McAfee Subscription Manager Stack Buffer Overflow Release Date: August 7, 2006 Date Reported: July 19, 2006 Patch Development Time (In Days): 17 Days Severity: High (Remote Code Execution) Vendor: McAfee Systems Affected: McAfee AntiSpyware 1.x, 2.x McAfee Internet Security Suite 6.x, 7.x, 8.x McAfee Personal Firewall Plus 5.x, 6.x, 7.x McAfee Privacy Service 6.x, 7.x, 8.x McAfee QuickClean 4.x, 5.x, 6.x McAfee SpamKiller 5.x, 6.x, 7.x McAfee VirusScan 8.x, 9.x, 10.x McAfee Wireless Home Network Security 1.x Overview: eEye Digital Security has discovered a vulnerability in McAfee Security Center that ships with all McAfee consumer products. There is a remote code execution vulnerability that allows an attacker to take complete control of a remote computer by exploiting a vulnerability found in the Subscription Manager ActiveX control. Technical Details: A stack buffer overflow vulnerability exists in McAfee's Subscription Manager ActiveX control which is shipped with all Home and Home Business products. The McSubMgr.dll is a manager module used to control subscriptions of a particular product to ensure that the software has not exceeded its subscription time as well as various maintenance checks (i.e. Expirations, Old Applications, etc.). Unfortunately McSubMgr.dll is set as safe for scripting, so we are able to call various members from within the .dll from a webpage by referencing its CLSID and passing arguments to these members. The vulnerability occurs when we pass a string of over 3000 bytes using various members which are then passed on to a vulnerable vsprintf, causing a stack overflow to occur. .text:02B0B27F var_BB8 = byte ptr -0BB8h <-- 3000 bytes .text:02B0B27F arg_0 = dword ptr 8 .text:02B0B27F arg_4 = byte ptr 0Ch .text:02B0B27F .text:02B0B27F push ebp .text:02B0B280 mov ebp, esp .text:02B0B282 sub esp, 0BB8h .text:02B0B288 lea eax, [ebp+arg_4] .text:02B0B28B push eax ; va_list .text:02B0B28C push [ebp+arg_0] ; char * .text:02B0B28F lea eax, [ebp+var_BB8] .text:02B0B295 push eax ; char * .text:02B0B296 mov [ebp+var_BB8], 0 .text:02B0B29D call _vsprintf <-- Exploitable vsprintf .text:02B0B2A2 add esp, 0Ch .text:02B0B2A5 leave .text:02B0B2A6 retn .text:02B0B2A6 sub_2B0B27F endp Since there are literally no bounds checking on the vsprintf when a string exceeding 3000 bytes of data is passed to a 3000 byte buffer, an overflow occurs, and we are able to execute arbitrary code. To exploit this vulnerability over the internet we must first create a web page with some scripting to create the ActiveX object and call one of the affected methods so that we may pass data along to overflow the vulnerable vsprintf. <object classid='clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602' id='Red' ></object> GK=String(165001, "a") Red.IsAppExpired GK The above example is a code snip that will send 165001 a's to the IsAppExpired ActiveX member therefore completely overflowing the stack. Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Blink Endpoint Vulnerability Prevention preemptively protects from this vulnerability. Vendor Status: McAfee has released patches for the affected products. The McAfee Security Bulletin is available here; http://ts.mcafeehelp.com/faq3.asp?docid=407052 Credit: Karl Lynn Related Links: Retina Network Security Scanner - http://www.eeye.com/html/products/retina Blink Endpoint Vulnerability Prevention - http://www.eeye.com/html/products/blink Greetings: Derek, Barnaby, Dre, Hugo, CSam, Barbara Parker, HD Moore, Mark Dowd, and GK for the intelligent conversation at the Shadow Bar.. See Ya Next Tuesday ;) Copyright (c) 1998-2006 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@private for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
This archive was generated by hypermail 2.1.3 : Wed Aug 09 2006 - 17:14:00 PDT