Message-ID: <BAY106-F2085CBEE32AA5F8CF1F02994300@phx.gbl>
Date: Thu Dec 22 20:25:02 2005
From: wilder_jeff at msn.com (wilder_jeff Wilder)
Subject: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
How often does McAfee try to run this file?
-Jeff Wilder
CISSP,CCE,C/EH
>From: "mattmurphy@...rr.com" <mattmurphy@...rr.com>
>Reply-To: mattmurphy@...rr.com
>To: full-disclosure@...ts.grok.org.uk
>Subject: RE: [Full-disclosure] Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
>Date: Thu, 22 Dec 2005 15:18:32 -0500
>
>Reed Arvin wrote:
> >The issue occurs when the naPrdMgr.exe process attempts to run the
> >C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. Because
> >of a lack of quotes the naPrdMgr.exe process first tries to run
> >C:\Program.exe. If that is not found it tries to run
> >C:\Program Files\Network.exe. When that is not found it finally runs the
> >EntVUtil.EXE file that it was originally intending to run. A malicious
> >user can create an application named Program.exe and place it on the
> >root of the C:\ and it will be run with Local System privileges by the
> >naPrdMgr.exe process. Source code for an example Program.exe is listed
> >below.
>
>While I agree this behavior is a bug, it is not a vulnerability. Properly
>secured installations of Windows aren't susceptible to this attack because
>the ACL on the root of the installation volume denies users other than
>Administrators the ability to write to files.
>
>The same ACL is in place on the Program Files directory, for obvious
>reasons, and it is inherited by software installations.
>
>Any Windows system without these ACLs in place is vulnerable to a myriad of
>attacks -- see Microsoft Security Bulletin MS02-064:
>
> http://www.microsoft.com/technet/security/bulletin/ms02-064.mspx
>
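The lookup order Reed Arvin describes and the ACL condition Matt Murphy raises, as an added example that is not part of the thread: the first function reproduces the documented CreateProcess search for an unquoted path containing spaces, and the second reports which of those candidates sit in a directory a non-administrator could write to. The writable-directory sets are constructed for illustration, not read from a real ACL.

```python
import ntpath

# The unquoted path from the thread, as a string literal.
UNQUOTED_CMD = r"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE"


def unquoted_path_candidates(cmdline: str) -> list[str]:
    """Executables Windows tries, in order, for an unquoted command line whose
    path contains spaces: each space-delimited prefix is tried first, with
    '.exe' appended when the prefix's last component has no extension."""
    if cmdline.startswith('"'):
        # A quoted path is unambiguous: only the quoted string is tried.
        return [cmdline[1 : cmdline.index('"', 1)]]
    tokens = cmdline.split(" ")
    candidates = []
    for n in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:n])
        if "." not in ntpath.basename(prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def _norm(path: str) -> str:
    # Case-insensitive comparison, trailing backslash ignored (C:\ == C:).
    return ntpath.normcase(path).rstrip("\\")


def hijackable_candidates(cmdline: str, writable_dirs: set[str]) -> list[str]:
    """Candidates whose parent directory is in writable_dirs, i.e. places where
    a non-administrator could plant a file that gets picked up before the
    intended binary. With default ACLs on C:\\ and C:\\Program Files this
    list is empty, which is Matt Murphy's point."""
    writable = {_norm(d) for d in writable_dirs}
    return [c for c in unquoted_path_candidates(cmdline)
            if _norm(ntpath.dirname(c)) in writable]


if __name__ == "__main__":
    print("Lookup order:", *unquoted_path_candidates(UNQUOTED_CMD), sep="\n  ")
    # Hardened: neither C:\ nor C:\Program Files is user-writable.
    print("default ACLs :", hijackable_candidates(UNQUOTED_CMD, set()))
    # Loosened root ACL, the situation MS02-064 addresses.
    print("writable C:\\ :", hijackable_candidates(UNQUOTED_CMD, {"C:\\"}))
```

Run it against each service ImagePath or scheduled command on a host to see which unquoted paths would be resolved through a user-writable directory.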