Full Disclosure mailing list archives

RE: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)


From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Thu, 22 Dec 2005 15:18:32 -0500

Reed Arvin wrote:
The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. Because of
a lack of quotes the naPrdMgr.exe process first tries to run
C:\Program.exe.
If that is not found it tries to run C:\Program Files\Network.exe. When that
is not found it finally runs the EntVUtil.EXE file that it was originally
intending to run. A malicious user can create an application named
Program.exe and place it on the root of the C:\ and it will be run with
Local System privileges by the naPrdMgr.exe process. Source code for an
example Program.exe is listed below.

While I agree this behavior is a bug, it is not a vulnerability.  Properly
secured installations of Windows aren't susceptible to this attack because
the ACL on the root of the installation volume denies users other than
Administrators the ability to write to files.

The same ACL is in place on the Program Files directory, for obvious
reasons, and it is inherited by software installations.

Any Windows system without these ACLs in place is vulnerable to a myriad of
attacks -- see Microsoft Security Bulletin MS02-064:

    http://www.microsoft.com/technet/security/bulletin/ms02-064.mspx
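As an added illustration (not part of either poster's message), the following Python models the path resolution both posts describe: each space in an unquoted command line is a possible end of the program name, and a name without an extension gets ".exe" appended. The set of user-writable directories is a constructed input standing in for the ACL check Matt describes; on a real host it would come from the volume's ACLs.

```python
import ntpath

# Constructed sample: the unquoted command line from the original post.
UNQUOTED_CMD = r"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE"


def search_candidates(command_line):
    """Return the executables tried, in order, when an unquoted command line
    containing spaces is passed to CreateProcess. Each space may terminate the
    program name; a candidate without an extension gets '.exe' appended."""
    parts = command_line.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if not ntpath.splitext(candidate)[1]:
            candidate += ".exe"
        candidates.append(candidate)
    return candidates


def _norm(path):
    # Case-insensitive comparison with trailing backslashes dropped.
    return path.rstrip("\\").lower()


def hijackable(candidates, user_writable_dirs):
    """Candidates tried *before* the intended target whose directory a
    non-administrator can write to. user_writable_dirs is a stand-in for the
    ACL audit (constructed input here, not read from a live system)."""
    writable = {_norm(d) for d in user_writable_dirs}
    return [c for c in candidates[:-1] if _norm(ntpath.dirname(c)) in writable]


if __name__ == "__main__":
    cands = search_candidates(UNQUOTED_CMD)
    print("Search order:")
    for c in cands:
        print("  ", c)
    # Misconfigured host: Everyone can write to the volume root.
    print("Hijackable (root writable):", hijackable(cands, {"C:\\"}))
    # Host hardened as in MS02-064: no intermediate path is user-writable.
    print("Hijackable (default ACLs): ", hijackable(cands, set()))
```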



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

