Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vu

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability
Date: 9 May 2007 10:54:57 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow 
Vulnerability
------------------------------------------------------------------------


SUMMARY

McAfee Security Center is "a centralized configuration GUI utilized to 
control and monitor McAfee Security products such as their AntiVirus, 
Firewall and AntiSpam products". Remote exploitation of a buffer overflow 
in an ActiveX control distributed with McAfee Security Center could allow 
for the execution of arbitrary code.

DETAILS

Vulnerable Systems:
 * McAfee Virus Scan 10.0.27 running on Windows XP SP2
 * McAfee Subscription manager versions 6.x prior to 6.0.0.25
 * McAfee Subscription manager versions 7.x prior to 7.2.147

When McAfee Security products are installed, they register the following 
ActiveX control on the system:
  ProgId: McSubMgr.McSubMgr
  ClassId: 9BE8D7B2-329C-442A-A4AC-ABA9D7572602
  File: MCSUBMGR.DLL, (McAfee Subscription manager module 6.0.0.13)

This control is registered as safe for scripting and contains a buffer 
overflow in its IsOldAppInstalled() method.

Analysis:
Exploitation of this vulnerability is trivial and allows for the execution 
of arbitrary code as the currently logged in user.

In order to be successful, attackers would need to convince a victim to go 
to a malicious web site. Although this attack requires some social 
engineering, the level required is considered minimal.

Publicly available COM object fuzzing tools such as COMRaider can find 
this vulnerability using default settings.

Note that this vulnerability is similar to "McAfee Subscription Manager 
Stack Buffer Overflow" that was published by eEye Digital Security. At the 
time of eEye's publishing, iDefense was aware of two additional 
vulnerabilities within this control. One, located in the 
GetUserRegisteredForBackend method, appears to have been fixed along with 
the issue eEye reported. The other is detailed in this advisory.

Workaround:
The following workarounds are available for this vulnerability:

  Disable Active Scripting
  Unregister the vulnerable control
  Set the killbit for the vulnerable control

While these workarounds may prevent exploitation they may also adversely 
affect the operation of the McAfee product and should only be considered 
as short-term workarounds.

Vendor response:
"Security Center 7.2.147 and 6.0.25 address the risk associated with this 
security flaw. These updates were made available for download on March 22, 
2007. Most consumers will receive the updates automatically.

Consumers who have their McAfee products configured to update 
automatically should have already received the appropriate update and 
therefore will not need to take further action.

Consumers who have configured their McAfee products to update manually 
must run an update."

For information regarding the manual update process, refer to McAfee's 
Security Bulletin at the following URL:  
<http://ts.mcafeehelp.com/faq3.asp?docid=419189> 
http://ts.mcafeehelp.com/faq3.asp?docid=419189.


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@idefense.com> iDefense Labs Security Advisories.
The original article can be found at:  
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=528> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=528



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability, SecuriTeam <=
Previous by Date:  [NT] Microsoft Word RTF File Parsing Heap Corruption Vulnerability, SecuriTeam
Next by Date:  [NT] Microsoft Exchange Server 2000 IMAP Literal Processing DoS Vulnerability, SecuriTeam
Previous by Thread:  [NT] Microsoft Word RTF File Parsing Heap Corruption Vulnerability, SecuriTeam
Next by Thread:  [NT] Microsoft Exchange Server 2000 IMAP Literal Processing DoS Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]