McAfee VirusScan Enterprise 8.8 Security Bypass

Type packetstorm
Reporter Maurizio Agazzini
Modified 2016-03-05T00:00:00


Security Advisory @ Srl  
(#01, 13/04/2016) Data Security Division  
Title: McAfee VirusScan Enterprise security restrictions bypass  
Application: McAfee VirusScan Enterprise 8.8 and prior versions  
Platform: Microsoft Windows  
Description: A local Windows administrator is able to bypass the  
security restrictions and disable the antivirus engine  
without knowing the correct management password  
Author: Maurizio Agazzini <>  
Vendor Status: Fixed  
1. Abstract.  
McAfee VirusScan Enterprise has a feature that protects the scan engine  
from local Windows administrators: a management password is required to  
disable it, unless Windows is running in "Safe Mode".  
From our understanding this feature is implemented insecurely. The  
McAfee VirusScan Console (mcconsol.exe) verifies the password and then  
asks the engine to unlock the protected registry keys; the engine itself  
performs no check of its own. Anyone who can reach the engine can  
therefore send the unlock request directly and stop it without knowing  
the correct management password.  
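The flaw described above is a trust-boundary error: the password check lives in the user-facing console, while the component that actually enforces the protection (the engine) accepts the unlock request unauthenticated. The following added example models that design in Python and is not McAfee's code; the message names, the PBKDF2 password hashing and the sample password are assumptions made for the illustration. It contrasts an engine that trusts the console with one that verifies the management password itself, which is the property the fix has to restore.

```python
"""Model of a client-side authorization flaw (added example, not vendor code).

Console  = the UI front end running as the local user (the VirusScan Console).
Engine   = the protected service; it is the trust boundary and must do the
           check itself.  Operation names and hashing scheme are assumptions.
"""
import hashlib
import hmac
import os

# Constructed sample secret: the management password an administrator set.
MANAGEMENT_PASSWORD = "correct horse battery staple"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumption for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VulnerableEngine:
    """Engine that honours any 'unlock_registry' request without authentication."""

    def __init__(self):
        self.registry_locked = True
        self.running = True

    def handle(self, message: dict) -> bool:
        if message["op"] == "unlock_registry":
            self.registry_locked = False      # nobody is asked for a password here
            return True
        if message["op"] == "stop":
            if self.registry_locked:
                return False                  # protection still in force
            self.running = False
            return True
        return False


class HardenedEngine(VulnerableEngine):
    """Engine that verifies the management password itself before unlocking."""

    def __init__(self, password: str):
        super().__init__()
        self._salt = os.urandom(16)
        self._pw_hash = _hash_password(password, self._salt)

    def handle(self, message: dict) -> bool:
        if message["op"] == "unlock_registry":
            candidate = _hash_password(message.get("password", ""), self._salt)
            if not hmac.compare_digest(candidate, self._pw_hash):
                return False                  # reject, whoever sent the request
            self.registry_locked = False
            return True
        return super().handle(message)


class Console:
    """UI front end: checks the password locally, then asks the engine to unlock."""

    def __init__(self, engine: VulnerableEngine, expected_password: str):
        self.engine = engine
        self._expected = expected_password

    def disable_password_protection(self, password: str) -> bool:
        if not hmac.compare_digest(password.encode(), self._expected.encode()):
            return False
        # The hardened engine re-checks the password; the vulnerable one does not.
        return self.engine.handle({"op": "unlock_registry", "password": password})


def attacker_stops_engine(engine: VulnerableEngine) -> bool:
    """A local admin talks to the engine directly and never opens the console."""
    engine.handle({"op": "unlock_registry"})   # no password supplied at all
    return engine.handle({"op": "stop"})


def legitimate_stop(engine: VulnerableEngine, password: str) -> bool:
    """The intended path: console check, engine unlock, then stop."""
    console = Console(engine, MANAGEMENT_PASSWORD)
    if not console.disable_password_protection(password):
        return False
    return engine.handle({"op": "stop"})


if __name__ == "__main__":
    print("vulnerable engine, direct request:", attacker_stops_engine(VulnerableEngine()))
    print("hardened engine, direct request:  ",
          attacker_stops_engine(HardenedEngine(MANAGEMENT_PASSWORD)))
```

Against `VulnerableEngine` the direct request succeeds and the engine stops; against `HardenedEngine` the same request is refused and only the console path with the correct password works. The check in `Console` is still useful for user feedback, but it is not a security control, because an administrator can always bypass the UI and speak to the service directly.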
2. Example Attack Session.  
The attack can be reproduced in different ways; two examples follow.  
Example 1:  
Open the McAfee VirusScan Console and Sysinternals Process Explorer  
(Process Explorer must run with administrator rights to close handles  
belonging to another process).  
Under Process Explorer:  
- Locate the mcconsol.exe process  
- Type CTRL+L (show lower pane)  
- Search for all handles to "HKLM\SOFTWARE\McAfee\DesktopProtection"  
- Close all handles to that registry key  
Go back to the McAfee Console and:  
- Go to: Tools -> General Options  
- Select the "Password Options" tab  
- Select "No password" and apply settings  
With its handles to the key closed the console no longer applies its own  
password check, and the engine accepts the unlock request without one.  
It is now possible to stop the antivirus engine.  
Example 2:  
A purpose-built tool was written that sends the engine the request to  
disable password protection directly, without going through the console.  
After running the tool you can disable it via the VirusScan  
3. Affected Platforms.  
McAfee VirusScan Enterprise 8.8 without the SB10151 hotfix, and all prior  
versions, are affected. Exploitation of this vulnerability requires that  
the attacker already has local Windows administrator privileges.  
4. Fix.  
On 25 February 2016 McAfee released the SB10151 hotfix, which fixes the  
described vulnerability.  
5. Proof Of Concept.  
See Example Attack Session above.  
6. Timeline.  
07/11/2014 - First communication sent to McAfee  
17/11/2014 - Second communication sent to McAfee  
17/11/2014 - McAfee: request to resend the vulnerability information  
18/11/2014 - Sent vulnerability information and PoC again  
11/12/2014 - McAfee: Problem confirmed  
09/03/2015 - Request for update to McAfee  
06/05/2015 - Request for update to McAfee  
06/05/2015 - McAfee: Patch release planned for Q3  
20/08/2015 - McAfee: Request for deadline delay (31/03/2016)  
25/02/2016 - McAfee: SB10151 patch has been released  
Copyright (c) 2014-2016 @ Srl. All rights reserved.  
Maurizio Agazzini CISSP, CSSLP, OPST  
Senior Security Advisor  
@ Srl Tel: +39-011-32.72.100  
Via Santorelli, 15 Fax: +39-011-32.46.497  
10095 Grugliasco (TO) ITALY  
"C programmers never die. They are just cast into void"