Potential security vulnerability in Network Associates McAfee VirusScan 4.5.1sp1: ability to run code of the attacker's choice

BACKGROUND

If Download Scan or Internet Filter is enabled, the product uses the WebScanX.exe module. When running, WebScanX.exe is also hooked into explorer.exe. If the %HOMEDRIVE%, %HOMEPATH% and %HOMESHARE% variables point to a network location, and possibly even if they point to a local disk, the following takes place. (I refer to those variables as the home directory.)

DESCRIPTION

Opening Explorer and browsing a local hard disk such as c:\winnt creates network traffic: WebScanX tries to locate various DLL files in the user's home directory. At least the following DLLs have been observed in a network traffic capture: Mswsock.dll, regemul.dll, msjava.dll, psapi.dll, setupapi.dll and browseui.dll. The other DLLs are requested once or twice, but browseui.dll approximately 60 times when the winnt\system32 folder is opened in explorer.exe. All of these DLLs are located in the winnt\system32 folder.

VirusScan and WebScanX run in the LocalSystem context. The user may have only limited access to local resources, but normally has full control over his home directory. I have not researched why WebScanX is trying to locate those DLLs in the home directory, but it probably uses them to do something. If the DLLs are not needed by WebScanX, the behaviour is even more odd than it already is.

At this point all a malicious user has to do is research WebScanX's behaviour, create a modified version of one of the requested DLLs and place it in the user's home directory. This gives the process running as LocalSystem access to the modified DLL and an opportunity to run it with the highest privileges possible (as seen from the local computer). This action can be carried out by a Trojan program as well.

ENVIRONMENT

This behaviour was seen with W2K sp2 and W2K sp3, IE 5.5sp2 + rollups and McAfee VirusScan 4.5.1sp1, Scan Engine 4.1.60. Other, older versions might also be vulnerable. WinXP was not tested.
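A defender-side check for the behaviour described above, added here as an example and not part of the advisory: it reads constructed Process Monitor style file-access records and flags any of the named DLLs being requested from, or successfully loaded from, a location outside the system directory by a privileged process. The record format, the trusted directories, the user names and the sample records are assumptions made for this example.

```python
import ntpath

# DLL names the advisory reports WebScanX probing for in the user's home directory.
WATCHED_DLLS = {"mswsock.dll", "regemul.dll", "msjava.dll", "psapi.dll",
                "setupapi.dll", "browseui.dll"}
# Directories those DLLs legitimately live in (constructed for this example).
TRUSTED_DIRS = {r"c:\winnt\system32", r"c:\winnt"}
PRIVILEGED_USERS = {"nt authority\\system"}

def parse_line(line):
    """Split one constructed 'process|user|operation|path|result' record."""
    process, user, operation, path, result = line.split("|")
    return {"process": process, "user": user, "operation": operation,
            "path": path, "result": result}

def classify(event):
    """Return a severity string, or None if the access is not interesting."""
    name = ntpath.basename(event["path"]).lower()
    if name not in WATCHED_DLLS:
        return None
    if ntpath.dirname(event["path"]).lower() in TRUSTED_DIRS:
        return None  # normal load from the system directory
    privileged = event["user"].lower() in PRIVILEGED_USERS
    if event["result"] == "SUCCESS":
        # A watched DLL really exists outside the system directory: a planted copy.
        return "critical" if privileged else "high"
    # Not found: the probing behaviour the advisory describes (exposure, not compromise).
    return "medium" if privileged else "low"

def scan(lines):
    """Return (severity, process, path) for every suspicious DLL access."""
    findings = []
    for line in lines:
        event = parse_line(line)
        severity = classify(event)
        if severity:
            findings.append((severity, event["process"], event["path"]))
    return findings

# Constructed records modelled on the advisory's scenario; not a real capture.
SAMPLE_LOG = [
    r"WebScanX.exe|NT AUTHORITY\SYSTEM|CreateFile|\\fileserver\home\alice\browseui.dll|NAME NOT FOUND",
    r"WebScanX.exe|NT AUTHORITY\SYSTEM|CreateFile|C:\WINNT\system32\browseui.dll|SUCCESS",
    r"WebScanX.exe|NT AUTHORITY\SYSTEM|CreateFile|\\fileserver\home\alice\psapi.dll|SUCCESS",
    r"explorer.exe|CORP\alice|CreateFile|C:\Documents and Settings\alice\notes.txt|SUCCESS",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Any "critical" finding means a DLL with a system DLL's name is actually present in a user-writable location and was opened by a LocalSystem process; a "medium" finding is the probing itself and is worth closing by disabling the component or restricting the home-directory search, as the vendor reply below suggests.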
OTHER INFORMATION

Network Associates was informed of this problem on 28.10.2002, because it slows computers down and generates unnecessary network load, especially over slow WAN links. On 20.11.2002 Network Associates answered:

QUOTE
"WebscanX creates some extra overhead for scanning - since it also hooks Explorer. I would suggest disabling the component, as there won't be a way to stop those requests if it's for scanning. Note: WebscanX also hooks Explorer because it can be used for browsing the Web. Customers need to be aware that this functionality is largely redundant, and is optional for layered VirusScan protection - but is not necessary."
END OF QUOTE

On the same day (20.11.2002) Network Associates was also informed of the security aspect of this behaviour. Network Associates hasn't contacted us since.

Yours,
Jari Helenius
Mawaron Oy
jari.helenius@mawaron.com