COMMAND
NAV
SYSTEMS AFFECTED
NAV
PROBLEM
Chris Foster found the following. While testing escalation of
privileges from a normal user to admin, he found that on his NTS
4.0/SP6 installation with Norton Antivirus 5.02 installed this is
very simple. Here are the details on how this is done:
1. Logon as a normal user. Try to run windisk from the run prompt
and you should get an access denied.
2. Browse to the root directory for the NAV installation and
rename navlu32.exe to navlu32.old. Create navlu32.exe that
executes the command:
net localgroup administrators {name of account to escalate} /ADD
3. Open the Norton Program Scheduler by executing nschednt.exe in
the installation directory. Since normal users are restricted
as to what they can run (Display Message, Scan for Viruses,
Run LiveUpdate), just schedule a LiveUpdate for a couple of mins
ahead. When your scheduled job runs it will execute your
navlu32.exe. Log back on and you now have admin privs and can
execute windisk or whatever you like, for that matter.
This works due to the Norton Program Scheduler running with system
privs and a normal user being able to write to the Norton
installation directory.
Exactly the same problem exists with netshield 4.0.3 and
VirusscanNT 4.0.3 from Networkassociates (tested on NT4 SP5).
Just replace scan32.exe with e.g. cmd.exe, schedule a scan some
minutes in the future and you'll get a shell running with more
privileges than you had.
SOLUTION
Hmm... Interesting, but it needs an idiot admin to exploit. This
requires that you have write access to the NAV installation. Only a
very stupid admin would allow that to happen. The program
scheduler has a good argument for needing system privs (like
updating system files, such as the NAV installation).
Solutions?
1) Don't let users have write access to /Program Files (or the NAV
installation, wherever it is)
2) Install trusted binaries in a different location (/WINNT isn't
an option, if you want certification from MS).