vendor:
Update to a patched version of Cheyenne Inoculan
by:
I presume). You can write a DLL that executes arbitrary code at the time it is loaded in memory
the avh32dll.dll DLL to replace the existing one (usually in c:\inoculan\avh32dll.dll) and then starts the service again. When the service starts
CVSS
it loads the DLL into memory
Arbitrary Code Execution
before any other function have a chance to be called."
CWE
Product Name: Update to a patched version of Cheyenne Inoculan
Affected Version From:
Affected Version To: Unknown
Patch Exists: HIGH
Related CWE: at the precise time when DllMain is called by the image loader
CPE:
Tags: Windows
CVSS Metrics: https://www.exploit-db.com/raw/19083
Nuclei References:
Cheyenne
Nuclei Metadata: Cheyenne Inoculan
Platforms Tested: NO
and THEN does a lot of stuff (including checking if it is a valid DLL
Arbitrary Code Execution in Cheyenne Inoculan
It is possible to run arbitrary code on any Intel machine running Cheyenne Inoculan version 4.0 for Windows NT prior to SP2. Inoculan runs as a service, called "Cheyenne InocuLAN Anti-Virus Server". When it starts, it replaces any shared directory with the same name and shares "CHEYUPD$" with full control for the everyone group. When the service starts, it does an update check in this directory (usually "C:InoculanUpdate") using the files ""<NtBox>CHEYUPD$EnglishNtIntelReadyfilelist.txt"" and [idem]...avh32dll.dll. Simply ""touching"" or modifying the file ""filelist.txt"" to look younger than real causes the update. The update causes the service to stop
Mitigation:
7.5
