Vulnerability

    VirusScan

Affected

    McAfee VirusScan 4.5

Description

    Richard Fry found  following.  Create  a VB Executable  which does
    what ever it is that you want it to do (create new users,  elevate
    permissions etc.).

    Call the file COMMON.EXE.

    Place  this   executable  in   "C:\Program  Files"   (the  default
    installation  permissions  for  this  directory  are Everyone Full
    Control).

    Wait for a reboot (or restart the McShield Service).

    The Service Control manager will  pick up the file COMMON.EXE  and
    run it as Local System, the rest of the path name is passed as  an
    argument  to  the  COMMON.EXE  application  so  if you are feeling
    generous you can pass control to the original application.

    This  is  due  partly  to  a  feature  in  the  SCM but more to an
    oversight on the part of NAI.  They have omitted the quotes around
    a long file name in the service key

        ImagePath=C:\Program Files\Common Files\Network Associates\McShield\McShield.exe

    This works on  NT4 SP3 ->  SP6a and Windows  2000 - Microsoft  are
    aware of this and are unlikely to do anything further.

Solution

    NAI have agreed that this is  a problem and it has been  addressed
    in SP1 of the VirusScan Product.

    As  a  workaround  place  quotes  around  the  image  path for the
    McShield, AvSyncMgr Service  or Install Service  Pack 1 for  Virus
    Scan  or  Change  default  permissions  on  "C:\Program Files" and
    "C:\Program  Files\Common  Files"  can  only  be  written by Local
    Admin.