RE: [Full-disclosure] Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)




How often does McAfee try to run this file?


-Jeff Wilder CISSP, CCE, C/EH



-----BEGIN GEEK CODE BLOCK-----
 Version: 3.1
	GIT/CM/CS/O d- s:+ a C+++ UH++ P L++ E- w-- N+++ o-- K- w O- M--
	V-- PS+ PE- Y++ PGP++ t+ 5- X-- R* tv b++ DI++ D++
	G e* h--- r- y+++*
------END GEEK CODE BLOCK------





From: "mattmurphy@xxxxxxxxx" <mattmurphy@xxxxxxxxx>
Reply-To: mattmurphy@xxxxxxxxx
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: RE: [Full-disclosure] Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Date: Thu, 22 Dec 2005 15:18:32 -0500


Reed Arvin wrote:
>The issue occurs when the naPrdMgr.exe process attempts to run the
>C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file. Because of
>a lack of quotes the naPrdMgr.exe process first tries to run
>C:\Program.exe. If that is not found it tries to run
>C:\Program Files\Network.exe. When that is not found it finally runs the
>EntVUtil.EXE file that it was originally intending to run. A malicious user
>can create an application named Program.exe and place it on the root of
>the C:\ and it will be run with Local System privileges by the naPrdMgr.exe
>process. Source code for an example Program.exe is listed below.


While I agree this behavior is a bug, it is not a vulnerability.  Properly
secured installations of Windows aren't susceptible to this attack because
the ACL on the root of the installation volume denies users other than
Administrators the ability to write to files.

The same ACL is in place on the Program Files directory, for obvious
reasons, and it is inherited by software installations.

Any Windows system without these ACLs in place is vulnerable to a myriad of
attacks -- see Microsoft Security Bulletin MS02-064:

    http://www.microsoft.com/technet/security/bulletin/ms02-064.mspx



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


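The unquoted-path lookup described in the quoted report, together with the ACL condition Matt Murphy's reply rests on, as an added Python audit example (written for this page, not code from either poster or from McAfee): it enumerates the candidate binaries CreateProcess tries for an unquoted image path and flags any directory on that search path whose write ACL is held by a principal outside the administrators. The principal names in TRUSTED_WRITERS and both ACL tables are constructed for illustration; on a real host the tables would be filled from icacls output.

```python
import ntpath

# Principals assumed to legitimately hold write access on system directories
# of a properly secured Windows install (the condition the reply relies on).
TRUSTED_WRITERS = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}

def unquoted_path_candidates(image_path: str) -> list:
    """Executables CreateProcess tries, in order, for an unquoted image path.

    Each space is a possible end of the program name: the text before it is
    tried (with .exe appended when it has no extension) before the next
    segment is considered.  The last entry is the binary actually intended.
    """
    if image_path.startswith('"'):
        return [image_path.split('"')[1]]  # a quoted path resolves exactly
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if not ntpath.splitext(candidate)[1]:
            candidate += ".exe"
        candidates.append(candidate)
    return candidates

def directories_to_audit(image_path: str) -> list:
    """Directories, in search order, whose ACL must deny write to ordinary
    users so that no earlier candidate can be planted ahead of the real one."""
    return [ntpath.dirname(c) for c in unquoted_path_candidates(image_path)]

def exposed_directories(image_path: str, write_acl: dict) -> list:
    """Directories on the search path writable by a principal outside
    TRUSTED_WRITERS.  write_acl maps directory -> set of principals holding
    write access; on a real host it would be built from icacls output."""
    return [d for d in directories_to_audit(image_path)
            if write_acl.get(d, set()) - TRUSTED_WRITERS]

# Constructed sample data (hypothetical, not captured from a real host): the
# path from the report, a hardened volume, and one where Users can write to
# the root, the configuration MS02-064 warned against.
ENTVUTIL = r"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE"
ADMIN_ONLY = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM"}
HARDENED_ACL = {d: set(ADMIN_ONLY) for d in directories_to_audit(ENTVUTIL)}
WEAK_ACL = dict(HARDENED_ACL, **{"C:\\": ADMIN_ONLY | {"BUILTIN\\Users"}})

if __name__ == "__main__":
    print("search order:", unquoted_path_candidates(ENTVUTIL))
    print("hardened host exposes:", exposed_directories(ENTVUTIL, HARDENED_ACL))
    print("weak host exposes:", exposed_directories(ENTVUTIL, WEAK_ACL))
```

The search order reproduces the three lookups the report lists (C:\Program.exe, C:\Program Files\Network.exe, then EntVUtil.EXE), and the hardened table yields no exposed directory, which is the reply's argument in checkable form.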


