
[NT] McAfee Subscription Manager Stack Buffer Overflow

Subject: [NT] McAfee Subscription Manager Stack Buffer Overflow
Date: 8 Aug 2006 13:12:12 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  McAfee Subscription Manager Stack Buffer Overflow
------------------------------------------------------------------------


SUMMARY

eEye Digital Security has discovered a vulnerability in McAfee Security 
Center that ships with all McAfee consumer products. There is a remote 
code execution vulnerability that allows an attacker to take complete 
control of a remote computer by exploiting a vulnerability found in the 
Subscription Manager ActiveX control.

DETAILS

Vulnerable Systems:
 * McAfee AntiSpyware 1.x, 2.x
 * McAfee Internet Security Suite 6.x, 7.x, 8.x
 * McAfee Personal Firewall Plus 5.x, 6.x, 7.x
 * McAfee Privacy Service 6.x, 7.x, 8.x
 * McAfee QuickClean 4.x, 5.x, 6.x
 * McAfee SpamKiller 5.x, 6.x, 7.x
 * McAfee VirusScan 8.x, 9.x, 10.x
 * McAfee Wireless Home Network Security 1.x

A stack buffer overflow vulnerability exists in McAfee's Subscription 
Manager ActiveX control, which is shipped with all Home and Home Business 
products. McSubMgr.dll is a manager module used to control 
subscriptions of a particular product to ensure that the software has not 
exceeded its subscription time, as well as various maintenance checks (i.e. 
Expirations, Old Applications, etc.). Unfortunately, McSubMgr.dll is marked 
safe for scripting, so we are able to call various members of the DLL 
from a web page by referencing its CLSID and passing arguments to 
these members. The vulnerability occurs when we pass a string of over 3000 
bytes to various members, which then pass it on to a vulnerable 
vsprintf, causing a stack overflow to occur.

text:02B0B27F var_BB8 = byte ptr -0BB8h <-- 3000 bytes
text:02B0B27F arg_0 = dword ptr 8
text:02B0B27F arg_4 = byte ptr 0Ch
text:02B0B27F
text:02B0B27F push ebp
text:02B0B280 mov ebp, esp
text:02B0B282 sub esp, 0BB8h
text:02B0B288 lea eax, [ebp+arg_4]
text:02B0B28B push eax ; va_list
text:02B0B28C push [ebp+arg_0] ; char *
text:02B0B28F lea eax, [ebp+var_BB8]
text:02B0B295 push eax ; char *
text:02B0B296 mov [ebp+var_BB8], 0
text:02B0B29D call _vsprintf <-- Exploitable vsprintf
text:02B0B2A2 add esp, 0Ch
text:02B0B2A5 leave
text:02B0B2A6 retn
text:02B0B2A6 sub_2B0B27F endp

Since there is literally no bounds checking on the vsprintf call, when a 
string exceeding 3000 bytes is passed to the 3000-byte buffer an overflow 
occurs, and we are able to execute arbitrary code. To exploit this 
vulnerability over the Internet we must first create a web page with some 
scripting to create the ActiveX object and call one of the affected 
methods so that we may pass data along to overflow the vulnerable 
vsprintf.

<object classid='clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602' 
id='Red'></object>
"GK=String(165001, "a") "
"Red.IsAppExpired GK"

The above example is a code snippet that will send 165001 a's to the 
IsAppExpired ActiveX member, thereby completely overflowing the stack.
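
The bounds problem described above, as an added C example (not code from the advisory or from McAfee): the first function has the shape of the listed wrapper, the second is a bounded replacement that rejects oversized output instead of writing past the buffer. The function names, the "%s" format and the input lengths are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 3000 /* 0BB8h: size of var_BB8 in the listing above */

/* C shape of the listed wrapper, kept for contrast and never called:
 * vsprintf() takes no size, so long output overruns buf on the stack. */
void format_unbounded(const char *fmt, ...)
{
    char buf[BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap);
    va_end(ap);
}

/* Bounded form: returns 0 on success, -1 if the output would not fit. */
int format_bounded(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (out == NULL || out_size == 0) return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0'; /* reject instead of using truncated data */
        return -1;
    }
    return 0;
}

/* Hypothetical caller: formats a constructed script argument of arg_len
 * bytes with an assumed "%s" format into a 3000-byte stack buffer. */
int handle_script_argument(size_t arg_len)
{
    char buf[BUF_SIZE];
    char *arg = malloc(arg_len + 1);
    int rc;
    if (arg == NULL) return -1;
    memset(arg, 'a', arg_len);
    arg[arg_len] = '\0';
    rc = format_bounded(buf, sizeof buf, "%s", arg);
    free(arg);
    return rc;
}

int main(void) { return handle_script_argument(165001) == -1 ? 0 : 1; }
```

The largest argument that fits is 2999 bytes, because the terminating NUL needs the last byte of the 3000-byte buffer.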

Vendor Status:
McAfee has released patches for the affected products. The McAfee Security 
Bulletin is available here:  
http://ts.mcafeehelp.com/faq3.asp?docid=407052


ADDITIONAL INFORMATION

The information has been provided by eEye Advisories.
The original article can be found at:  
http://www.eeye.com/html/research/advisories/AD2006807.html


