McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerabilty

From: ade245at_private
Date: Wed Jul 11 2001 - 14:51:41 PDT

Next message: teleh0r: "Another exploit for cfingerd <= 1.4.3-8"

Previous message: zen-parseat_private: "Happy 3 month anniversary cfingerd remote bug!"
Next in thread: ade245at_private: "McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerabilty"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Begin Hush Signed Message from ade245at_private -----

                                -=[ SECURITY ADVISORY ]=- 



                McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerabilty



Date:                        28 June 2001

Impact:                 HIGH

Affected:                 Any machine running the McAfee Agent ASaP VirusScan Software

Tested on:                NT Workstation 4.0, 2000 Professional 


Overview
--------

McAfee ASap Virusscan is a Web-based, managed and updated Anti-Virus Service 
for the Desktop Environment.  On setup agent software is installed on the 
client machine.  This software incorporates what is known as "Rumour Technology" 
that facilitates in the transfer of virus definitions between neigbouring 
machines.  This agent software runs as a service ("McAfee Agent") under 
the local system account and uses a light weight HTTP server that listens 
on port 6515.  


Description 
-----------

This web server is restricted to serve files that are located under \winnt\mycio\agent\rmrcache 
, however it is possible to break out of this by using a specially formatted 
directory traversal URL.  This means that an attacker can connect to the 
webserver and view and/or download any file that resides on the target box. 
 Due to the fact that the service is running as local system NTFS permissions 
are redundant.


Example
-------

To view the contents of WinNT/Repair enter the following URL into a web 
browser:


http:// IP Address>:6515/.../.../.../.../winnt/repair



Workaround
----------

Disable the McAfee Agent service or alternatively run it under a local user 
account and set the NTFS permissions accordingly.


Notes
-----

McAfee where notified of this issue 28-June-2001





----- Begin Hush Signature v1.3 -----
CqnHbxr849s+SIAlsEWQMkOyxzMYI0IxAT3Iu/barfSw92Cf5YKbosXkv8qdeNDKSUkS
2R69rXhvAaDngmcreEcOvFZRrGQ1EWyQdczKYceg4sphiNwhRYYqbYWYPkhJyfMP4+Be
MmfYg4runAF62i8PCzSqUgnQMAuFG3bWb4XFFwDbGIwREX7OIc6KFc3Xd7Cc3+k4VVgs
/LUxchUhlKhWUDyCKbI76dfGyXW9+ulLKyjj8LwMaiq5iq6w3pqlkF12T/b4B9B3FCOW
vLxjUlfS9H4si80WA4acwzpe+g0y6ffe7H4nQqcd6bJbQkwzjL3vQH/eNAVFvnEYQCxZ
WVS7CubjbQGHWFclZBDfSHl2QOC+u9dC+fM17T6NZnoIIEwOpe6U5eQLGw16hyJY2G/9
LlQAsYIQ5k8g6Ox5Of6lv8LLXmq4ZEqI0Gd8Bs7cy4WYttsYkyIAMyB0tGYoAIMKL0oo
7VYt05ecR7XDHOvXUAaLeKjOBYXl6a3+A73roR84lH/A
----- End Hush Signature v1.3 -----


This message has been signed with a Hush Digital Signature. 
To verify the signature, please go to www.hush.com/tools


Free, encrypted, secure Web-based email at www.hushmail.com

Next message: teleh0r: "Another exploit for cfingerd <= 1.4.3-8"
Previous message: zen-parseat_private: "Happy 3 month anniversary cfingerd remote bug!"
Next in thread: ade245at_private: "McAfee ASaP Virusscan - myCIO HTTP Server Directory Traversal Vulnerabilty"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 16:46:22 PDT