From: John Duddy (JDuddySTBERNARD.COM)
Date: Mon Apr 15 2002 - 13:11:18 CDT

    As far as I know, there is no way to manipulate the values you mention
    without being an Administrator. If one of your administrators deletes these
    values, you will indeed have the symptoms you mentioned. However, letting
    someone like that have administrative rights on your machine is the source
    of the error.

    John Duddy
    Principal Engineer
    St. Bernard Software

    -----Original Message-----
    From: RagnarokHAMMEROFGOD.COM [mailto:RagnarokHAMMEROFGOD.COM]
    Sent: Monday, April 15, 2002 9:49 AM
    To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
    Subject: Multiple Weaknesses in St Bernard's UpdateExpert 5.1

    Multiple Weaknesses in St Bernard's UpdateExpert 5.1

    OVERVIEW
    Date: 15 April, 2002
    Vendor: St Bernard
    Website: http://www.updateexpert.com/

    Product Description
    UpdateEXPERT helps you to secure your systems by managing the deployment of
    service packs and hotfixes. Microsoft constantly releases updates for the OS
    and mission critical applications. These fixes address security
    vulnerabilities and system stability problems. UpdateEXPERT v5.1 supports
    Windows NT, 2000 and XP, and a long list of mission critical applications
    (review the latest list of supported applications). UpdateEXPERT researches,
    inventories, deploys updates and validates installations of networked
    machines.

    I decided to look into how UpdateExpert performs hotfix assessment including
    patch detection and what it calls 'validation'. My tests were conducted with
    UpdateExpert 5.1 against a Windows 2000 Server. We first need to understand
    how UpdateExpert performs its inventory of installed and missing patches.

    WEAKNESSES

    1) UpdateExpert patch detection process is based only on the status of a
    registry key. If you delete this key you can fool UpdateExpert into
    thinking the patch has not been applied. Worse, if you create the expected
    registry key, you can fool UpdateExpert into thinking the patch has been
    applied when it hasn't been installed. (See number 2 for a weakness in the
    patch validation process that is meant to overcome this problem)

    To see if a patch is installed UpdateExpert looks at the computer's registry
    for a registry value. For Windows patches, it looks under
    hkey_local_machine\software\Microsoft\Windows NT\CurrentVersion\Hotfix\Qxxxxxx\.
    If there is an entry with value of installed=1, then UpdateExpert says the
    patch is installed. If the value is 0, or is not present, then UpdateExpert
    says the patch is missing.

    a) It's possible to make an installed patch appear to be missing by
    modifying or deleting the Installed=1 registry value. To make the Windows
    2000 rollup patch appear to be uninstalled find the following registry key

    HKLM\Software\Microsoft\Windows NT\Currentversion\HotFix\SP2SRP1
    and delete the Installed=1 value - or change it to 0.

    b) It's possible to make an uninstalled patch appear to be installed. This
    is the worst of the two scenarios. To make the recent IIS security patch
    appear to be installed when it's not, create this key:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Q319733
    and create a value of Installed=1

    When UpdateExpert is run, it will show a green dot next to this patch on
    this computer, telling the administrator that the patch has been applied
    though it has not.

    Relying on registry keys for performing patch inventory is not reliable.
    Further, this process does not help identify situations where MS has
    released a new version of a specific patch. (By relying on registry keys,
    UpdateExpert is not able to tell that a more recent version of the patch is
    available.)

    To combat the above issue, St. Bernard built a patch Validation function.

    "Validation is the process by which UpdateEXPERT verifies that the list of
    updates that have been installed are still present. Validation is dependent
    on the information made available in the fix describing what files are
    supposed to exist and various information about these files." (from the
    UpdateExpert Help file)

    Unfortunately, it has no integrity and can also be fooled.

    2) The UpdateExpert patch validation function can be easily fooled by
    modifying registry keys on the computer. By deleting or modifying specific
    registry values, you can make UpdateExpert "Validate" the presence of a
    patch that is not properly installed. In the worst case, you can make
    UpdateExpert believe that a patch has been installed and is valid, when the
    patch has never been applied.

    By selecting a supposedly installed patch (marked by green dot), you can
    right click on the patch and choose to view files that were installed by the
    patch. The list of files comes from this registry key

    HKLM\Software\Microsoft\Updates\Windows 2000\SP3\Qxxxxxx\Filelist

    UpdateExpert performs its validation function by comparing the file version
    data stored in this key to the file version of the files on the system. If
    the files on the system are equal to or greater than the file versions
    listed in the registry, UpdateExpert says the patch is Validated. Therefore
    a malware copy of a hotfix file (with a version number greater than the
    registry key) would be considered valid.

    To make UpdateExpert believe that the recent IIS patch has been installed
    and to make it appear valid (when neither case is true), write the following
    registry keys:

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Q319733
    create a value of Installed=1

    HKLM\Software\Microsoft\Updates\Windows 2000\SP3\Q319733\Filelist
    create key '0'
    under this key, write the following values
    FileName:RegSZ:Kernel32.dll
    Location:RegSZ:C:\Winnt\System32
    Version:RegSZ:1.0

    UpdateExpert will show the patch as installed (installed=1), and when it
    Validates, it will look for kernel32.dll with a file version equal to or
    greater than 1.0. Result, patch is shown as installed and Validated, when
    it's never been applied.

    SUMMARY
    UpdateExpert's use of registry keys presents a flawed picture of hotfix
    status.
    Determining a file is valid because its version is equal to or greater than
    a known value does not protect against trojan code.
    Validating presence of patches based on information stored on the computer
    itself is not a sound security practice.

    RECOMMENDATION
    Don't rely on patch status as reported by UpdateExpert.
    Don't rely on patch validation as reported by UpdateExpert.

    VENDOR STATUS
    Vendor has not been notified.

    Ragnarok.
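The post describes two checks: a presence check that trusts an Installed=1 registry value, and a validation check that trusts a Filelist written to the same registry and accepts any file whose version is equal to or greater than the listed one. The following is an added example, not code from the post or from St. Bernard. It models that weak rule as the post describes it (`weak_validate`), and beside it an audit that compares the host against a baseline kept off the machine, with exact versions and file digests, so a forged Installed value, a stale Filelist or a replaced binary with a higher version number is reported rather than accepted. The file name `example.dll`, the version strings, the digest and the host snapshots are constructed placeholders, not real Q319733 data.

```python
"""Added example: registry-trusting validation versus an out-of-band baseline.

Not part of the NTBugtraq post or the UpdateExpert product. All file names,
versions, digests and host snapshots are constructed placeholders.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(text: str) -> tuple:
    """'5.0.2195.1' -> (5, 0, 2195, 1) for ordered comparison."""
    return tuple(int(part) for part in text.split("."))


def norm_path(path: str) -> str:
    """Windows paths compare case-insensitively."""
    return path.replace("/", "\\").lower()


# --- The rule the post describes: trust the on-host Filelist, accept version >= listed.
def weak_validate(filelist: list, on_host: dict) -> bool:
    """filelist entries mirror the Filelist values in the post
    ({'FileName', 'Location', 'Version'}); on_host maps path -> (version, bytes).
    Returns True when every listed file exists with version >= listed."""
    host = {norm_path(p): v for p, v in on_host.items()}
    for entry in filelist:
        path = norm_path(entry["Location"].rstrip("\\") + "\\" + entry["FileName"])
        found = host.get(path)
        if found is None or parse_version(found[0]) < parse_version(entry["Version"]):
            return False
    return True


# --- Baseline held off the audited host (constructed placeholder data).
@dataclass(frozen=True)
class ExpectedFile:
    path: str
    version: str   # exact version the patch ships
    sha256: str    # digest of that exact binary


PATCHED_BYTES = b"constructed stand-in for the patched example.dll"
BASELINE = {
    "Q319733": (
        ExpectedFile("C:\\Winnt\\System32\\example.dll", "5.0.2195.2", sha256_hex(PATCHED_BYTES)),
    ),
}


def audit_patch(qnumber: str, registry_installed: bool, on_host: dict, baseline=BASELINE):
    """Cross-check the registry's claim against independent evidence.
    Returns (verdict, findings); the registry value is never the deciding input."""
    host = {norm_path(p): v for p, v in on_host.items()}
    findings = []
    files_ok = True
    for expected in baseline[qnumber]:
        found = host.get(norm_path(expected.path))
        if found is None:
            findings.append(f"{expected.path}: missing")
            files_ok = False
            continue
        version, data = found
        if parse_version(version) != parse_version(expected.version):
            findings.append(f"{expected.path}: version {version}, expected {expected.version}")
            files_ok = False
        elif sha256_hex(data) != expected.sha256:
            # Version matches (or was bumped) but the bytes are not the vendor's: the
            # "trojan code" case the post raises, invisible to a >= version compare.
            findings.append(f"{expected.path}: version matches but hash differs")
            files_ok = False
    if files_ok:
        # Post's scenario 1a: patch present but Installed value deleted or zeroed.
        return ("INSTALLED" if registry_installed else "INSTALLED_REGISTRY_STALE"), findings
    # Post's scenarios 1b and 2: Installed=1 claimed but nothing backs it up.
    return ("REGISTRY_CLAIM_FALSE" if registry_installed else "MISSING"), findings


def forged_host_snapshot() -> dict:
    """The post's forgery: a Filelist naming Kernel32.dll at version 1.0, and a
    host where kernel32.dll exists at a far higher version (constructed)."""
    return {"C:\\Winnt\\System32\\Kernel32.dll": ("5.0.2195.1", b"constructed kernel32 bytes")}


if __name__ == "__main__":
    forged_filelist = [{"FileName": "Kernel32.dll", "Location": "C:\\Winnt\\System32", "Version": "1.0"}]
    host = forged_host_snapshot()
    print("weak rule accepts forgery:", weak_validate(forged_filelist, host))
    print("baseline audit says:", audit_patch("Q319733", True, host))
```

The baseline approach flags a file whose version is newer than expected as a mismatch too; in practice the baseline would carry every vendor-shipped version of the file so a superseding hotfix is recognised rather than reported. The point the post makes is preserved either way: the decision comes from data the audited host cannot rewrite.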