Bugtraq mailing list archives

Potential Vuln in McAfee VirusScan 451


From: <jari.helenius () mawaron com>
Date: Fri, 29 Nov 2002 08:59:22 +0200 (EET)

Potential security vulnerability in the Network Associates McAfee VirusScan
4.5.1sp1 product, giving an attacker the ability to run code of their choice

BACKGROUND
If Download Scan or Internet Filter is enabled, the program uses the WebScanX.exe
module. When running, WebScanX.exe is also hooked into explorer.exe.

If the %HOMEDRIVE%, %HOMEPATH% and %HOMESHARE% variables point to a network
location (and possibly even if they point to a local disk), the following
takes place. (I refer to the location these variables point to as the home directory.)

DESCRIPTION
Opening Explorer and browsing a local hard disk, e.g. c:\winnt, generates
network traffic: WebScanX tries to locate various DLL files in the user's
home directory. At least the following DLLs have been seen in a network
traffic capture: Mswsock.dll, regemul.dll, msjava.dll, psapi.dll,
setupapi.dll, browseui.dll. The other DLLs are requested once or twice, but
browseui.dll approximately 60 times when opening the winnt\system32 folder in
explorer.exe.

All of these DLLs are located in the winnt\system32 folder.

VirusScan and WebScanX run in the LocalSystem context.

The user may have only limited access to local resources, but normally has
full control of their home directory.

I have not researched why WebScanX tries to locate those DLLs in the
home directory, but it probably uses those DLLs to do something. If the DLLs are
not needed by WebScanX, the behaviour is even more odd than it is now.

At this point all a malicious user has to do is research WebScanX's
behaviour, create a modified version of one of the called DLLs and place it in
the user's home directory. This gives the process running as LocalSystem access
to the modified DLL and an opportunity to run it with the highest privileges
possible (as seen from the local computer). This action can be carried out
by a Trojan program as well.
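One way a defender can spot this class of exposure in a file-access trace, as an added example that is not part of the original post or of the McAfee product: the script below parses constructed Process Monitor-style CSV lines and reports every DLL lookup that a LocalSystem process made outside the trusted system directories, graded by whether the lookup only probed (NAME NOT FOUND) or actually opened a DLL there (SUCCESS). The log layout, the server, share, account and process names, and the TRUSTED_DIRS and PRIVILEGED_ACCOUNTS sets are assumptions made for the example.

```python
"""Flag DLL lookups by a privileged process outside trusted system directories.

Added example, not part of the advisory or of the product it describes: it
reads a file-access trace and reports DLL lookups that a LocalSystem process
made in a location the logged-on user can write to, i.e. the exposure the
advisory describes (WebScanX probing the user's home directory).
"""
import csv
import io
import ntpath
from collections import Counter

# Directories a LocalSystem process may legitimately load DLLs from.
# Assumption: a standard Windows 2000 layout, as in the advisory (winnt\system32).
TRUSTED_DIRS = {r"c:\winnt", r"c:\winnt\system32"}

# Accounts whose DLL loads matter most: a DLL planted on their search path
# would execute with their rights.
PRIVILEGED_ACCOUNTS = {r"nt authority\system"}

# Constructed sample in the shape of a Process Monitor CSV export with the
# User column shown. Server, share, account names and timestamps are invented.
SAMPLE_LOG = r"""Time,Process,PID,User,Operation,Path,Result
08:59:22.001,WebScanX.exe,1234,NT AUTHORITY\SYSTEM,CreateFile,\\fileserv\home\jari\browseui.dll,NAME NOT FOUND
08:59:22.002,WebScanX.exe,1234,NT AUTHORITY\SYSTEM,CreateFile,C:\WINNT\system32\browseui.dll,SUCCESS
08:59:22.003,WebScanX.exe,1234,NT AUTHORITY\SYSTEM,CreateFile,\\fileserv\home\jari\psapi.dll,NAME NOT FOUND
08:59:22.004,WebScanX.exe,1234,NT AUTHORITY\SYSTEM,CreateFile,\\fileserv\home\jari\browseui.dll,NAME NOT FOUND
08:59:22.005,explorer.exe,2345,CORP\jari,CreateFile,\\fileserv\home\jari\browseui.dll,NAME NOT FOUND
08:59:22.006,WebScanX.exe,1234,NT AUTHORITY\SYSTEM,CreateFile,\\fileserv\home\jari\msjava.dll,SUCCESS
08:59:22.007,WebScanX.exe,1234,NT AUTHORITY\SYSTEM,CreateFile,C:\WINNT\system32\setupapi.dll,SUCCESS
08:59:22.008,WebScanX.exe,1234,NT AUTHORITY\SYSTEM,RegQueryValue,HKLM\SOFTWARE\Example,SUCCESS
"""


def find_hijackable_loads(csv_text, trusted_dirs=TRUSTED_DIRS,
                          privileged=PRIVILEGED_ACCOUNTS):
    """Return one finding per DLL lookup a privileged process made outside trusted_dirs."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue                      # only file opens describe the DLL search
        path = row["Path"]
        if not path.lower().endswith(".dll"):
            continue
        if ntpath.dirname(path).lower() in trusted_dirs:
            continue                      # loaded from a protected system directory
        if row["User"].lower() not in privileged:
            continue                      # same search path, but nothing to gain from it
        # NAME NOT FOUND: the process looked outside the system directories and
        # found nothing yet (a hijackable search order). SUCCESS: a DLL outside
        # the system directories was actually opened, which needs immediate review.
        severity = "high" if row["Result"] == "SUCCESS" else "medium"
        findings.append({
            "time": row["Time"],
            "process": row["Process"],
            "user": row["User"],
            "dll": ntpath.basename(path).lower(),
            "path": path,
            "result": row["Result"],
            "severity": severity,
        })
    return findings


def probe_counts(findings):
    """How often each DLL was looked up outside trusted dirs (cf. ~60x browseui.dll above)."""
    return Counter(f["dll"] for f in findings)


if __name__ == "__main__":
    hits = find_hijackable_loads(SAMPLE_LOG)
    for hit in hits:
        print(f'{hit["severity"]:6} {hit["process"]} as {hit["user"]} '
              f'-> {hit["path"]} ({hit["result"]})')
    print("probe counts:", dict(probe_counts(hits)))
```

The same check works on a real Process Monitor export once the column names match: the interesting rows are the NAME NOT FOUND probes that precede the eventual SUCCESS in winnt\system32, because every one of them is a location where a user-controlled file would be picked up first.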

ENVIRONMENT
This behaviour was seen with W2K SP2 and W2K SP3, IE 5.5 SP2 plus rollups, and
McAfee VirusScan 4.5.1sp1 with Scan Engine 4.1.60. Other, older versions
might also be vulnerable.
WinXP was not tested.

OTHER INFORMATION
Network Associates was informed of this problem on 28.10.2002, because
it slows computers down and generates unnecessary network load,
especially over slow WAN links.

On 20.11.2002, Network Associates answered:
QUOTE
“WebscanX creates some extra overhead for scanning - since it also hooks
Explorer.
I would suggest disabling the component, as there won't be a way to stop
those requests if it's for scanning.
Note: WebscanX also hooks Explorer because it can be used for browsing the
Web.

Customers need to be aware that this functionality is largely redundant,
and is optional for layered VirusScan protection - but is not necessary.”
END OF QUOTE

On the same day (20.11.2002) Network Associates was also informed of the
security aspect of this behaviour. Network Associates hasn't
contacted us since.

Yours
Jari Helenius
Mawaron Oy
jari.helenius () mawaron com