McAfee VirusScan Enterprise 8.8 Security Bypass

2016-03-05T00:00:00
ID PACKETSTORM:136089
Type packetstorm
Reporter Maurizio Agazzini
Modified 2016-03-05T00:00:00

Description

Security Advisory @ Mediaservice.net Srl  
(#01, 13/04/2016) Data Security Division  
  
Title: McAfee VirusScan Enterprise security restrictions bypass  
Application: McAfee VirusScan Enterprise 8.8 and prior versions  
Platform: Microsoft Windows  
Description: A local Windows administrator is able to bypass the  
security restrictions and disable the antivirus engine  
without knowing the correct management password  
Author: Maurizio Agazzini <inode@mediaservice.net>  
Vendor Status: Fixed  
References: http://lab.mediaservice.net/advisory/2016-01-mcafee.txt  
http://lab.mediaservice.net/code/mcafee_unprotector.c  
  
1. Abstract.  
  
McAfee VirusScan Enterprise has a feature to protect the scan engine  
from local Windows administrators. A management password is needed to  
disable it, unless Windows is running in "Safe Mode".  
  
From our understanding, this feature is implemented insecurely: the  
McAfee VirusScan Console checks the password and then requests the engine  
to unlock the protected registry keys. The engine itself performs no  
check, so anyone can directly request the engine to stop without knowing  
the correct management password.  
  
2. Example Attack Session.  
  
The attack can be reproduced in different ways; here are some examples.  
  
Example 1:  
  
Open the McAfee VirusScan Console and Sysinternals Process Explorer.  
  
Under Process Explorer:  
  
- Locate the mcconsol.exe process  
- Type CTRL+L (show lower pane)  
- Search for all "HKLM\SOFTWARE\McAfee\DesktopProtection" keys  
- Close all the handles of this registry key  
  
Go back to the McAfee Console and:  
  
- Go to: Tools -> General Options  
- Select the "Password Options" tab  
- Select "No password" and apply settings  
  
Now it is possible to stop the antivirus engine.  
  
Example 2:  
  
A dedicated tool has been written that asks the engine to disable the  
password protection. After running the tool, the antivirus can be  
disabled via the VirusScan Console.  
  
Code: http://lab.mediaservice.net/code/mcafee_unprotector.c  
  
3. Affected Platforms.  
  
All McAfee VirusScan Enterprise versions prior to 8.8, and 8.8 without  
SB10151, are affected. Exploitation of this vulnerability requires that  
an attacker has local Windows administrator privileges.  
  
4. Fix.  
  
On 25 February 2016, the SB10151 hotfix was released by McAfee, which  
fixes the described vulnerability.  
  
https://kc.mcafee.com/corporate/index?page=content&id=SB10151  
  
5. Proof Of Concept.  
  
See Example Attack Session above.  
  
6. Timeline  
  
07/11/2014 - First communication sent to McAfee  
17/11/2014 - Second communication sent to McAfee  
17/11/2014 - McAfee: Request to send again vulnerability information  
18/11/2014 - Sent vulnerability information and PoC again  
11/12/2014 - McAfee: Problem confirmed  
09/03/2015 - Request for update to McAfee  
06/05/2015 - Request for update to McAfee  
06/05/2015 - McAfee: Patch release planned for Q3  
20/08/2015 - McAfee: Request for deadline delay (31/03/2016)  
25/02/2016 - McAfee: SB10151 patch has been released  
  
Copyright (c) 2014-2016 @ Mediaservice.net Srl. All rights reserved.  
  
--   
Maurizio Agazzini CISSP, CSSLP, OPST  
Senior Security Advisor  
@ Mediaservice.net Srl Tel: +39-011-32.72.100  
Via Santorelli, 15 Fax: +39-011-32.46.497  
10095 Grugliasco (TO) ITALY http://mediaservice.net/disclaimer  
  
"C programmers never die. They are just cast into void"  
  