Forum Thread: SUPERAntiSpyware Multiple Vulnerabilities

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
SUPERAntiSpyware Multiple Vulnerabilities

Secunia SUPERAntiSpyware Multiple Vulnerabilities
Secunia Official 11th Mar, 2010 21:10
Luka Milkovic has reported some vulnerabilities in SUPERAntiSpyware, which can be exploited by malicious, local users to cause a DoS (Denial of Service) or gain escalated privileges.

1) The SASENUM.sys kernel driver passes user-space pointers in calls to e.g. ZwQueryObject(). This can be exploited to cause a NULL-pointer dereference and crash an affected system via specially crafted IOCTLs.

2) A boundary error exists in SASKUTIL.sys when processing user-space registration requests. This can be exploited to cause a buffer overflow with process ID values and cause a system crash.

3) An error exists in SASKUTIL.sys when processing IOCTL_SABKUTIL_ZWOPENPROCESS requests. This can be exploited to corrupt kernel memory and cause a system crash via invalid parameters passed to ZwOpenProcess().

4) The SASKUTIL.sys driver passes user-mode parameters to the ZwQueryValueKey() function. This can be exploited to overwrite arbitrary memory and potentially gain escalated privileges via a specially crafted IOCTL_SABKUTIL_QUERY_VALUE request.

5) The SASKUTIL.sys driver provides wrappers against registry and file functions. This can be exploited to read arbitrary files and registry keys, and modify arbitrary registry keys via specially crafted IOCTLs.

6) SASKUTIL.sys allows unrestricted access to the SetVistaTokenInformation() function. This can be exploited to cause a crash or gain escalated privileges via a specially crafted IOCTL_SABKUTIL_SET_VISTA_TOKEN_INFORMATION request.

7) An error in SASKUTIL.sys can be exploited to gain escalated privileges via a specially crafted IOCTL_SABKUTIL_SET_VISTA_PRIVILEGES_FOR_CURRENT_PROCESS request.

The vulnerabilities are reported in version 4.33.1000. Other versions may also be affected.
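The seven items above share one root cause: the drivers take values straight from the caller's IOCTL input and hand them to Zw* routines. Zw* calls run with a kernel previous mode, so the probing of user pointers and the handle-ownership checks that the kernel performs for Nt* calls arriving from user mode do not happen; the driver has to do them itself. As an added illustration (not code from the advisory, from the reporter or from SUPERAntiSpyware), the user-mode C model below shows those checks for three request kinds: length-checking the input structure, validating a private copy of it, rejecting output pointers that are not entirely in user space, and refusing privileged requests from callers who should not have opened the device. The IOCTL codes, structure layouts, the 64-entry limit and the caller_is_admin flag are hypothetical.

```c
/* Added example, not SUPERAntiSpyware code: a user-mode C model of the checks
 * a kernel IOCTL dispatcher must do itself before passing caller-controlled
 * values to Zw* routines, which run with a kernel previous mode and therefore
 * skip pointer probing and handle-ownership checks. IOCTL codes, struct
 * layouts and limits are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTSTATUS values (real Windows constants). */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_ACCESS_DENIED          0xC0000022u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

/* Hypothetical control codes for the three request kinds modelled here. */
#define IOCTL_QUERY_VALUE    0x8000A004u
#define IOCTL_REGISTER_PIDS  0x8000A008u
#define IOCTL_SET_TOKEN_INFO 0x8000A00Cu

#define MM_USER_PROBE_ADDRESS 0x7FFF0000u  /* 32-bit user/kernel split */
#define MAX_PIDS 64u                       /* hypothetical array limit */

/* Input for "query a registry value": out_buffer is a caller-chosen address
 * that ZwQueryValueKey() would write to without any check of its own. */
typedef struct {
    uint32_t key_handle;
    uint32_t out_buffer;
    uint32_t out_length;
} query_value_req_t;

/* Input for "register these process IDs": count bounds a fixed array. */
typedef struct {
    uint32_t count;
    uint32_t pids[MAX_PIDS];
} register_pids_req_t;

/* What the dispatcher sees: control code, SystemBuffer, InputBufferLength
 * and the result of the privilege check made when the device was opened. */
typedef struct {
    uint32_t    code;
    const void *in_buf;
    size_t      in_len;
    int         caller_is_admin;
} ioctl_t;

/* The check ProbeForWrite() performs: the buffer lies wholly below the split
 * and does not wrap. Its absence is what item 4 describes. */
int user_range_ok(uint32_t base, uint32_t len)
{
    if (len == 0)
        return 1;
    if (base >= MM_USER_PROBE_ADDRESS || base + len < base)
        return 0;
    return base + len <= MM_USER_PROBE_ADDRESS;
}

uint32_t dispatch_ioctl(const ioctl_t *r)
{
    switch (r->code) {
    case IOCTL_QUERY_VALUE: {
        query_value_req_t q;
        if (r->in_len < sizeof q)
            return STATUS_BUFFER_TOO_SMALL;
        /* Validate a private copy, so the caller cannot swap the fields
         * between check and use (double fetch). */
        memcpy(&q, r->in_buf, sizeof q);
        if (!user_range_ok(q.out_buffer, q.out_length))
            return STATUS_INVALID_PARAMETER;
        /* A real driver now resolves q.key_handle with
         * ObReferenceObjectByHandle(..., UserMode, ...), which rejects a
         * handle the caller does not own, before calling ZwQueryValueKey(). */
        return STATUS_SUCCESS;
    }
    case IOCTL_REGISTER_PIDS: {
        register_pids_req_t p;
        if (r->in_len < sizeof p.count)
            return STATUS_BUFFER_TOO_SMALL;
        memcpy(&p.count, r->in_buf, sizeof p.count);
        /* A missing bound on count is the overflow item 2 describes. */
        if (p.count > MAX_PIDS)
            return STATUS_INVALID_PARAMETER;
        if (r->in_len < sizeof p.count + p.count * sizeof(uint32_t))
            return STATUS_BUFFER_TOO_SMALL;
        memcpy(p.pids, (const uint8_t *)r->in_buf + sizeof p.count,
               p.count * sizeof(uint32_t));
        return STATUS_SUCCESS;
    }
    case IOCTL_SET_TOKEN_INFO:
        /* Token and privilege changes (items 6 and 7) must be unreachable
         * from unprivileged callers. The robust form is a device DACL set via
         * IoCreateDeviceSecure() so they cannot open the device at all;
         * modelled here as a flag recorded by that open-time check. */
        if (!r->caller_is_admin)
            return STATUS_ACCESS_DENIED;
        return STATUS_SUCCESS;
    default:
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}
```

A request whose out_buffer is 0x80004000, or whose base plus length crosses the split, is refused before any Zw* call is made; an in_len shorter than the declared structure, or a count larger than the array, is refused before anything is copied. In a real driver the probe is wrapped in __try/__except because ProbeForWrite raises rather than returns on failure, and the handle check uses ObReferenceObjectByHandle with UserMode as the access mode so the caller's own handle table and granted access are what get checked.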

bjm__ RE: SUPERAntiSpyware Multiple Vulnerabilities
Member 11th Mar, 2010 21:10
Solution
Update to version 4.34.1000, which fixes some of the vulnerabilities.
Unable to update to version 4.34.1000, as the current version available from the vendor is 4.34.0.1000.
SUPERAntiSpyware 4.x 4.34.0.1000
PSI reports:
SUPERAntiSpyware 4.x
This installation of SUPERAntiSpyware 4.x is insecure and potentially exposes your system to security threats!

Secunia strongly recommends that you update this program by installing the update that is provided by the vendor of this program.
-------------------------------------------------------------
I have the current update provided by the vendor: 4.34.0.1000.
The current product version, 4.34.0.1000, has been installed on my box and was reported as "secure" before Secunia began reporting "insecure" for version 4.34.1000.
Is the "insecure" because this is only a partial fix?

bjm-

Anthony Wells RE: SUPERAntiSpyware Multiple Vulnerabilities
Expert Contributor 11th Mar, 2010 22:14
Hello bjm,

Don't know if it is your eyes or mine, but the SAS programme on my PC reports version 4.34.1000, and the same programme version is offered for download from their website.

PSI is now reporting version 4.34.0.1000 as CAT 2 insecure, and directing to the latest installation link at SAS, i.e. 4.34.1000.

Following the PSI "installation path", the SAS .exe file in the programme folder shows 4.34.0.1000. So everybody is right in one way or another :)

The question remains: is the up-to-date version 4.34.x still vulnerable, and if there is no fix, why has it been moved to "insecure"?

Perhaps we are rushing things and PSI needs to reset.

Anthony

--


It always seems impossible until it's done.
Nelson Mandela

bjm__ RE: SUPERAntiSpyware Multiple Vulnerabilities
[reply minimised due to a negative Relevancy Score]
SUPERAntiSpy RE: SUPERAntiSpyware Multiple Vulnerabilities
Secunia Vendor 12th Mar, 2010 01:41
Hello all - my name is Nick Skrepetos, owner of SUPERAntiSpyware.com. Luka contacted our company and has, I believe, attempted to extort us over these "issues"; no one has EVER used any of these items to exploit ANYTHING in the real world.

We altered our kernel drivers so that his test code would no longer have issues, and he simply re-reverse-engineered the drivers to make his test "work" again. I have the original code and can provide it if necessary to show this fact.

NONE of the functions described above can be accessed by "any" program unless the program is authenticated with our driver. Luka indicated he would NOT post the authentication scheme, which he ripped from our program; without that, no other application can access our drivers. As we did not play into the potential extortion, Luka has included that code for malware authors to exploit. As such, we are altering the authentication scheme, as we do often, to prevent potential exploits and hacking. Any piece of code, including that of the Windows kernel, has been and will always be reverse-engineered in time.

Luka's results are essentially like saying "I put sand in the pistons of a motor and now it crashed/stopped running". There is always a way to force ANY driver to crash from kernel mode. NONE of the items documented by Luka are real-world, and they have not been exploited in over 5 years of the drivers being downloaded over 30 million times.

It's unfortunate that a single user such as Luka, who likely has another agenda, is allowed to post code and hide behind the walls of the Internet; all Luka is doing is helping malware authors.
Anthony Wells RE: SUPERAntiSpyware Multiple Vulnerabilities
Expert Contributor 12th Mar, 2010 12:20
Thank you Nick for your explanation (even I understood it :)); I have good experience of your software (free product only, on my budget, I'm afraid :() and hope you continue to defend us from black hats. Every force to your arm.

I trust Secunia will decide quickly why the "latest" 4.34.x version of SAS (fully patched in their eyes or not) is showing in the PSI "insecure" tab (as of this moment), when convention implies that it should still be in the "patched" tab.

Take care
Anthony

Anthony Wells RE: SUPERAntiSpyware Multiple Vulnerabilities
Expert Contributor 12th Mar, 2010 12:22
Double post, deleted.

Update: SAS has now gone back into the "patched" tab. Thank you everybody.

Take care
Anthony


cadence yedmore RE: SUPERAntiSpyware Multiple Vulnerabilities
[reply minimised due to a negative Relevancy Score]
bjm__ RE: SUPERAntiSpyware Multiple Vulnerabilities
Member 24th Mar, 2010 18:17
Hello Dave,
I see your message is @ SAS Vendor.
I'll just toss in my thoughts for your consideration.
SAS has a removal tool available from their site > scroll the page > How do I uninstall?
http://www.superantispyware.com/precreateticket.ht...
------------------------
Alternative: install Revo Uninstaller (free version) and see if Revo finds SAS.
Odd that Control Panel does not populate SAS... as you have SAS on your box.
-------------------------------
Are you sure it's SAS and not a rogue malicious application?

Cheers
bjm-

stvh1 RE: SUPERAntiSpyware Multiple Vulnerabilities
[reply minimised due to a negative Relevancy Score]
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144