| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Dec 22 20:18:46 2005
From: mattmurphy at kc.rr.com (mattmurphy@...rr.com)
Subject: Privilege escalation in McAfee
VirusScan Enterprise8.0i (patch 11) and CMA 3.5 (patch 5)
Reed Arvin wrote:
>The issue occurs when the naPrdMgr.exe process attempts to run the
>C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. Because of
>a lack of quotes the naPrdMgr.exe process first tries to run
C:\Program.exe.
>If that is not found it tries to run C:\Program Files\Network.exe. When
that
>is not found it finally runs the EntVUtil.EXE file that it was originally
>intending to run. A malicious user can create an application named
>Program.exe and place it on the root of the C:\ and it will be run with
>Local System privileges by the naPrdMgr.exe process. Source code for an
>example Program.exe is listed below.
While I agree this behavior is a bug, it is not a vulnerability. Properly
secured installations of Windows aren't susceptible to this attack because
the ACL on the root of the installation volume denies users other than
Administrators the ability to write to files.
The same ACL is in place on the Program Files directory, for obvious
reasons, and it is inherited by software installations.
Any Windows system without these ACLs in place is vulnerable to a myriad of
attacks -- see Microsoft Security Bulletin MS02-064:
http://www.microsoft.com/technet/security/bulletin/ms02-064.mspx
--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .
Powered by blists - more mailing lists