIS.sys > > >Operation succeeded ! > > > > > > > > >Results Summary: > > >---------------- > > >For cleaning VirTool:WinNT/Cutwail.L, the system needs to be restarted. > > >Microsoft Windows Malicious Software Removal Tool Finished On Tue May > > >18 21:31:29 2010 > > > > > > > > >Return code: 10 (0xa) > > > > --- > Stuart Udall > stuart [email protected] net - http://www.cyberdelix.net/ > > --- > * Origin: lsi: revolution through evolution (192:168/0.2) > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
