McAfee VirusScan Enterprise 'VirusScan On-Access Scan' Component Security Restriction Bypass Vulnerability

Vulnerability ID 1193448 Vulnerability type Unknown
Published 2006-09-19 Updated 2006-09-19
CVE ID CVE-2006-4886 CNNVD-ID CNNVD-200609-352
Platform N/A CVSS score 3.7
|Vulnerability source
https://www.securityfocus.com/bid/84174
https://cxsecurity.com/issue/WLB-2006090133
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-352
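|Vulnerability details
In the VirusScan On-Access Scan component of McAfee VirusScan Enterprise 7.1.0 and Scan Engine 4.4.00, a local privileged user can bypass security restrictions and disable the On-Access Scan option by opening the program from the task bar and quickly clicking the "Disable" button, possibly because of an interface-related race condition.
|Vulnerability EXP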
Suggested Risk Level: Low

Type of Risk: Disabling security component.

Affected Software: VirusScan Enterprise 7.1.0 (client side, managed
centrally by ePolicy Orchestrator), Scan Engine: 4.4.00, the "VirusScan
On-Access Scan" component.
OS Environment: Windows 2000 workstation w/SP4 and all the up-to-date
windows update security and operational patches (May be valid on Windows XP
as well, but was not tested on XP).

Local / Remote activated: Local.

Summary:
A McAfee administrator can choose to prevent a local user of the VirusScan
client to disable the "On-Access Scan" (the real-time memory virus
monitoring and cleaning component) by making the "disable" button un-active
within the "VirusScan On-Access Scan Statistics" dialog box.

But, just after a user logs on locally to the desktop, and after any period
of time, until the first time the "VirusScan On-Access Scan Statistics"
dialog box is opened - the user can double click the "VirusScan On-Access
Scan" icon on the task bar and then the "disable" button will be active for
about 5 seconds, a sufficient time for the user to press this button.

After pressing the "disable" button, the button will change its interface
text to "enable", the "On-Access Scan" icon will present a "no entrance"
sign, stating it is disabled, and the "Network Associates McShield" service
will be in a "paused" mode.

Once the 5 seconds period has passed - the button will become disabled
(grayed out) in whatever state it is at that time, stabilizing the
"On-Access Scan" component to its last state, which is one of two:
1. The button was not pressed -> Button shows "disable" ; the "On-Access
Scan" is active and the "Network Associates McShield" service will be in a
"started" mode.
2. The button was pressed -> Button shows "enable" ; the "On-Access Scan" is
disabled and the "Network Associates McShield" service will be in a "paused"
mode.

I rated this issue as "low" because it is mostly an interface related issue,
and the user must be a member of a local users group that can pause a
service, i.e. "power users" or "Administrators", which are the most
privileged users groups in the OS.

This issue is relevant only in cases where the OS, particularly the
interface, was heavily hardened (especially preventing access to the
"services" console and preventing running any command line interface), but
the user has access to the "VirusScan On-Access Scan Statistics" dialog box
and is a member of the "power users" or "Administrators" groups.

Possible Abuses: Disabling the VirusScan real-time virus protection,
exposing the OS to virus infection.

Reproduction:
1. Make sure the VirusScan policy is prohibiting users from disabling the
"On-Access Scan" component.
2. Log on locally to the OS with a user that is a member of the "power
users" or "administrators" group.
3. Wait any period of time you wish.
4. Double click the "VirusScan On-Access Scan Statistics" icon placed on the
task bar.
5. Click the "disable" button within 5 seconds.
6. Wait a few seconds for the button to gray out, stabilizing the "On-Access
Scan" component in a "disabled" mode.

Exploit Code: No need.

Direct resolution: None at the time of publishing this advisory.


Workarounds: Enable the "Do not show the system tray icon" policy option -
to prevent your users from opening the "VirusScan On-Access Scan Statistics"
dialog box, and thus prevent them from reaching the "disable" button.
(Using this workaround may alarm the users that the sudden absence of the
icon is a sign of a possible harm to the virus protection and thus
initiating multiple support calls).

Vendor Notification: McAfee was notified in May 2006 and has approved my
findings. McAfee chose to include a fix for this issue as part of a major
product update, which is scheduled to be released in the coming
month/months.

Credit:
Eitan Caspi
Israel
Email: eitancaspi (at) yahoo (dot) com


|Affected products
McAfee VirusScan Enterprise 7.1
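
A defender-side check for the end state the advisory above describes (the "Network Associates McShield" service left in "paused" mode), as an added example that is not part of the original advisory or any McAfee tooling. It assumes a current Windows host with PowerShell, an account permitted to continue the service (for example a scheduled task), and the service display name exactly as quoted in the advisory; the function names and finding labels are hypothetical.

```powershell
# Added example, not from the advisory. Flags the end state it describes:
# the "Network Associates McShield" service left in "paused" mode.
$DisplayName = 'Network Associates McShield'   # display name as quoted in the advisory

function Get-OnAccessScanFinding {
    # Map a service status string to the two stable states the advisory lists.
    param([Parameter(Mandatory)][string]$Status)
    switch ($Status) {
        'Running' { 'active' }            # state 1: service "started"
        'Paused'  { 'disabled-paused' }   # state 2: service "paused"
        default   { 'unexpected-' + $Status.ToLower() }
    }
}

function Invoke-OnAccessScanCheck {
    param([string]$Name = $DisplayName, [switch]$Resume)

    $svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Time = (Get-Date); Finding = 'service-not-found'
                                  User = $null; Resumed = $false }
    }

    $finding = Get-OnAccessScanFinding -Status $svc.Status.ToString()
    $resumed = $false
    if ($finding -eq 'disabled-paused' -and $Resume) {
        # Put the scanner back into the state the policy intends.
        Resume-Service -InputObject $svc
        try {
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(15))
            $resumed = $true
        } catch { $resumed = $false }     # timed out: still not running
    }

    [pscustomobject]@{
        Time    = (Get-Date)
        Finding = $finding
        # Interactive console user, to tie the pause to a logon session.
        User    = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
        Resumed = $resumed
    }
}

# Poll once a minute; emit a record only when the scanner is not active.
while ($true) {
    $r = Invoke-OnAccessScanCheck -Resume
    if ($r.Finding -ne 'active') { $r | ConvertTo-Json -Compress }
    Start-Sleep -Seconds 60
}
```

Because the advisory's scenario is a hardened desktop where the user cannot reach the services console, running this outside the user's session keeps the check independent of the dialog box that exposes the button.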
|References

Source: XF
Name: mcafee-virusscan-onaccess-security-bypass(28971)
Link: http://xforce.iss.net/xforce/xfdb/28971
Source: BUGTRAQ
Name: 20060915 McAfee VirusScan Enterprise - disabling the client side "On-Access Scan"
Link: http://www.securityfocus.com/archive/1/archive/1/446220/100/0/threaded
Source: SREASON
Name: 1605
Link: http://securityreason.com/securityalert/1605