RE: Privilege escalation in McAfeeVirusScan Enterprise8.0i (patch 11) and CMA 3.5 (patch 5)

["wilder_jeff Wilder" <wilder_jeff () msn com>]

How often does McAfee try to run this file?


-Jeff Wilder
CISSP,CCE,C/EH



-----BEGIN GEEK CODE BLOCK-----
 Version: 3.1
        GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M--
        V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++
        G e* h--- r- y+++*
------END GEEK CODE BLOCK------





> From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
> Reply-To: mattmurphy () kc rr com
> To: full-disclosure () lists grok org uk
> Subject: RE: [Full-disclosure] Privilege escalation in 
> McAfeeVirusScan	Enterprise8.0i (patch 11) and CMA 3.5 (patch 5)
> Date: Thu, 22 Dec 2005 15:18:32 -0500
> MIME-Version: 1.0
> X-Originating-IP: 198.209.77.233
> Received: from bay0-mc10-f7.bay0.hotmail.com ([65.54.245.47]) by 
> imc1-s36.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 22 Dec 2005 
> 12:19:06 -0800
> Received: from lists.grok.org.uk ([195.184.125.51]) by 
> bay0-mc10-f7.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 22 
> Dec 2005 12:19:05 -0800
> Received: from lists.grok.org.uk (localhost [127.0.0.1])by 
> lists.grok.org.uk (Postfix) with ESMTP id A5AF5A69;Thu, 22 Dec 2005 
> 20:18:49 +0000 (GMT)
> Received: from xrelay01.mail2web.com (xrelay01.mail2web.com 
> [168.144.1.52])by lists.grok.org.uk (Postfix) with ESMTP id 7DB6096Bfor 
> <full-disclosure () lists grok org uk>;Thu, 22 Dec 2005 20:18:35 +0000 (GMT)
> Received: from [168.144.251.153] (helo=M2W047.mail2web.com)by 
> xrelay01.mail2web.com with smtp (Exim 4.50) id 1EpWtU-0005h8-GXfor 
> full-disclosure () lists grok org uk; Thu, 22 Dec 2005 15:18:34 -0500
> X-Message-Info: 6sSXyD95QpUNcxZ19OmqjaTdH3I6TH9jnIBlqgClG1I=
> X-Original-To: full-disclosure () lists grok org uk
> Delivered-To: full-disclosure () lists grok org uk
> X-URL: http://mail2web.com/
> X-BeenThere: full-disclosure () lists grok org uk
> X-Mailman-Version: 2.1.5
> Precedence: list
> List-Id: An unmoderated mailing list for the discussion of security 
> issues<full-disclosure.lists.grok.org.uk>
> List-Unsubscribe: 
> <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
> <mailto:full-disclosure-request () lists grok org uk?subject=unsubscribe>
> List-Archive: <http://lists.grok.org.uk/pipermail/full-disclosure>
> List-Post: <mailto:full-disclosure () lists grok org uk>
> List-Help: <mailto:full-disclosure-request () lists grok org uk?subject=help>
> List-Subscribe: 
> <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
> <mailto:full-disclosure-request () lists grok org uk?subject=subscribe>
> Errors-To: full-disclosure-bounces () lists grok org uk
> Return-Path: full-disclosure-bounces () lists grok org uk
> X-OriginalArrivalTime: 22 Dec 2005 20:19:06.0240 (UTC) 
> FILETIME=[F5563800:01C60734]
>
> Reed Arvin wrote:
> >The issue occurs when the naPrdMgr.exe process attempts to run the
> >C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. Because 
> of
> >a lack of quotes the naPrdMgr.exe process first tries to run
> C:\Program.exe.
> >If that is not found it tries to run C:\Program Files\Network.exe. When
> that
> >is not found it finally runs the EntVUtil.EXE file that it was originally
> >intending to run. A malicious user can create an application named
> >Program.exe and place it on the root of the C:\ and it will be run with
> >Local System privileges by the naPrdMgr.exe process. Source code for an
> >example Program.exe is listed below.
>
> While I agree this behavior is a bug, it is not a vulnerability.  Properly
> secured installations of Windows aren't susceptible to this attack because
> the ACL on the root of the installation volume denies users other than
> Administrators the ability to write to files.
>
> The same ACL is in place on the Program Files directory, for obvious
> reasons, and it is inherited by software installations.
>
> Any Windows system without these ACLs in place is vulnerable to a myriad of
> attacks -- see Microsoft Security Bulletin MS02-064:
>
>     http://www.microsoft.com/technet/security/bulletin/ms02-064.mspx
>
> --------------------------------------------------------------------
> mail2web - Check your email from the web at
> http://mail2web.com/ .
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/