lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: 15 Sep 2004 04:30:08 -0000
From: "Jérôme" ATHIAS <jerome.athias@...amail.com>
To: bugtraq@...urityfocus.com
Subject: McAfee VirusScan Privilege Escalation Vulnerability [iDEFENSE]




McAfee VirusScan Privilege Escalation Vulnerability

iDEFENSE Security Advisory 09.14.04:

I. BACKGROUND

McAfee VirusScan is a popular real-time virus protection application.
For more information see http://www.mcafee.com.

II. DESCRIPTION

Local exploitation of a design error vulnerability in Networks
Associates Technology Inc.'s McAfee VirusScan could allow attackers to
obtain increased privileges.

The problem specifically exists because SYSTEM privileges are not
dropped when accessing the "System Scan" properties from the System
Tray applet. The vulnerability can be exploited by right-clicking the
System Tray icon, choosing "Properties", selecting "System Scan",
then, from the "Report" tab, selecting "Browse...". The opened file
selected can be abused by navigating to C:\WINDOWS\SYSTEM32\,
right-clicking cmd.exe, then selecting "Open"; doing so spawns a
command shell with SYSTEM privileges.

III. ANALYSIS

Exploitation allows local users to obtain Local System privileges,
thereby providing them with complete control of the affected system.

IV. DETECTION

McAfee VirusScan version 4.5.1 running on Windows 2000 Professional
and Windows XP Professional operating systems is vulnerable. It is
suspected that McAfee VirusScan 4.5 is also vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any workarounds for this issue.

VI. VENDOR FIX

The vendor does not appear to have provided a patch for this issue.
However, due to design changes in the GUI, this vulnerability does not
appear to exist in later versions of the product.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0831 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/12/2004   Initial vendor notification - no response
08/12/2004   iDEFENSE clients notified
09/02/2004   Secondary vendor notification - no response
09/14/2004   Public disclosure

Ian Vitek is credited with this discovery.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ