mcaffee.mycio.traversal.txt

2001-07-12T00:00:00
ID PACKETSTORM:24971
Type packetstorm
Reporter Ade245
Modified 2001-07-12T00:00:00

Description

                                        
                                            `----- Begin Hush Signed Message from ade245@hushmail.com -----  
  
-=[ SECURITY ADVISORY ]=-   
  
  
  
McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerabilty  
  
  
  
Date: 28 June 2001  
  
Impact: HIGH  
  
Affected: Any machine running the McAfee Agent ASaP VirusScan Software  
  
Tested on: NT Workstation 4.0, 2000 Professional   
  
  
Overview  
--------  
  
McAfee ASap Virusscan is a Web-based, managed and updated Anti-Virus Service   
for the Desktop Environment. On setup agent software is installed on the   
client machine. This software incorporates what is known as "Rumour Technology"   
that facilitates in the transfer of virus definitions between neigbouring   
machines. This agent software runs as a service ("McAfee Agent") under   
the local system account and uses a light weight HTTP server that listens   
on port 6515.   
  
  
Description   
-----------  
  
This web server is restricted to serve files that are located under \winnt\mycio\agent\rmrcache   
, however it is possible to break out of this by using a specially formatted   
directory traversal URL. This means that an attacker can connect to the   
webserver and view and/or download any file that resides on the target box.   
Due to the fact that the service is running as local system NTFS permissions   
are redundant.  
  
  
Example  
-------  
  
To view the contents of WinNT/Repair enter the following URL into a web   
browser:  
  
  
HTTP://<Target IP Address>:6515/.../.../.../.../winnt/repair  
  
  
  
Workaround  
----------  
  
Disable the McAfee Agent service or alternatively run it under a local user   
account and set the NTFS permissions accordingly.  
  
  
Notes  
-----  
  
McAfee where notified of this issue 28-June-2001  
  
  
  
  
  
----- Begin Hush Signature v1.3 -----  
CqnHbxr849s+SIAlsEWQMkOyxzMYI0IxAT3Iu/barfSw92Cf5YKbosXkv8qdeNDKSUkS  
2R69rXhvAaDngmcreEcOvFZRrGQ1EWyQdczKYceg4sphiNwhRYYqbYWYPkhJyfMP4+Be  
MmfYg4runAF62i8PCzSqUgnQMAuFG3bWb4XFFwDbGIwREX7OIc6KFc3Xd7Cc3+k4VVgs  
/LUxchUhlKhWUDyCKbI76dfGyXW9+ulLKyjj8LwMaiq5iq6w3pqlkF12T/b4B9B3FCOW  
vLxjUlfS9H4si80WA4acwzpe+g0y6ffe7H4nQqcd6bJbQkwzjL3vQH/eNAVFvnEYQCxZ  
WVS7CubjbQGHWFclZBDfSHl2QOC+u9dC+fM17T6NZnoIIEwOpe6U5eQLGw16hyJY2G/9  
LlQAsYIQ5k8g6Ox5Of6lv8LLXmq4ZEqI0Gd8Bs7cy4WYttsYkyIAMyB0tGYoAIMKL0oo  
7VYt05ecR7XDHOvXUAaLeKjOBYXl6a3+A73roR84lH/A  
----- End Hush Signature v1.3 -----  
  
  
This message has been signed with a Hush Digital Signature.   
To verify the signature, please go to www.hush.com/tools  
  
  
Free, encrypted, secure Web-based email at www.hushmail.com  
`