lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <80115b6905081109301b0bcbaa@mail.gmail.com>
Date: Thu, 11 Aug 2005 09:30:46 -0700
From: Reed Arvin <reedarvin@...il.com>
To: vuln@...unia.com, news@...uriteam.com, bugtraq@...urityfocus.com, 
	full-disclosure@...ts.grok.org.uk
Subject: Privilege escalation in Network Associates
	ePolicy Orchestrator Agent 3.5.0 (patch 3)


Summary:
Privilege escalation in Network Associates ePolicy Orchestrator Agent
3.5.0 (patch 3) (http://www.nai.com/)

Details:
The ePolicy Orchestrator Agent web server (which runs on TCP port 8081
by default and serves the McAfee Agent Activity Log) can be used to
view files that exist on the same partition with LocalSystem level
privileges. On a default windows installation the "C:\Documents and
Settings\All Users\Application Data\Network Associates\Common
Framework\Db" folder (which is created by the EPO agent and is the
folder that serves as the web root for the McAfee Agent Activity Log)
includes the NTFS permission Everyone/Full Control. By using the
Junction tool (from SysInternals) available at
http://www.sysinternals.com/utilities/junction.html one can create a
subfolder in the EPO agent web root directory (as any user) that will
allow any file on the same partition to be viewed with LocalSystem
level privileges.

Vulnerable Versions:
Network Associates ePolicy Orchestrator Agent 3.5.0 (patch 3)

Patches/Workarounds:
The vendor was notified of the issue. There was no response.

Exploits:

1. Logon to a machine running the EPO agent as any user.

2. Using the Juction tool type the following command:

   junction "C:\Documents and Settings\All Users\Application Data\Network
   Associates\Common Framework\Db\Test" C:\

   This creates the equivalent of a virtual folder in the web server root named
   Test that points to C:\

3. Use Internet Explorer to view a restricted file such as:

   http://127.0.0.1:8081/Test/WINDOWS/repair/sam

   The contents of the restricted file will be displayed thanks to the
   LocalSystem account.

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ