Fwd: Serious Privilege Escalation Vulnerability in McAfee VirusScan (fwd)

Julian Field mailscanner at ecs.soton.ac.uk
Fri Sep 17 15:03:50 IST 2004


<x-flowed>
McAfee: gun in pocket. BANG! Ouch! There goes the other foot....

>An error in the programming for McAfee VirusScan can provide privilege
>escalation for normal users logged in interactively to a workstation.
>
>It has been initially tested on McAfee VirusScan version 4.5.1 running on
>Windows 2000 Professional and Windows XP Professional.
>
>You can exploit the vulnerability very easily!
>
>The problem specifically exists because SYSTEM privileges are not
>dropped when accessing the "System Scan" properties from the System
>Tray applet. The vulnerability can be exploited by right-clicking the
>System Tray icon, choosing "Properties", selecting "System Scan",
>then, from the "Report" tab, selecting "Browse...". The opened file
>selected can be abused by navigating to C:\WINDOWS\SYSTEM32\,
>right-clicking cmd.exe, then selecting "Open"; doing so spawns a
>command shell with SYSTEM privileges.
>
>Also it is reported the same problems can occur in version 7.1.0 and 8.0.0
>but I have yet to test these fully in a locked down environment.
>
>So far I have established you can do portbinds but not run a command
>prompt.
>
>Do a new task, for example "Update", and choose a program to run after
>the task, set this task to run with a schedule, after this task is done
>the chosen program is running with SYSTEM privileges.
>
>Quite a serious hole for the machines running on campus with local access
>restrictions. You need to be able to create a new task though, so limited
>access via passwords could be possible!
>
>This is not remotely exploitable.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
</x-flowed>
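
A detection sketch for the two paths described in the forwarded advisory (the "Browse..." dialog and the program run after a scheduled task), added here as an example and not part of the original message or of any vendor tooling: it flags process-creation records where a SYSTEM process is started by the antivirus tray applet or task scheduler but is not one of the product's own binaries. The process names, install path and log records are constructed placeholders and must be replaced with the real values for the installed product.

```python
# Constructed process-creation records (image, user, parent image).
# These are sample values for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\WINDOWS\SYSTEM32\cmd.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Program Files\AV\av_tray_placeholder.exe"},
    {"image": r"C:\WINDOWS\SYSTEM32\cmd.exe", "user": r"CAMPUS\student1",
     "parent": r"C:\WINDOWS\explorer.exe"},
    {"image": r"C:\Temp\user_chosen_placeholder.exe", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Program Files\AV\av_scheduler_placeholder.exe"},
    {"image": r"C:\Program Files\AV\av_scanner_placeholder.exe",
     "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Program Files\AV\av_scheduler_placeholder.exe"},
]

# Hypothetical names: substitute the AV product's real UI and scheduler binaries.
AV_PARENTS = {"av_tray_placeholder.exe", "av_scheduler_placeholder.exe"}
# Assumed install directory from which the product launches its own children.
AV_INSTALL_DIRS = (r"c:\program files\av" + "\\",)
SYSTEM_USER = r"nt authority\system"

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(event):
    """True for a SYSTEM child of an AV UI/scheduler process that is not an AV binary."""
    if event["user"].lower() != SYSTEM_USER:
        return False
    if basename(event["parent"]) not in AV_PARENTS:
        return False
    return not event["image"].lower().startswith(AV_INSTALL_DIRS)

def find_escalations(events):
    """Return the records that match the privilege-escalation pattern."""
    return [e for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for hit in find_escalations(SAMPLE_EVENTS):
        print("ALERT: %s as SYSTEM, parent %s" % (hit["image"], hit["parent"]))
```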