Subject: Elevation of Privileges Exploit with McAfee VirusScan 4.5
From: Richard Fry (RichardFryHALIFAX.CO.UK)
Date: Fri Nov 03 2000 - 04:15:24 CST

Details of Exploit.

Create a VB Executable which does whatever it is that you want it to do
(create new users, elevate permissions etc.).

Call the file COMMON.EXE

Place this executable in "C:\Program Files" (the default installation
permissions for this directory are Everyone Full Control).

Wait for a reboot (or restart the McShield Service)

The Service Control manager will pick up the file COMMON.EXE and run it as
Local System, the rest of the path name is passed as an argument to the
COMMON.EXE application so if you are feeling generous you can pass control
to the original application :)

This is due partly to a feature in the SCM but more to an oversight on the
part of NAI. They have omitted the quotes around a long file name in the service
(ImagePath=C:\Program Files\Common Files\Network

This works on NT4 SP3 -> SP6a and Windows 2000 - Microsoft are aware of this
and are unlikely to do anything further.

NAI have agreed that this is a problem and it has been addressed in SP1 of
VirusScan Product


Place quotes around the image path for the McShield, AvSyncMgr Service


Install Service Pack 1 for Virus Scan


Change default permissions on "C:\Program Files" and "C:\Program
Files\Common Files" so that they can only be written by Local Admin.


Richard Fry Snr Technical Infrastructure Analyst MCP CCSE CCSA CCMA Systems Management Exploitation Halifax plc RichardFryhalifax.co.uk DDI : 01422 830227 FAX : 01422 830400 Mobile: 07768 568029 Postal Ref : CY/W1/GTS/S&SME/Z5-48

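An audit for the condition described in the message above, as an added example that is not part of the original post: it flags unquoted ImagePath values containing spaces, lists the executable names Windows may try before the intended one, the directories whose write permissions therefore matter, and the quoted form of the value. The service names and paths are constructed samples, and the function names are hypothetical.

```python
import ntpath
import re

# Constructed sample data (service name -> ImagePath); not values from the post.
SAMPLE_SERVICES = {
    "SampleScanSvc": r"C:\Program Files\Example Vendor\Sample Service\svc.exe /run",
    "QuotedSvc": r'"C:\Program Files\Example Vendor\Sample Service\svc.exe" /run',
    "SystemSvc": r"C:\WINNT\system32\svc.exe -k run",
}

def shadow_candidates(image_path):
    """Executables Windows may try before the intended one (empty list = safe)."""
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted: the program name is unambiguous
    found = []
    # Every space is a point where the string can be read as "program arguments".
    # Simplification: assumes the intended binary ends in .exe.
    for m in re.finditer(" ", path):
        prefix = path[:m.start()]
        if prefix.lower().endswith(".exe"):
            break  # reached the intended binary; the rest is real arguments
        found.append(prefix + ".exe")
    return found

def quoted_form(image_path):
    """Return the ImagePath with quotes around the executable, arguments kept."""
    path = image_path.strip()
    m = re.match(r"^(.*?\.exe)(\s.*)?$", path, re.IGNORECASE)
    if path.startswith('"') or not m:
        return image_path
    return '"%s"%s' % (m.group(1), m.group(2) or "")

def audit(services):
    """Map each affected service to its candidates, directories and fixed value."""
    report = {}
    for name, image_path in services.items():
        cands = shadow_candidates(image_path)
        if cands:
            report[name] = {
                "candidates": cands,
                "dirs_to_lock_down": sorted({ntpath.dirname(c) for c in cands}),
                "fixed_image_path": quoted_form(image_path),
            }
    return report

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_SERVICES).items():
        print(name, finding)
```

On a real host the input dictionary would be built from the ImagePath value of each service key under HKLM\SYSTEM\CurrentControlSet\Services.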