OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Elevation of Privileges Exploit with McAfee VirusScan 4.5
From: Richard Fry (RichardFryHALIFAX.CO.UK)
Date: Fri Nov 03 2000 - 04:15:24 CST


Details of Exploit.
=============

Create a VB Executable which does what ever it is that you want it to do
(create new users, elevate permissions etc.).

Call the file COMMON.EXE

Place this executable in "C:\Program Files" (the default installation
permissions for this directory are Everyone Full Control).

Wait for a reboot (or restart the McShield Service)

The Service Control manager will pick up the file COMMON.EXE and run it as
Local System, the rest of the path name is passed as an argument to the
COMMON.EXE application so if you are feeling generous you can pass control
to the original application :)

This is due partly to a feature in the SCM but more to an oversight on the
part
of NAI. They have omitted the quotes around a long file name in the service
key.
(ImagePath=C:\Program Files\Common Files\Network
Associates\McShield\McShield.exe)

This works on NT4 SP3 -> SP6a and Windows 2000 - Microsoft are aware of this
and are unlikely to do anything further.

NAI have agreed that this is a problem and it has been addressed in SP1 of
the
VirusScan Product

WorkAround
=========

Place quotes around the image path for the McShield, AvSyncMgr Service

or

Install Service Pack 1 for Virus Scan

or

Change default permissions on "C:\Program Files" and "C:\Program
Files\Common Files" can only be written by Local Admin.

--

Richard Fry Snr Technical Infrastructure Analyst MCP CCSE CCSA CCMA Systems Management Exploitation Halifax plc RichardFryhalifax.co.uk DDI : 01422 830227 FAX : 01422 830400 Mobile: 07768 568029 Postal Ref : CY/W1/GTS/S&SME/Z5-48

------------------------------------------------------------------------------ Part of the Halifax Group, Halifax Group plc, Registered in England No. 2367076. Registered Office: Trinity Road, Halifax, West Yorkshire HX1 2RG. Represents only the Halifax Financial Services Marketing Group for the purposes of advising on and selling life assurance, pensions and unit trust business. The Marketing Group is regulated by the Personal Investment Authority. Switchboard 01422 333333.

==============================================================================