COMMAND

    VirusScan 4.03a

SYSTEMS AFFECTED

    Network Associates VirusScan 4.03a for NT, 2000

PROBLEM

    The following is based on an EBE Security Advisory by Kevin Beaumont.
    It is a Registry permissions checking issue that allows LOCAL and
    REMOTE (see below) compromise of system security by any user with
    either 'User' or 'Power User' authentication on any workstation
    which is running VirusScan.

    The 'Network Associates Task Scheduler Service', which runs as
    SYSTEM, has a feature which allows a program to be scheduled to
    run after a successful DAT update.  The program called is also
    passed full SYSTEM privileges.

    To edit the program called, you can bring up the VirusScan Console
    by right clicking on the VirusScan icon in your task bar, and
    selecting 'Console'.  Now right click on 'Automatic DAT Update'
    and select 'Properties'.  Then choose 'Advanced'.

    Attempting to set this value as a local user (either in the
    'User' or 'Power User' group) via the VirusScan console fails -
    both the tick box to enable the feature and text box used to
    enter the program name are 'greyed out'.

    However, under the default installation options of VirusScan, the
    registry key gives full control to all authenticated users.

    The registry key in question is:

        HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\Tasks\Update

    The values in question are:

        bExecAfterUpdate       = dword:00000000
        szUpdateShellScript    = ""

    There is an additional value which can be used to cause the program
    to be called even if the DAT update fails:

        bRetrieveOnly          = dword:00000000

    All users have permissions to alter the actual scheduling of the
    update itself via the VirusScan Console.

    Numerous attack methods are available.  Here are a few examples
    tested:

    1) Save the following text as a file called 'userman.reg'.  Open
       the file so the entries are entered into the registry.  Open
       the VirusScan Console, and change the schedule of the Automatic
       DAT update so it runs within the next few minutes.  Then sit
       and wait for User Manager to kick in.  Then add your login ID
       into the local administrator group...

        [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\Tasks\Update]
        "szUpdateShellScript"="c:\winnt\system32\musrmgr.exe"
        "bRetrieveOnly"=dword:00000001
        "bExecAfterUpdate"=dword:00000001
        "bSchedEnabled"=dword:00000001
        "bLogToFile"=dword:00000000

    2) Use regedt32.exe to remotely connect to other PCs in your
       organisation.  Set the above registry keys.  Select a program
       to run (eg "\\file_server_1\share\trojanhorse.exe") and then
       wait for the Automatic DAT update to kick in.  The program will
       run transparently to the user.

SOLUTION

    Use regedt32.exe to change permissions on
    HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VirusScan\Tasks and its
    subkeys.  All users should have READ access.  Administrators and
    SYSTEM should have full control.

    On a Microsoft Windows 2000 Professional test system, the authors
    found that 'Standard Users' did NOT have permissions to
    write/modify these registry keys.  However, 'Power Users' do have
    permissions to modify them.  If you work in a company that uses
    Windows 2000 and standard users are given 'Power User'
    permissions, you are affected.
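
    An audit for the condition described above, as an added example
    that is not part of the original advisory: it lists every ACE on
    the Tasks key and its subkeys that grants write-type access to
    anyone other than Administrators and SYSTEM, then shows the current
    values named in the advisory.  The SID allow-list and the write
    mask are assumptions of this example.

```powershell
# Added audit example (not from the advisory). Run on the workstation being checked.
$root = 'HKLM:\SOFTWARE\McAfee\VirusScan\Tasks'   # key named in the advisory

# Assumption: only these well-known SIDs may hold write access, per the SOLUTION text.
$trusted = 'S-1-5-32-544', 'S-1-5-18'             # BUILTIN\Administrators, SYSTEM

# Rights that allow changing values, subkeys, the ACL or the owner.
# WriteKey is deliberately not used: it includes ReadPermissions and would
# also match read-only ACEs.
$rr = [System.Security.AccessControl.RegistryRights]
$writeMask = [int]($rr::SetValue -bor $rr::CreateSubKey -bor $rr::Delete -bor
                   $rr::ChangePermissions -bor $rr::TakeOwnership) -bor
             0x10000000 -bor 0x40000000           # GENERIC_ALL, GENERIC_WRITE

if (-not (Test-Path $root)) { Write-Output "$root not present"; return }

$sidType = [System.Security.Principal.SecurityIdentifier]
$keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)

$findings = foreach ($key in $keys) {
    $acl = Get-Acl -Path $key.PSPath
    # Ask for explicit and inherited ACEs, with identities returned as SIDs
    # so the check does not depend on localized group names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.RegistryRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $key.Name
            Sid       = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No write access for principals outside the allow-list.' }

# Current state of the values the advisory names; a non-empty script path with
# bExecAfterUpdate = 1 means a program will run as SYSTEM at the next update.
$update = Get-ItemProperty -Path "$root\Update" -ErrorAction SilentlyContinue
[pscustomobject]@{
    bExecAfterUpdate    = $update.bExecAfterUpdate
    szUpdateShellScript = $update.szUpdateShellScript
    bRetrieveOnly       = $update.bRetrieveOnly
} | Format-List
```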