J-Security Center

Title: Cheyenne InocuLAN Windows NT Share Vulnerability

Severity: HIGH

Description:

It is possible to run arbitrary code on any Intel machine running Cheyenne
Inoculan version 4.0 for Windows NT prior to SP2.

Inoculan runs as a service, called "Cheyenne InocuLAN Anti-Virus Server".
When it starts, it replaces any existing share of the same name and shares
"CHEYUPD$" with Full Control for the Everyone group.

When the service starts, it does an update check in this directory (usually
"C:\Inoculan\Update\" ) using the files
"<NtBox>\CHEYUPD$\English\NtIntel\Ready\filelist.txt" and
[idem]...\avh32dll.dll

Simply "touching" or modifying the file "filelist.txt" so that it appears newer
than it really is triggers the update. The update causes the service to stop, the
avh32dll.dll DLL to replace the existing one (usually in
c:\inoculan\avh32dll.dll), and then starts the service again.
When the service starts, it loads the DLL into memory, and only THEN does further
processing (including checking whether it is a valid DLL, I presume).

A DLL can execute arbitrary code at the moment it is loaded into memory, at the
precise time when DllMain is called by the image loader, before any other
function has a chance to be called.

To check whether you are vulnerable: if you have the Windows NT Resource Kit installed, run

SRVCHECK.EXE \\<YourMachine>

else run srvmgr.exe from a NT server on the same domain, select <YourMachine>
and select "Computer|Shared Directories".

If there is a shared directory called "CHEYUPD$" that allows "FULL CONTROL" to
the "EVERYONE" group, you are vulnerable.
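The same check on a current Windows host, as an added example that is not part of the original advisory and not code from Cheyenne or Juniper. It uses the SmbShare module cmdlets Get-SmbShare and Get-SmbShareAccess (available on Windows 8 / Server 2012 and later, so not on the NT 4 systems the advisory targets, where SRVCHECK.EXE or srvmgr.exe are the tools to use). It goes slightly beyond the advisory: besides flagging a CHEYUPD$ share that allows Everyone Full Control, it reports any other share with that same weak permission. The optional -ComputerName parameter and its use of a CIM session are an assumption for remote checks; omit it to inspect the local machine.

```powershell
# Added example, not code from the original advisory or from Cheyenne/Juniper.
# Lists SMB shares that grant the Everyone group Full Control and calls out
# the advisory's indicator: a share named CHEYUPD$ with that permission.
# Requires the SmbShare module (Windows 8 / Server 2012 and later).
param(
    [string]$ComputerName = $null   # assumption: omit to check the local machine
)

# Build optional -CimSession argument for remote inspection (assumed usage)
$cimArgs = @{}
if ($ComputerName) {
    $cimArgs.CimSession = New-CimSession -ComputerName $ComputerName
}

$findings = foreach ($share in Get-SmbShare @cimArgs) {
    # One access entry per trustee on the share-level ACL
    foreach ($ace in (Get-SmbShareAccess -Name $share.Name @cimArgs)) {
        # The trustee may be shown bare ("Everyone") or with a prefix; match the trailing name
        $isEveryone = $ace.AccountName -match '(^|\\)Everyone$'
        if ($isEveryone -and $ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -eq 'Full') {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Trustee   = $ace.AccountName
                Right     = $ace.AccessRight
                Indicator = if ($share.Name -ieq 'CHEYUPD$') {
                                'CHEYUPD$ with Everyone:Full, matches the advisory'
                            } else {
                                'Everyone:Full on another share'
                            }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No shares grant Everyone Full Control on $(if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME })."
}
```

A hit on the CHEYUPD$ row reproduces the advisory's manual check; rows for other shares are simply the same exposure pattern (anonymous-group write access to a directory from which a service loads code) and are worth reviewing on their own merits.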

An interesting point is that Inoculan uses "domains". In one domain, a single
server forwards the updates to all machines participating in that "domain"
(nothing to do with NT domains). It may be possible to write the trojan
DLL to the domain server's CHEYUPD$ shared directory and have that server
copy it to all the machines in the domain.

Affected Products:

  • Cheyenne Inoculan for Windows NT 4.0.0
