McAfee VirusScan Lets Local Users Bypass the Password Protection Feature
SecurityTracker Alert ID: 1017791
SecurityTracker URL: http://securitytracker.com/id/1017791
Updated: May 19 2008
Original Entry Date: Mar 19 2007
User access via local system
Exploit Included: Yes
Version(s): 8.5.0.i, possibly other versions
A vulnerability was reported in McAfee VirusScan. A local user can bypass the password protection feature.
A local user with write access to the Windows Registry can delete the UIP value from the registry to eliminate any password protection.
The UIP value is stored in HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\ or HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion.
NtWaK0 reported this vulnerability.
The original advisory is available at:
3APA3A reported that unprivileged users do not have write access to the 'HKEY_LOCAL_MACHINE\Software' registry section and should not be able to overwrite the password key unless the McAfee software applies weaker than normal access controls on their registry entries.
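A read-only way to test 3APA3A's point on a given host, as an added PowerShell example that is not part of the original advisory: it lists allow ACEs that grant write-type rights on the two keys named above to any principal outside a short trusted list. The trusted SID list is an assumption to adjust to local policy; the key paths are copied from the advisory as written.

```powershell
# Added example: read-only ACL audit of the keys named in this advisory.
# Key paths are copied from the advisory text exactly as written there.
$keys = @(
    'HKLM:\SOFTWARE\McAfee\DesktopProtection',
    'HKLM:\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion'
)

# Rights that allow deleting or overwriting a value, or re-ACLing the key.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# Raw GENERIC_ALL / GENERIC_WRITE bits can appear unmapped in registry ACEs.
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

# Assumption: only these well-known SIDs are expected to hold write access.
$trusted = @(
    'S-1-5-18',       # LocalSystem
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-3-0'         # CREATOR OWNER
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this host
    $acl = Get-Acl -LiteralPath $key
    # Explicit and inherited rules, with principals returned as SIDs
    # so the comparison does not depend on the OS display language.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Key       = $key
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    'No unexpected write-capable ACEs on the keys that exist on this host.'
}
```

Any row in the output is a principal other than the trusted ones that could change or remove values under the key, which is the condition 3APA3A describes as weaker than normal access control.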
A local user can bypass the password protection feature.
No solution was available at the time of this entry.
Vendor URL: www.mcafee.com/
Access control error
Underlying OS: Windows (Any)
Source Message Contents
Subject: Bypassing McAfee Enterprise Password Protection
Date : 03/16/2007
Affected Product / OS
Product Name and Version: McAfee VirusScan Enterprise 8.5.0.i, maybe older versions too.
Tested on OS: Windows XP, 2003
Type: Bad Design
Bypass Password Protection
McAfee VirusScan Enterprise allows you to lock the user interface using a password. A user write access Windows registry.
The password is saved in UIP under the key HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection
Or it can be under
HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Entreprise\CurrentVersion
If you remove the value of the UIP you will end up bypassing the password.
You can replace the value, if you wish to, with a known value, but why bother when you can remove the password.
I think this type of protection is not too secure.
Peace to you all