Vulnerability

    McAfee ASaP Virusscan - myCIO HTTP Server

Affected

    Any machine running the McAfee Agent ASaP VirusScan Software

Description

    'ade245' found following.   McAfee ASap Virusscan is  a Web-based,
    managed   and   updated   Anti-Virus   Service   for  the  Desktop
    Environment.  On setup agent  software is installed on the  client
    machine.   This  software  incorporates  what  is known as "Rumour
    Technology" that facilitates in the transfer of virus  definitions
    between  neigbouring  machines.   This  agent  software  runs as a
    service ("McAfee Agent") under  the local system account  and uses
    a light weight HTTP server that listens on port 6515.

    This web  server is  restricted to  serve files  that are  located
    under \winnt\mycio\agent\rmrcache, however it is possible to break
    out of  this by  using a  specially formatted  directory traversal
    URL.  This means that an attacker can connect to the webserver and
    view and/or download any file that resides on the target box.  Due
    to  the  fact  that  the  service  is running as local system NTFS
    permissions are redundant.

    To view the contents of WinNT/Repair enter the following URL  into
    a web browser:

        HTTP://<Target IP Address>:6515/.../.../.../.../winnt/repair

Solution

    Disable the McAfee Agent service  or alternatively run it under  a
    local  user  account  and  set  the  NTFS permissions accordingly.
    McAfee where notified of this issue 28-June-2001