NAVCE 7.51 default permission exploit

From: Micheal Espinola Jr (santeriasystems@YAHOO.COM)
Date: 11/22/01


Message-ID:  <20011121235551.30650.qmail@web14807.mail.yahoo.com>
Date:         Wed, 21 Nov 2001 15:55:51 -0800
From: Micheal Espinola Jr <santeriasystems@YAHOO.COM>
Subject:      NAVCE 7.51 default permission exploit
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


============================================================

Topic:
=====

Default NTFS permissions (post-software install) allow
local user security context to modify "managed" Norton
AntiVirus Corporate Edition 7.51 client configuration.

Affected:
========

Norton AntiVirus Corporate Edition (NAVCE) 7.51
Clients.

Potentials:
==========

Other versions of NAVCE that incorporate the use of
GRC.DAT should be considered suspect to the same
exploit.

Background:
==========

The GRC.DAT file is a plain-text file that acts as a
repository of changes made for the clients of a NAVCE
server. Any client options that are modified by using
the Symantec System Center console at the server group
or server level update the GRC.DAT file. This file is
pulled by clients to impose configuration changes set
at the level of the server by which the client is managed.
Configuration modifications are checked for when a
client starts the Norton AntiVirus Client service. The
GRC.DAT file will be transferred and processed if
required.

NAVCE 7.5x clients use the "All Users" Application
Data folder tree to process the GRC.DAT file. The
GRC.DAT is automatically processed by the system
within seven-minute intervals if present within the
folder; or it can be immediately processed by stopping
and then restarting the Norton AntiVirus Client
service. Once the file has been processed, it is
automatically deleted.

Assumptions:
===========

The default NTFS permissions on the "All Users" folder
tree do not allow write access to any non-Power User
or lower accounts. It should also be considered a
security risk for Power User accounts to have write
access here (that's a topic for OS hardening
issues).

Reality:
=======

The Symantec sub-tree of the "All Users" folder
inherits permissions from its root until it reaches
the "7.5" folder. This is the folder in which the GRC.DAT
file is placed when needed. The installation of NAVCE
has negated the inherited permissions at this point in
the folder tree, and the permissions have been
modified to Everyone: Full Control for this folder and
all child objects.

Defaults:
========

\\<NAVCE>\VPLOGON\
   ----------
   Everyone: Full Control
   ----------

\\<NAVCE>\C$\PROGRA~1\NAV\logon\*.*
   ----------
   BUILTIN\Administrators: Full Control
   CREATOR OWNER: Full Control
   DOMAIN\Domain Users: Read
   BUILTIN\Power Users: Change
   NT AUTHORITY\SYSTEM: Full Control
   NT AUTHORITY\TERMINAL SERVER USER: Change
   BUILTIN\Users: Read
   ----------

<All_Users_Profile_Dir>\Application
Data\Symantec\Norton AntiVirus Corporate Edition\7.5
   ----------
   Everyone: Full Control
   ----------

Impact:
======

The GRC.DAT is accessible by virtually all users in
the domain, via the \\<NAVCE>\VPLOGON\ share. This
file could be copied, modified and deposited in a
client system's Application Data folder to override
and/or negate antivirus settings as well as corporate
policy.

If exploited, the local user security context has the
ability to modify all aspects of the configuration of
the NAVCE client. This could be done intentionally or
maliciously for further exploitation of the system
and/or network infrastructure.

Settings in this file not only govern local antivirus
protection, but the scanning of email and attachments
from Lotus Notes and Microsoft Exchange servers as
well.

Once a modified GRC.DAT file is deposited, the system
could potentially be compromised within seven minutes.

Failure:
=======

Symantec has failed three-fold:

1) Making the GRC.DAT file plain text. This exposes
   configuration details as well as making it easy for
   the file to be impersonated.
2) Making the GRC.DAT available and viewable through an
   open share (shared by default for the
   auto-installation of antivirus client software).
3) Making the client updating mechanism a file
   processing job done via a folder that is writable by
   any user of the target system.

Resolution:
==========

Modify the entire Symantec folder structure to inherit
NTFS permissions. Remove NTFS Write privileges from
all accounts applied (except for the SYSTEM account,
and possibly the administrator account, depending on your
needs) to the "7.5" folder and all child objects.
The SYSTEM account should be all that is necessary for
any file creation or modification, since the Norton
AntiVirus Client service runs under the SYSTEM
context.

Depending on your network architecture and procedure
for rolling out NAVCE client software, you may or may
not wish to apply further restrictions on the server
side of this issue.
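The following script is an added example (not part of the original post) that audits the ACL on the "7.5" client folder for write access granted to anyone other than SYSTEM or Administrators, and, with -Fix, re-enables inheritance, strips those rules and leaves SYSTEM with Full Control, as the resolution above describes. The default path is assumed from the All Users profile tree named in the advisory; adjust it if your install differs.

```powershell
# Added example: audit/harden the NAVCE 7.5 folder that GRC.DAT is dropped into.
# Path assumption: default All Users profile tree from the advisory.
param(
    [string]$Path = (Join-Path $env:ALLUSERSPROFILE 'Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5'),
    [switch]$Fix   # without -Fix the script only reports what it finds
)

# Any of the write bits (WriteData, AppendData, WriteAttributes, WriteExtendedAttributes).
# Modify and FullControl both include these bits, so one mask covers all three.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

# The client service runs as SYSTEM; Administrators is kept for operational use.
$allowedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$acl = Get-Acl -Path $Path
Write-Host "Folder: $Path"
Write-Host "Inheritance from parent disabled: $($acl.AreAccessRulesProtected)"

$offending = @()
foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    # Cast to int: generic rights on some inherited ACEs do not map to named flags.
    $grantsWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
    if ($grantsWrite -and ($allowedWriters -notcontains $ace.IdentityReference.Value)) {
        $offending += $ace
        Write-Warning ("Write access for {0}: {1} (inherited: {2})" -f
            $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
    }
}

if (-not $Fix) {
    Write-Host ("{0} offending rule(s) found; re-run with -Fix to remediate." -f $offending.Count)
    return
}

# Re-enable inheritance (isProtected = $false) and keep existing explicit rules
# for the moment so we can remove only the offending ones below.
$acl.SetAccessRuleProtection($false, $true)

# RemoveAccessRule only affects explicit rules; the Everyone: Full Control rule
# the installer wrote at this level is explicit, which is exactly what we want gone.
foreach ($ace in $offending) { $acl.RemoveAccessRule($ace) | Out-Null }

# Explicit Full Control for SYSTEM so the service can still create and delete GRC.DAT.
$sysRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\SYSTEM', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($sysRule)

Set-Acl -Path $Path -AclObject $acl
Write-Host "ACL updated; re-run without -Fix to verify."
```

Rules that arrive by inheritance after the change (for example Power Users: Change from the parent tree) are reported but not removed here, since that is the OS-hardening question the advisory leaves to the reader.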

============================================================

Micheal Espinola Jr
santeriasystems@yahoo.com

11/21/2001 : 6:32 PM EST

Have a happy Thanksgiving! Remember what this day is
supposed to symbolize...
