From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 9 May 2007 10:54:57 +0200
Subject: [NT] McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20070509075924.29A4257B2@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
McAfee Security Center IsOldAppInstalled ActiveX Buffer Overflow
Vulnerability
------------------------------------------------------------------------
SUMMARY
McAfee Security Center is "a centralized configuration GUI utilized to
control and monitor McAfee Security products such as their AntiVirus,
Firewall and AntiSpam products". Remote exploitation of a buffer overflow
in an ActiveX control distributed with McAfee Security Center could allow
for the execution of arbitrary code.
DETAILS
Vulnerable Systems:
* McAfee Virus Scan 10.0.27 running on Windows XP SP2
* McAfee Subscription manager versions 6.x prior to 6.0.0.25
* McAfee Subscription manager versions 7.x prior to 7.2.147
When McAfee Security products are installed, they register the following
ActiveX control on the system:
ProgId: McSubMgr.McSubMgr
ClassId: 9BE8D7B2-329C-442A-A4AC-ABA9D7572602
File: MCSUBMGR.DLL, (McAfee Subscription manager module 6.0.0.13)
This control is registered as safe for scripting and contains a buffer
overflow in its IsOldAppInstalled() method.
Analysis:
Exploitation of this vulnerability is trivial and allows for the execution
of arbitrary code as the currently logged in user.
In order to be successful, attackers would need to convince a victim to go
to a malicious web site. Although this attack requires some social
engineering, the level required is considered minimal.
Publicly available COM object fuzzing tools such as COMRaider can find
this vulnerability using default settings.
Note that this vulnerability is similar to "McAfee Subscription Manager
Stack Buffer Overflow" that was published by eEye Digital Security. At the
time of eEye's publishing, iDefense was aware of two additional
vulnerabilities within this control. One, located in the
GetUserRegisteredForBackend method, appears to have been fixed along with
the issue eEye reported. The other is detailed in this advisory.
Workaround:
The following workarounds are available for this vulnerability:
Disable Active Scripting
Unregister the vulnerable control
Set the killbit for the vulnerable control
While these workarounds may prevent exploitation they may also adversely
affect the operation of the McAfee product and should only be considered
as short-term workarounds.
Vendor response:
"Security Center 7.2.147 and 6.0.25 address the risk associated with this
security flaw. These updates were made available for download on March 22,
2007. Most consumers will receive the updates automatically.
Consumers who have their McAfee products configured to update
automatically should have already received the appropriate update and
therefore will not need to take further action.
Consumers who have configured their McAfee products to update manually
must run an update."
For information regarding the manual update process, refer to McAfee's
Security Bulletin at the following URL:
<http://ts.mcafeehelp.com/faq3.asp?docid=419189>;
http://ts.mcafeehelp.com/faq3.asp?docid=419189.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com.> iDefense Labs Security Advisories.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=528>;
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=528
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
