Public Vulnerability Reports

McAfee VirusScan Privilege Escalation Vulnerability

09.14.04

BACKGROUND

McAfee VirusScan is a popular real-time virus protection application.
For more information see http://www.mcafee.com.

DESCRIPTION

Local exploitation of a design error vulnerability in Networks
Associates Technology Inc.'s McAfee VirusScan could allow attackers to
obtain increased privileges.

The problem specifically exists because SYSTEM privileges are not
dropped when accessing the "System Scan" properties from the System
Tray applet. The vulnerability can be exploited by right-clicking the
System Tray icon, choosing "Properties", selecting "System Scan",
then, from the "Report" tab, selecting "Browse...". The opened file
selected can be abused by navigating to C:WINDOWSSYSTEM32,
right-clicking cmd.exe, then selecting "Open"; doing so spawns a
command shell with SYSTEM privileges.

ANALYSIS

Exploitation allows local users to obtain Local System privileges,
thereby providing them with complete control of the affected system.

DETECTION

McAfee VirusScan version 4.5.1 running on Windows 2000 Professional
and Windows XP Professional operating systems is vulnerable. It is
suspected that McAfee VirusScan 4.5 is also vulnerable.

WORKAROUND

iDEFENSE is currently unaware of any workarounds for this issue.

VENDOR RESPONSE

"Apply Patch 48, available from https://mysupport.nai.com.

A valid Support contract grant number is required."

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0831 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

DISCLOSURE TIMELINE

08/12/2004    Initial vendor notification - no response
08/12/2004    iDEFENSE clients notified
09/02/2004    Secondary vendor notification - no response
09/14/2004    Public disclosure
09/15/2004    Initial vendor response

CREDIT

Ian Vitek is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.