 
jari.helenius_at_mawaron.com
Date: Fri Nov 29 2002 - 00:59:22 CST


    Potential security vulnerability in Network Associates McAfee VirusScan
    4.5.1sp1: ability to run code of the attacker's choice

    BACKGROUND
    If Download Scan or Internet Filter is enabled, the program uses the
    WebScanX.exe module. While running, WebScanX.exe also hooks into
    explorer.exe.

    If the %HOMEDRIVE%, %HOMEPATH% and %HOMESHARE% variables point to a
    network share, and possibly even if they point to a local disk, the
    following takes place. (I refer to the location these variables designate
    as the home directory.)

    DESCRIPTION
    Opening Explorer and browsing the local hard disk (for example c:\winnt)
    creates network traffic: WebScanX tries to locate various DLL files in the
    user's home directory. At least the following DLLs have been seen in a
    network traffic capture: Mswsock.dll, regemul.dll, msjava.dll, psapi.dll,
    setupapi.dll, browseui.dll. Each of the other DLLs is requested once or
    twice, but browseui.dll approximately 60 times when the winnt\system32
    folder is opened in explorer.exe.

    All of these DLLs legitimately reside in the winnt\system32 folder.

    VirusScan and WebScanX run in the LocalSystem context.

    The user may have only limited access to local resources, but normally
    has full control over his home directory.

    I have not researched why WebScanX tries to locate those DLLs in the home
    directory, but it probably uses them to do something. If the DLLs are not
    needed by WebScanX, the behaviour is even odder than it already is.

    At this point all a malicious user has to do is research WebScanX's
    behaviour, create a modified version of one of the requested DLLs and
    place it in the user's home directory. The process running as LocalSystem
    then loads the modified DLL, which runs with the highest privileges
    possible on the local computer. This can be carried out by a Trojan
    program as well.
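    The following is an added example and not part of the original advisory:
    a small Python audit over file-access events of the kind a network
    capture or a file-system monitor would show. The four-column CSV format,
    the server and share names, the account strings and the sample lines are
    all constructed for the example. It separates lookups that a LocalSystem
    process makes in the user's home directory into "hijackable" (the DLL was
    not found there, so a user could supply one) and "planted" (a file by
    that name already exists there), and ignores the same lookups when made
    by a process running as the ordinary user.

```python
"""Audit DLL lookups a LocalSystem process makes in a user-writable home directory.

Added example; the log format and all names below are constructed, not taken
from a real capture of WebScanX.exe.
"""
import csv
import io
import ntpath
from collections import Counter
from dataclasses import dataclass

# DLL names the advisory saw WebScanX.exe request from the home directory.
WATCHED_DLLS = {
    "mswsock.dll", "regemul.dll", "msjava.dll",
    "psapi.dll", "setupapi.dll", "browseui.dll",
}

# Only lookups made under a privileged account turn a planted DLL into an
# escalation; a lookup by the interactive user's own explorer.exe does not.
PRIVILEGED_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "SYSTEM"}


@dataclass(frozen=True)
class FileEvent:
    process: str
    account: str
    path: str
    result: str  # "SUCCESS" or "NAME NOT FOUND" (monitor-style result codes)


def parse_events(text):
    """Parse constructed 'process,account,path,result' CSV lines."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:          # blank or malformed line
            continue
        process, account, path, result = (field.strip() for field in row)
        events.append(FileEvent(process, account, path, result))
    return events


def is_under(path, root):
    """True if path lies inside root; case-insensitive, Windows separators, UNC-aware."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    return p == r or p.startswith(r.rstrip("\\") + "\\")


def classify(event, home_dir, system_dir):
    """Return 'hijackable', 'planted', or None for a benign event.

    hijackable: a privileged process looked for a watched DLL in the user's
                home directory and did not find it, so the user can supply one.
    planted:    the same lookup, but a file by that name already exists there.
    """
    name = ntpath.basename(event.path).lower()
    if name not in WATCHED_DLLS:
        return None
    if event.account.upper() not in PRIVILEGED_ACCOUNTS:
        return None
    if is_under(event.path, system_dir):
        return None                # the legitimate copy in winnt\system32
    if not is_under(event.path, home_dir):
        return None                # some other location; out of scope here
    return "planted" if event.result.upper() == "SUCCESS" else "hijackable"


def audit(text, home_dir, system_dir):
    """Group findings by label and count lookups per DLL name."""
    findings = {"hijackable": [], "planted": []}
    per_dll = Counter()
    for ev in parse_events(text):
        label = classify(ev, home_dir, system_dir)
        if label:
            findings[label].append(ev)
            per_dll[ntpath.basename(ev.path).lower()] += 1
    return findings, per_dll


# Constructed sample: a home directory on a network share, one DLL already
# present there, and one lookup made by the user's own explorer.exe.
SAMPLE_LOG = r"""
WebScanX.exe,NT AUTHORITY\SYSTEM,\\fileserver\homes\jari\browseui.dll,NAME NOT FOUND
WebScanX.exe,NT AUTHORITY\SYSTEM,\\fileserver\homes\jari\browseui.dll,NAME NOT FOUND
WebScanX.exe,NT AUTHORITY\SYSTEM,\\fileserver\homes\jari\psapi.dll,NAME NOT FOUND
WebScanX.exe,NT AUTHORITY\SYSTEM,C:\WINNT\system32\browseui.dll,SUCCESS
WebScanX.exe,NT AUTHORITY\SYSTEM,\\fileserver\homes\jari\setupapi.dll,SUCCESS
explorer.exe,CORP\jari,\\fileserver\homes\jari\msjava.dll,NAME NOT FOUND
WebScanX.exe,NT AUTHORITY\SYSTEM,\\fileserver\homes\jari\readme.txt,SUCCESS
"""

HOME_DIR = r"\\fileserver\homes\jari"     # assumed home share for the example
SYSTEM_DIR = r"C:\WINNT\system32"

if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG, HOME_DIR, SYSTEM_DIR)
    for label, events in found.items():
        for ev in events:
            print(f"{label:10s} {ev.process} as {ev.account}: {ev.path}")
    print("lookups per DLL in home directory:", dict(counts))
```

    The "planted" result is the one to act on when auditing a machine where
    this behaviour is suspected: a watched DLL that already exists in the
    home directory and is being opened by a LocalSystem process is exactly
    the situation the advisory describes. The account filter is what keeps
    the audit from flagging the ordinary user's own Explorer session.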

    ENVIRONMENT
    This behaviour was seen with W2K SP2 and W2K SP3, IE 5.5 SP2 plus
    rollups, and McAfee VirusScan 4.5.1sp1 with Scan Engine 4.1.60. Older
    versions might also be vulnerable.
    WinXP was not tested.

    OTHER INFORMATION
    Network Associates was informed of this problem on 28.10.2002, because it
    slows computers down and generates unnecessary network load, especially
    over slow WAN links.

    On 20.11.2002, Network Associates answered:
    QUOTE
    “WebscanX creates some extra overhead for scanning - since it also hooks
    Explorer.
    I would suggest disabling the component, as there won't be a way to stop
    those requests if it's for scanning.
    Note: WebscanX also hooks Explorer because it can be used for browsing the
    Web.

    Customers need to be aware that this functionality is largely redundant,
    and is optional for layered VirusScan protection - but is not necessary.”
    END OF QUOTE

    On the same day (20.11.2002) Network Associates was also informed of the
    security aspect of this behaviour. Network Associates has not contacted
    us since.

    Yours
    Jari Helenius
    Mawaron Oy
    jari.helenius@mawaron.com