Bugtraq mailing list archives

Re: Escalation of privileges


From: Nicolas Rachinsky <rnicolas () GMX NET>
Date: Tue, 8 Aug 2000 21:44:42 +0200

Exactly the same problem exists with NetShield 4.0.3 and VirusScan NT 4.0.3 from Network Associates.
Tested on NT4 SP5.
Just replace scan32.exe with e.g. cmd.exe, schedule a scan some minutes in the future, and you'll get a shell running
with more privileges than you had. I don't know yet if the shell is running in the system account or in the account for the
background scanner, because we run it in the system account. I think the latter.
Nicolas
System Administrator
----- Original Message ----- 
From: Chris Foster <frostman () CAROLINA RR COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Monday, August 07, 2000 6:07 PM
Subject: Escalation of privileges


While testing escalation of privileges from a normal user to admin, I found
that in my NTS 4.0/SP6 installation with Norton Antivirus 5.02 installed
this is very simple. Here are the details on how this is done:

1. Log on as a normal user. Try to run windisk from the run prompt and you
should get an access denied.

2. Browse to the root directory for the NAV installation and rename
navlu32.exe to navlu32.old. Create navlu32.exe that executes the command:

net localgroup administrators {name of account to escalate} /ADD

3. Open the Norton Program Scheduler by executing nschednt.exe in the
installation directory. Normal users are restricted as to what they can
run (Display Message, Scan for Viruses, Run LiveUpdate), so just schedule
a LiveUpdate for a couple of minutes ahead. When your scheduled job runs it
will execute your navlu32.exe. Log back on and you now have admin privs and
can execute windisk or whatever you like for that matter.

This works due to the Norton Program Scheduler running with system privs and
a normal user being able to write to the Norton installation directory.

Frostman
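The root cause both posters describe is the same misconfiguration: a directory that ordinary users can write to, but whose binaries a scheduler runs as SYSTEM. The PowerShell audit below is an added example, not code from the thread or from either vendor; it walks an install tree and reports ACEs that grant write, modify or delete rights to broad non-admin principals. The install path and the principal list are assumptions to adjust for the local build.

```powershell
# Added audit script (not from the original thread). Reports directories under an
# application install root where ordinary users could replace or add executables.
param(
    [string]$InstallRoot = 'C:\Program Files\Norton AntiVirus'   # assumed path, adjust
)

# Principals that stand for "any ordinary user" on a typical NT-family box (assumed list).
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user create, overwrite, rename or delete files in a directory.
# Modify and FullControl both contain the Write bits, so they are caught as well.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Delete -bor
               [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles

function Get-BroadWriteAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Only Allow entries matter; Deny entries reduce access.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the root itself plus every subdirectory; scheduler-run binaries may live anywhere below.
$dirs = @(Get-Item -Path $InstallRoot) + @(Get-ChildItem -Path $InstallRoot -Directory -Recurse)
$findings = $dirs | ForEach-Object { Get-BroadWriteAce -Path $_.FullName }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No write, delete or modify access for broad principals under $InstallRoot"
}
```

Any row reported is a directory where the scenario in the thread applies; the fix is to remove the write-capable ACE for that principal (leaving read and execute) so only administrators and SYSTEM can change the binaries the scheduler launches.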


