|
|
McAfee VirusScan Privilege Escalation Vulnerability iDEFENSE Security Advisory 09.14.04: I. BACKGROUND McAfee VirusScan is a popular real-time virus protection application. For more information see http://www.mcafee.com. II. DESCRIPTION Local exploitation of a design error vulnerability in Networks Associates Technology Inc.'s McAfee VirusScan could allow attackers to obtain increased privileges. The problem specifically exists because SYSTEM privileges are not dropped when accessing the "System Scan" properties from the System Tray applet. The vulnerability can be exploited by right-clicking the System Tray icon, choosing "Properties", selecting "System Scan", then, from the "Report" tab, selecting "Browse...". The opened file selected can be abused by navigating to C:\WINDOWS\SYSTEM32\, right-clicking cmd.exe, then selecting "Open"; doing so spawns a command shell with SYSTEM privileges. III. ANALYSIS Exploitation allows local users to obtain Local System privileges, thereby providing them with complete control of the affected system. IV. DETECTION McAfee VirusScan version 4.5.1 running on Windows 2000 Professional and Windows XP Professional operating systems is vulnerable. It is suspected that McAfee VirusScan 4.5 is also vulnerable. V. WORKAROUND iDEFENSE is currently unaware of any workarounds for this issue. VI. VENDOR FIX The vendor does not appear to have provided a patch for this issue. However, due to design changes in the GUI, this vulnerability does not appear to exist in later versions of the product. VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2004-0831 to these issues. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 08/12/2004 Initial vendor notification - no response 08/12/2004 iDEFENSE clients notified 09/02/2004 Secondary vendor notification - no response 09/14/2004 Public disclosure Ian Vitek is credited with this discovery.