Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] [EEYEB-20060719] McAfee Subscription Manager Stack Buf

from [eEye Advisories] Network Security [Permanent Link]
Subject: [Full-disclosure] [EEYEB-20060719] McAfee Subscription Manager Stack Buffer Overflow
Date: Mon, 7 Aug 2006 15:09:36 -0700 
McAfee Subscription Manager Stack Buffer Overflow

Release Date:
August 7, 2006

Date Reported:
July 19, 2006

Patch Development Time (In Days):
17 Days     

Severity:
High (Remote Code Execution)

Vendor:
McAfee

Systems Affected:
McAfee AntiSpyware 1.x, 2.x
McAfee Internet Security Suite 6.x, 7.x, 8.x 
McAfee Personal Firewall Plus 5.x, 6.x, 7.x 
McAfee Privacy Service 6.x, 7.x, 8.x 
McAfee QuickClean 4.x, 5.x, 6.x 
McAfee SpamKiller 5.x, 6.x, 7.x 
McAfee VirusScan 8.x, 9.x, 10.x 
McAfee Wireless Home Network Security 1.x 

Overview:
eEye Digital Security has discovered a vulnerability in McAfee Security
Center that ships with all McAfee consumer products.  There is a remote
code execution vulnerability that allows an attacker to take complete
control of a remote computer by exploiting a vulnerability found in the
Subscription Manager ActiveX control.  

Technical Details:
A stack buffer overflow vulnerability exists in McAfee's Subscription
Manager ActiveX control which is shipped with all Home and Home Business
products.  The McSubMgr.dll is a manager module used to control
subscriptions of a particular product to ensure that the software has
not exceeded its subscription time as well as various maintenance checks
(i.e. Expirations, Old Applications, etc.).  Unfortunately McSubMgr.dll
is set as safe for scripting, so we are able to call various members
from within the .dll from a webpage by referencing its CLSID and passing
arguments to these members.  The vulnerability occurs when we pass a
string of over 3000 bytes using various members which are then passed on
to a vulnerable vsprintf, causing a stack overflow to occur.

.text:02B0B27F var_BB8         = byte ptr -0BB8h  <--  3000 bytes
.text:02B0B27F arg_0           = dword ptr  8
.text:02B0B27F arg_4           = byte ptr  0Ch
.text:02B0B27F
.text:02B0B27F                 push    ebp
.text:02B0B280                 mov     ebp, esp
.text:02B0B282                 sub     esp, 0BB8h
.text:02B0B288                 lea     eax, [ebp+arg_4]
.text:02B0B28B                 push    eax             ; va_list
.text:02B0B28C                 push    [ebp+arg_0]     ; char *
.text:02B0B28F                 lea     eax, [ebp+var_BB8]  
.text:02B0B295                 push    eax             ; char *
.text:02B0B296                 mov     [ebp+var_BB8], 0
.text:02B0B29D                 call    _vsprintf    <-- Exploitable
vsprintf
.text:02B0B2A2                 add     esp, 0Ch
.text:02B0B2A5                 leave
.text:02B0B2A6                 retn
.text:02B0B2A6 sub_2B0B27F     endp

Since there are literally no bounds checking on the vsprintf when a
string exceeding 3000 bytes of data is passed to a 3000 byte buffer, an
overflow occurs, and we are able to execute arbitrary code.  To exploit
this vulnerability over the internet we must first create a web page
with some scripting to create the ActiveX object and call one of the
affected methods so that we may pass data along to overflow the
vulnerable vsprintf.

<object classid='clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602' id='Red'

</object> 

GK=String(165001, "a") 
Red.IsAppExpired GK

The above example is a code snip that will send 165001 a's to the
IsAppExpired ActiveX member therefore completely overflowing the stack.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability. 
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.

Vendor Status:
McAfee has released patches for the affected products.  The McAfee
Security Bulletin is available here;
http://ts.mcafeehelp.com/faq3.asp?docid=407052

Credit:
Karl Lynn

Related Links:
Retina Network Security Scanner -
http://www.eeye.com/html/products/retina
Blink Endpoint Vulnerability Prevention -
http://www.eeye.com/html/products/blink

Greetings:
Derek, Barnaby, Dre, Hugo, CSam, Barbara Parker, HD Moore, Mark Dowd,
and GK for the intelligent conversation at the Shadow Bar.. See Ya Next
Tuesday ;)

Copyright (c) 1998-2006 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] [EEYEB-20060719] McAfee Subscription Manager Stack Buffer Overflow, eEye Advisories <=
Next by Date:  [Full-disclosure] Latinchat Denial Of Service, Vicente Perez
Next by Thread:  [Full-disclosure] Latinchat Denial Of Service, Vicente Perez
Indexes:  [Date] [Thread] [Top] [All Lists]