COMMAND

    NAV

SYSTEMS AFFECTED

    NAV

PROBLEM

    Chris  Foster  found  following.   While  testing  escalation   of
    privileges from a normal  user to admin he  found that in his  NTS
    4.0/SP6 installation with Norton Antivirus 5.02 installed this  is
    very simple.  Here are the details on how this is done:

    1. Logon as a normal user.  Try to run windisk from the run prompt
       and you should get an access denied.
    2. Browse  to  the  root  directory  for the NAV installation  and
       rename  navlu32.exe  to  navlu32.old.   Create navlu32.exe that
       executes the command:

        net localgroup administrators {name of account to escalate} /ADD

    3. Open the Norton Program Scheduler by executing nschednt.exe  in
       the installation directory.  Since normal users are  restricted
       as to what they can  run.  (Display Message, Scan  for Viruses,
       Run LiveUpdate) Just schedule a LiveUpdate for a couple of mins
       ahead.   When  your  scheduled  job  runs  it will execute your
       navlu32.exe.  Log back on and you now have admin privs and  can
       execute windisk or whatever you like for that matter.

    This works due to the Norton Program Scheduler running with system
    privs  and  a  normal  user  being  able  to  write  to the Norton
    installation directory.

    Exactly  the  same  problem   exists  with  netshield  4.0.3   and
    VirusscanNT  4.0.3  from  Networkassociates  (tested  on NT4 SP5).
    Just replace  scan32.exe with  e.g. cmd.exe  schedule a  scan some
    minutes in  the future  and you'll  get a  shell running with more
    privileges you had.

SOLUTION

    Hmm... Interesting,  but needs  an idiot  admin to  exploit.  This
    requires you have  write access to  the NAV installation.   Only a
    very  stupid  admin  would  allow  that  to  happen.   The program
    scheduler  has  a  good  argument  for needing system privs (like,
    updating system file, such as the NAV installation).

    Solutions?
    1) Don't let users have write access to /Program Files (or the NAV
       installation, wherever it is)
    2) Install trusted binaries in a different location (/WINNT  isn't
       an option, if you want certification from MS).