Subject: Re: Escalation of privileges
From: Nicolas Rachinsky (rnicolasGMX.NET)
Date: Tue Aug 08 2000 - 14:44:42 CDT


Exactly the same problem exists with NetShield 4.0.3 and VirusScan NT 4.0.3 from Network Associates.
Tested on NT4 SP5.
Just replace scan32.exe with e.g. cmd.exe, schedule a scan some minutes in the future, and you'll get a shell running with more privileges than you had. I don't know yet if the shell is running in the system account or the account for the background scanner, because we run it in the system account. I think the latter one.
Nicolas
System Administrator
----- Original Message -----
From: Chris Foster <frostmanCAROLINA.RR.COM>
To: <BUGTRAQSECURITYFOCUS.COM>
Sent: Monday, August 07, 2000 6:07 PM
Subject: Escalation of privileges

> While testing escalation of privileges from a normal user to admin I found
> that in my NTS 4.0/SP6 installation with Norton Antivirus 5.02 installed
> this is very simple. Here are the details on how this is done:
>
> 1. Logon as a normal user. Try to run windisk from the run prompt and you
> should get an access denied.
>
> 2. Browse to the root directory for the NAV installation and rename
> navlu32.exe to navlu32.old. Create navlu32.exe that executes the command:
>
> net localgroup administrators {name of account to escalate} /ADD
>
> 3. Open the Norton Program Scheduler by executing nschednt.exe in the
> installation directory. Since normal users are restricted as to what they
> can run (Display Message, Scan for Viruses, Run LiveUpdate), just schedule
> a LiveUpdate for a couple of mins ahead. When your scheduled job runs it
> will execute your navlu32.exe. Log back on and you now have admin privs and
> can execute windisk or whatever you like for that matter.
>
> This works due to the Norton Program Scheduler running with system privs and
> a normal user being able to write to the Norton installation directory.
>
> Frostman
>
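The root cause named in both messages is the same: a scheduler service runs as SYSTEM out of a directory that ordinary users can write to, so any executable in that directory is effectively SYSTEM-controlled. The following PowerShell audit is an added example for this archive page, not code from either poster or from the vendors mentioned; it walks an install directory and its executables and reports Allow ACEs that grant write, delete or permission-change rights to low-privilege principals. The install path is a placeholder, and the list of principals treated as low-privilege is an assumption you should extend for your own environment (e.g. custom groups that contain all staff).

```powershell
# Added audit script (not part of the Bugtraq thread): find install
# directories and binaries that unprivileged users can replace.
$InstallDir = 'C:\Program Files\ExampleAV'   # placeholder path, substitute the real one

# Principals assumed to be low-privilege; extend for site-specific groups.
$LowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow a caller to add, replace or remove files, or to rewrite
# the ACL itself. Modify and FullControl are supersets of these bits, so a
# bitwise test against this mask catches them too.
$Rights = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $Rights::WriteData -bor $Rights::AppendData -bor $Rights::Delete `
           -bor $Rights::ChangePermissions -bor $Rights::TakeOwnership

function Get-WeakAccessRule {
    # Returns one object per Allow ACE on $Path that gives a low-privilege
    # principal any of the rights in $WriteMask; returns nothing if the ACL is clean.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

# Audit the directory itself (where a new file could be dropped) and every
# executable or library under it (which could be overwritten in place).
$targets = @($InstallDir) + (Get-ChildItem -LiteralPath $InstallDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object { $_.FullName })

$findings = foreach ($t in $targets) { Get-WeakAccessRule -Path $t }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} weak ACE(s) found under {1}" -f $findings.Count, $InstallDir)
} else {
    Write-Output "No write access for low-privilege principals under $InstallDir"
}
```

Run it in an elevated prompt so Get-Acl can read every object. A finding with Inherited = True usually means the parent of the install directory is the real problem, and fixing the parent clears the whole tree; an explicit non-inherited ACE points at something the installer or an administrator set on purpose. Some ACEs written by older installers carry generic rights as raw integers rather than named enum values, so if the table shows a numeric Rights column, inspect that entry by hand rather than assuming the mask test was exhaustive.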