[NT] Computer Associates eTrust EZ Antivirus Insecure File Permission
From: SecuriTeam (support_at_securiteam.com)
Date: 12/15/04
- Previous message: SecuriTeam: "[EXPL] wget Directory Traversal (Exploit)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 15 Dec 2004 18:37:52 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Computer Associates eTrust EZ Antivirus Insecure File Permission
------------------------------------------------------------------------
SUMMARY
Computer Associates eTrust EZ Antivirus is "antivirus protection software
for home and business use. It provides complete protection, detection and
elimination of thousands of computer viruses, worms, and Trojan Horse
programs".
Local exploitation of an insecure permission vulnerability in Computer
Associates eTrust EZ Antivirus allows attackers to escalate privileges or
disable protection.
DETAILS
Vulnerable Systems:
* eTrust EZ Antivirus version 7.0.1.4
* eTrust EZ Antivirus version 7.0.0 up to 7.0.4
Immune Systems:
* eTrust EZ Antivirus version 7.0.5
Computer Associates eTrust EZ Antivirus is a product used to protect a
personal computer from virus infections. The vulnerability specifically
exists in the default file Access Control List (ACL) settings that are
applied during installation. When an administrator installs eTrust EZ
Antivirus, the default ACL allows any user to modify the installed files.
Because of the fact that some of the programs run as system services, a
user can simply replace an installed eTrust EZ Antivirus file with their
own malicious code that will later be executed with system privileges. One
such file that would be a target for this is VetMsg.exe.
Analysis:
Successful exploitation allows local attackers to escalate privileges to
the system level. It is also possible to use this vulnerability to simply
disable protection by moving all of the executable files so that they
cannot start upon a reboot.
Workaround:
Apply proper Access Control List settings to the directory that eTrust EZ
Antivirus is installed in. The ACL rules should make sure that no regular
users can modify files in the directory.
Vendor Response:
"With the assistance of iDEFENSE, Computer Associates has identified a
medium-risk vulnerability in the installation and updating components of
eTrustTM EZ Antivirus which may allow a local user to escalate their user
privileges on a PC and disable protection.
Effected generally available releases of eTrust EZ Antivirus include:
* eTrust EZ Antivirus r7.0.0 - r7.0.4 installed on PC's
- running Windows NT, 2000 or XP
- with NTFS formatted drives
Computer Associates has actively addressed this issue in eTrust EZ
Antivirus r7.0.5 and above.
More information about this vulnerability and instructions on how to
upgrade to the latest version of eTrust EZ Antivirus can be found at:
<http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=2222> http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=2222
At Computer Associates, we take every report of exposure with the utmost
urgency, to ensure that no customer is left in a vulnerable situation. We
have assigned this vulnerability the ID number 32054."
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1149>
CAN-2004-1149
Disclosure Timeline:
10/26/2004 - Initial vendor notification
10/29/2004 - Initial vendor response
12/15/2004 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=164&type=vulnerabilities> http://www.idefense.com/application/poi/display?id=164&type=vulnerabilities
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] wget Directory Traversal (Exploit)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
