Free-AV AntiVir PersonalEdition Classic Local Privilege Escalation Vulnerability

Vulnerability ID: 1195696    Vulnerability type: Design error
Published: 2006-03-19    Updated: 2006-03-20
CVE ID: CVE-2006-1274    CNNVD-ID: CNNVD-200603-316
Affected platform: N/A    CVSS score: 7.2
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006030065
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-316
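|Vulnerability details
The Classic Planer (scheduler) in AntiVir PersonalEdition Classic 7 does not drop privileges before executing external programs. A local user can gain privileges via notepad.exe, which is used to display the scan report.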
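
The pattern described above, a SYSTEM service starting a desktop program without dropping privileges, shows up in process-creation telemetry. The following is an added detection example, not part of the original advisory or database entry; the event field names, the `scheduler_service.exe` path, the `INTERACTIVE` list and all sample events are constructed assumptions.

```python
# Added example: field names and sample events are constructed, not a real log schema.
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Programs meant for a logged-on user's desktop; a SYSTEM-owned instance is suspect.
INTERACTIVE = {"notepad.exe", "mmc.exe", "cmd.exe", "explorer.exe"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_system_ui_chains(events):
    """Return one finding per interactive program started as SYSTEM by a
    non-interactive parent, with every descendant that kept the SYSTEM token."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    def is_system_ui(e):
        return e["user"] == SYSTEM_USER and basename(e["image"]) in INTERACTIVE

    findings = []
    for e in events:
        if not is_system_ui(e):
            continue
        parent = by_pid.get(e["ppid"])
        # Report only the chain root: skip children of an already-flagged UI process.
        if parent is not None and is_system_ui(parent):
            continue
        inherited, stack = [], list(children.get(e["pid"], []))
        while stack:
            c = stack.pop()
            if c["user"] == SYSTEM_USER:
                inherited.append(basename(c["image"]))
                stack.extend(children.get(c["pid"], []))
        findings.append({
            "root": basename(e["image"]),
            "launched_by": basename(parent["image"]) if parent else None,
            "inherited": sorted(inherited),
        })
    return findings

# Constructed events: a service opens a report viewer as SYSTEM; a normal user also runs notepad.
SAMPLE_EVENTS = [
    {"pid": 400, "ppid": 4, "user": SYSTEM_USER, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 812, "ppid": 400, "user": SYSTEM_USER, "image": r"C:\Program Files\ExampleAV\scheduler_service.exe"},
    {"pid": 1500, "ppid": 812, "user": SYSTEM_USER, "image": r"C:\Windows\System32\notepad.exe"},
    {"pid": 1544, "ppid": 1500, "user": SYSTEM_USER, "image": r"C:\Windows\System32\mmc.exe"},
    {"pid": 2000, "ppid": 1900, "user": r"PC\alice", "image": r"C:\Windows\System32\notepad.exe"},
]
```

The user-owned notepad.exe instance is not reported; only the SYSTEM-owned one started by the service, together with the child that inherited its token.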
|Vulnerability exploit (EXP)
Application: AntiVir PersonalEdition Classic
Site:        http://www.free-av.de/
Version:     7 and maybe lower
OS:          Windows XP, Windows 2000
Bugs:        Local Privilege Escalation

Product:
=====
AntiVir PersonalEdition Classic Windows from Avira GmbH protects your
computer from viruses, malware, unwanted programs and other dangers.

About:
=====
A few days ago I discovered a little 'Local Privilege Escalation' Bug
in the current version of AntiVir PersonalEdition Classic.

Description:
=====
Part of AntiVir PersonalEdition Classic is a service called 'AntiVir
PersonalEdition Classic Planer' which runs with SYSTEM rights. If you
start the update process using the GUI, AntiVir will show you a status
window. After finishing the process AntiVir offers you a report. Open
the report using the button 'Report' and AntiVir will open the report
in the well known application 'notepad.exe'. Well, since the update was
initiated by the service 'AntiVir PersonalEdition Classic Planer',
which runs with SYSTEM rights, notepad.exe inherits these rights now.
Use 'notepad.exe' to *run* 'compmgmt.msc' for example and...
Well, you know what might happen now.

History:
=====
2006-03-04: Found the Bug and mailed Vendor
2006-03-05: Response from vendor, checking the problem
2006-03-09: Response from vendor, fix is on the way.

ports

-- 
SYS 64767
|References

Source: BID
Name: 17071
Link: http://www.securityfocus.com/bid/17071
Source: BUGTRAQ
Name: 20060311 AntiVir PersonalEdition Classic: Local Privilige Escalation
Link: http://www.securityfocus.com/archive/1/archive/1/427412/100/0/threaded
Source: VUPEN
Name: ADV-2006-0948
Link: http://www.frsirt.com/english/advisories/2006/0948
Source: SECUNIA
Name: 19217
Link: http://secunia.com/advisories/19217
Source: FULLDISC
Name: 20060311 AntiVir PersonalEdition Classic: Local Privilige Escalation
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/042868.html
Source: XF
Name: antivir-notepad-gain-privilege(25244)
Link: http://xforce.iss.net/xforce/xfdb/25244
Source: OSVDB
Name: 23843
Link: http://www.osvdb.org/23843
Source: SREASON
Name: 573
Link: http://securityreason.com/securityalert/573