Full Disclosure mailing list archives
RE: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
From: "wilder_jeff Wilder" <wilder_jeff () msn com>
Date: Thu, 22 Dec 2005 13:24:53 -0700
How often does McAfee try to run this file?

-Jeff Wilder
CISSP, CCE, C/EH

-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M-- V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++ G e* h--- r- y+++*
------END GEEK CODE BLOCK------
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Reply-To: mattmurphy () kc rr com
To: full-disclosure () lists grok org uk
Subject: RE: [Full-disclosure] Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Date: Thu, 22 Dec 2005 15:18:32 -0500
MIME-Version: 1.0
X-Originating-IP: 198.209.77.233
X-URL: http://mail2web.com/

Reed Arvin wrote:
> The issue occurs when the naPrdMgr.exe process attempts to run the
> C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. Because of
> a lack of quotes the naPrdMgr.exe process first tries to run C:\Program.exe.
> If that is not found it tries to run C:\Program Files\Network.exe. When that
> is not found it finally runs the EntVUtil.EXE file that it was originally
> intending to run. A malicious user can create an application named
> Program.exe and place it on the root of the C:\ and it will be run with
> Local System privileges by the naPrdMgr.exe process. Source code for an
> example Program.exe is listed below.

While I agree this behavior is a bug, it is not a vulnerability. Properly secured installations of Windows aren't susceptible to this attack because the ACL on the root of the installation volume denies users other than Administrators the ability to write to files. The same ACL is in place on the Program Files directory, for obvious reasons, and it is inherited by software installations. Any Windows system without these ACLs in place is vulnerable to a myriad of attacks -- see Microsoft Security Bulletin MS02-064: http://www.microsoft.com/technet/security/bulletin/ms02-064.mspx

--------------------------------------------------------------------
mail2web - Check your email from the web at http://mail2web.com/ .

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
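The thread turns on two things: the order in which Windows tries candidate executables for an unquoted path containing spaces (C:\Program.exe, then C:\Program Files\Network.exe, then the intended file), and whether the ACLs on those intermediate directories let a non-administrator create files there. The script below is an added example written for this archive page; it is not code from the thread or from McAfee. It enumerates the candidate paths for a given unquoted command line, checks whether common low-privileged principals hold a Create-files right on each candidate's directory, and optionally applies the same check to every service whose ImagePath is unquoted. The principal names it treats as "low-privileged" and the Win32_Service scan are assumptions for illustration; the EntVUtil.EXE path is the one quoted in the post and need not exist on the machine running the check.

```powershell
# Added example, not code from the list thread. Audits unquoted-path
# candidates and the ACLs on their parent directories from a defender's view.

function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$CommandLine)
    # Each space is a split point: the prefix before it, with ".exe" appended,
    # is tried before the next longer prefix, and the full path comes last.
    $parts = $CommandLine -split ' '
    $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
        ($parts[0..($i - 1)] -join ' ') + '.exe'
    }
    @($candidates) + $CommandLine
}

function Test-LowPrivCanCreateFiles {
    param([Parameter(Mandatory)][string]$Directory)
    # Principals assumed to represent ordinary, non-administrative users.
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # CreateFiles (WriteData) on the directory is what a planted
        # Program.exe would need; folder creation alone is not enough.
        if (($ace.FileSystemRights -band $createFiles) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedPathRisk {
    param([Parameter(Mandatory)][string]$CommandLine)
    $candidates = Get-UnquotedPathCandidates -CommandLine $CommandLine
    if ($candidates.Count -lt 2) { return }   # no spaces, nothing to split on
    # Every candidate except the last is a location Windows probes before
    # reaching the intended executable.
    foreach ($candidate in $candidates[0..($candidates.Count - 2)]) {
        $dir = Split-Path -Parent $candidate
        [pscustomobject]@{
            Candidate        = $candidate
            Directory        = $dir
            LowPrivCanCreate = Test-LowPrivCanCreateFiles -Directory $dir
        }
    }
}

function Get-UnquotedServicePathRisk {
    # Assumed scan: services whose ImagePath is unquoted and has a space in
    # the executable portion. Requires rights to read service definitions.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { continue }
        if ($p -notmatch '^(?<exe>.*?\.exe)') { continue }
        $exe = $Matches.exe
        if ($exe -notmatch ' ') { continue }
        foreach ($r in Get-UnquotedPathRisk -CommandLine $exe) {
            $r | Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
        }
    }
}

# The path reported in the thread; only the directories it implies are inspected.
Get-UnquotedPathRisk -CommandLine 'C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE' |
    Format-Table -AutoSize

# Uncomment to check every unquoted service path on this host:
# Get-UnquotedServicePathRisk | Format-Table -AutoSize
```

A row whose LowPrivCanCreate column is True is exactly the condition Matt Murphy describes as a misconfigured system: the candidate directory accepts files from ordinary users, so the unquoted path becomes exploitable. On a default install the check on C:\ and C:\Program Files should report False, which is the point of the reply; the fix on hosts where it reports True is to restore the expected ACLs rather than to rely on every product quoting its paths.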
Current thread:
- RE: Privilege escalation in McAfee VirusScan Enterprise8.0i (patch 11) and CMA 3.5 (patch 5) mattmurphy () kc rr com (Dec 22)
- RE: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5) wilder_jeff Wilder (Dec 22)