Vulnerability

VirusScan

Affected

McAfee VirusScan 4.5

Description

Richard Fry found the following. Create a VB executable which does whatever it is that you want it to do (create new users, elevate permissions etc.). Call the file COMMON.EXE. Place this executable in "C:\Program Files" (the default installation permissions for this directory are Everyone Full Control). Wait for a reboot (or restart the McShield service). The Service Control Manager will pick up the file COMMON.EXE and run it as Local System. The rest of the path name is passed as an argument to the COMMON.EXE application, so if you are feeling generous you can pass control to the original application.

This is due partly to a feature in the SCM but more to an oversight on the part of NAI. They have omitted the quotes around a long file name in the service key:

    ImagePath=C:\Program Files\Common Files\Network Associates\McShield\McShield.exe

This works on NT4 SP3 through SP6a and Windows 2000. Microsoft are aware of this and are unlikely to do anything further.

Solution

NAI have agreed that this is a problem and it has been addressed in SP1 of the VirusScan product. As a workaround, do one of the following:

- Place quotes around the image path for the McShield and AvSyncMgr services.
- Install Service Pack 1 for VirusScan.
- Change the default permissions so that "C:\Program Files" and "C:\Program Files\Common Files" can only be written by Local Admin.
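
An added example, not part of the original advisory and not NAI or Microsoft code: a Python audit that checks service ImagePath values for the missing-quotes condition described above and produces the quoted form used by the workaround. The McShield value is taken from the advisory; the other two service entries and all function names are constructed for illustration.

```python
import re

# Constructed sample of service name -> ImagePath. Only the McShield value is
# from the advisory; the other two entries are made up for contrast.
SAMPLE_SERVICES = {
    "McShield": r"C:\Program Files\Common Files\Network Associates\McShield\McShield.exe",
    "QuotedSvc": r'"C:\Program Files\Example\svc.exe" -run',
    "NoSpaceSvc": r"C:\WINNT\System32\svc.exe -k example",
}

EXE_END = re.compile(r"\.exe\b", re.IGNORECASE)

def split_unquoted(image_path):
    """Return (exe_path, args) for an unquoted value, or None if it is quoted."""
    value = image_path.strip()
    if value.startswith('"'):
        return None
    # Heuristic: the executable path ends at the first ".exe"; if there is
    # none, treat the whole value as the path.
    m = EXE_END.search(value)
    end = m.end() if m else len(value)
    return value[:end], value[end:].strip()

def shadow_candidates(image_path):
    """Executables tried before the intended one when quotes are missing."""
    parts = split_unquoted(image_path)
    if parts is None:
        return []
    exe = parts[0]
    # Each space is a point where the name can be cut short, so the
    # directories holding these names need restrictive write permissions.
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def quoted_fix(image_path):
    """Return the value with the executable path quoted (the workaround)."""
    parts = split_unquoted(image_path)
    if parts is None or " " not in parts[0]:
        return image_path
    exe, args = parts
    return f'"{exe}"' + (f" {args}" if args else "")

def audit(services):
    """Map each affected service to (candidates, corrected ImagePath)."""
    return {name: (shadow_candidates(p), quoted_fix(p))
            for name, p in services.items() if shadow_candidates(p)}

if __name__ == "__main__":
    for name, (cands, fix) in audit(SAMPLE_SERVICES).items():
        print(name, cands, fix, sep="\n  ")
```

On a live system the dictionary would be filled from the ImagePath values of the services being reviewed; the second candidate reported for McShield corresponds to the COMMON.EXE location named in the description.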