Subject: Registry permissions insecurity in McAfee VirusScan
From: Jesper M. Johansson (jjohanss BU.EDU)
Date: Mon Apr 17 2000 - 11:15:01 CDT
This was submitted to McAfee Friday morning. No response yet, in spite of
their 24-hour turn-around policy.
---
The SHSTAT.EXE component of Virus Scan that launches when a user logs on
attempts to access the registry with too high a permission. It accesses the
following key:

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\McAfee\VirusScan\McShield\CURRENTVERSION

with Set Value and Create Sub-Key permissions. By default under Windows 2000
Professional, members of the Users group have only read permissions on this
key. This causes SHSTAT.EXE to fail when the user logs on and throw up a
dialog that says "Unable to access local server".

If you audit failed accesses to this key in the registry, you get the
following Security Event Log entry:

---
Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/14/2000
Time: 7:46:30 AM
User: <DOMAIN>\<USER>
Computer: <COMPUTER>
Description:
Object Open:
    Object Server: Security
    Object Type: Key
    Object Name: \REGISTRY\MACHINE\SOFTWARE\McAfee\VirusScan\McShield\CURRENTVERSION
    New Handle ID: -
    Operation ID: {0,972168}
    Process ID: 1168
    Primary User Name: <USER>
    Primary Domain: <DOMAIN>
    Primary Logon ID: (0x0,0xC2A75)
    Client User Name: -
    Client Domain: -
    Client Logon ID: -
    Accesses READ_CONTROL
        Query key value
        Set key value
        Create sub-key
        Enumerate sub-keys
        Notify about changes to keys
    Privileges -
---

It is unclear why SHSTAT.EXE would need set value and create sub-key
permission on this key. Furthermore, it is highly undesirable from a security
standpoint to allow ordinary users set value permission on this sub-key since
the key contains the list of items to exclude from scanning, the list of
extensions considered to be programs, and other sensitive information.
Jesper M. Johansson
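
Added example, not part of the original post or of any vendor tooling: a small Python parser for the Event ID 560 text shown above that reports which write rights were requested on the McShield key and whether the audit was a failure (denied, as in the post) or a success (the key's ACL has been loosened). The function names and the WRITE_DAC, WRITE_OWNER and DELETE entries are assumptions added here; the sample event is constructed from the entry in the post.

```python
# Constructed sample: a subset of the fields from the Event 560 entry in the post.
SAMPLE_EVENT = r"""Event Type: Failure Audit
Event ID: 560
Object Type: Key
Object Name: \REGISTRY\MACHINE\SOFTWARE\McAfee\VirusScan\McShield\CURRENTVERSION
Process ID: 1168
Accesses READ_CONTROL
    Query key value
    Set key value
    Create sub-key
    Enumerate sub-keys
    Notify about changes to keys
Privileges -
"""

WATCHED_KEY = r"\REGISTRY\MACHINE\SOFTWARE\McAfee\VirusScan\McShield"
# The first two names appear in the post; the other three are standard rights (assumption).
WRITE_ACCESSES = {"Set key value", "Create sub-key", "WRITE_DAC", "WRITE_OWNER", "DELETE"}

def parse_event(text):
    """Split an event description into 'Name: value' fields plus the Accesses list."""
    fields, accesses, in_accesses = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Accesses"):
            in_accesses = True                      # first right shares the header line
            line = line[len("Accesses"):].strip(" :\t")
        elif line.startswith("Privileges"):
            in_accesses = False                     # end of the Accesses list
            continue
        if in_accesses:
            if line:
                accesses.append(line)
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["Accesses"] = accesses
    return fields

def write_requests(text, watched=WATCHED_KEY):
    """Return (audit type, write rights) for a 560 event under the watched key, else None."""
    ev = parse_event(text)
    if ev.get("Event ID") != "560":
        return None
    if not ev.get("Object Name", "").upper().startswith(watched.upper()):
        return None
    writes = [a for a in ev["Accesses"] if a in WRITE_ACCESSES]
    return (ev.get("Event Type"), writes) if writes else None

if __name__ == "__main__":
    print(write_requests(SAMPLE_EVENT))
```
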