[16153] in bugtraq


Re: Escalation of privileges

daemon@ATHENA.MIT.EDU (Nicolas Rachinsky)
Wed Aug 9 16:30:18 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <00fc01c00171$9bb2c350$b3ab603e@gottt>
Date:         Tue, 8 Aug 2000 21:44:42 +0200
Reply-To: Nicolas Rachinsky <rnicolas@GMX.NET>
From: Nicolas Rachinsky <rnicolas@GMX.NET>
X-To:         frostman@carolina.rr.com
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Exactly the same problem exists with NetShield 4.0.3 and VirusScan NT 4.0.3 from Network Associates.
Tested on NT4 SP5.
Just replace scan32.exe with e.g. cmd.exe, schedule a scan some minutes in the future, and you'll get a shell running with more privileges than you had. I don't know yet if the shell is running in the system account or the account for the background scanner, because we run it in the system account. I think the latter.
Nicolas
System Administrator
----- Original Message ----- 
From: Chris Foster <frostman@CAROLINA.RR.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, August 07, 2000 6:07 PM
Subject: Escalation of privileges


> While testing escalation of privileges from a normal user to admin I found
> that in my NTS 4.0/SP6 installation with Norton Antivirus 5.02 installed
> this is very simple. Here are the details on how this is done:
> 
> 1. Logon as a normal user. Try to run windisk from the run prompt and you
> should get an access denied.
> 
> 2. Browse to the root directory for the NAV installation and rename
> navlu32.exe to navlu32.old. Create navlu32.exe that executes the command:
> 
> net localgroup administrators {name of account to escalate} /ADD
> 
> 3. Open the Norton Program Scheduler by executing nschednt.exe in the
> installation directory. Normal users are restricted as to what they
> can run (Display Message, Scan for Viruses, Run LiveUpdate), so just schedule
> a LiveUpdate for a couple of minutes ahead. When your scheduled job runs it
> will execute your navlu32.exe. Log back on and you now have admin privs and
> can execute windisk or whatever you like for that matter.
> 
> This works due to the Norton Program Scheduler running with system privs and
> a normal user being able to write to the Norton installation directory.
> 
> Frostman
> 
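Both posts describe the same condition: a binary that a SYSTEM-level scheduler or service will launch sits in a directory ordinary users can write to, so the binary can be renamed and replaced. The script below is an added example, not code from either post or from the vendors discussed; it is written for a current Windows host rather than NT4, and the list of "low-privileged" principals it checks against is an assumption (extend it for your domain groups). It enumerates services that run as SYSTEM, resolves each image path (including the unquoted-path case), and reports any executable or parent directory that grants write, delete or permission-change rights to those principals, which is exactly what the navlu32.exe and scan32.exe swaps relied on.

```powershell
# Added audit example (not from the Bugtraq posts). Requires PowerShell 3+ and
# read access to the service image paths' ACLs.

# Assumption: these are the principals a "normal user" is a member of.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user replace the binary (create/rename/delete) or
# rewrite the ACL so that they can. Modify and FullControl contain these bits.
$DangerousRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$GenericWrite = 0x40000000   # GENERIC_WRITE, shows up as a raw number in some ACEs
$GenericAll   = 0x10000000   # GENERIC_ALL

function Get-ServiceImagePath {
    param([string]$PathName)
    # Quoted path: the executable is what is inside the quotes.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted path: grow the candidate token by token until a file exists,
    # so "C:\Program Files\Vendor\svc.exe -k" resolves to the real binary.
    $tokens = $PathName -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Test-WritableByLowPriv {
    param([string]$Path)
    # Returns the Allow ACEs that hand a low-privileged principal a dangerous right.
    # Caveat: a matching Deny ACE elsewhere in the DACL would win, and nested
    # group membership is not resolved; treat hits as leads to verify, not proof.
    $acl = Get-Acl -LiteralPath $Path
    $hits = @()
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $raw = [int]$ace.FileSystemRights
        $specific = ($raw -band [int]$DangerousRights) -ne 0
        $generic  = ($raw -band ($GenericWrite -bor $GenericAll)) -ne 0
        if ($specific -or $generic) {
            $hits += "$($ace.IdentityReference.Value): $($ace.FileSystemRights)"
        }
    }
    return $hits
}

$findings = foreach ($svc in Get-CimInstance Win32_Service) {
    # Only services that run as SYSTEM matter for this escalation.
    if ($svc.StartName -notin @('LocalSystem', 'NT AUTHORITY\SYSTEM')) { continue }
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceImagePath $svc.PathName
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { continue }
    # Check the binary itself and the directory it lives in: either one being
    # writable is enough to rename the original and drop a replacement.
    foreach ($target in @($exe, (Split-Path -Parent $exe))) {
        $hits = Test-WritableByLowPriv -Path $target
        if ($hits) {
            [pscustomobject]@{
                Service    = $svc.Name
                Account    = $svc.StartName
                Path       = $target
                WritableBy = ($hits -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Anything this lists is the Norton/NetShield situation again, whatever the product. The fix is the one the original post implies: the install directory must not be writable by Users. On a current system that is, for example, `icacls "C:\Program Files\Vendor" /inheritance:r /grant:r "BUILTIN\Administrators:(OI)(CI)F" "NT AUTHORITY\SYSTEM:(OI)(CI)F" "BUILTIN\Users:(OI)(CI)RX"` (NT4 only had cacls), and the scheduler should never run user-launchable jobs as SYSTEM when a dedicated low-privilege account will do.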
