[NT] McAfee Subscription Manager Stack Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



McAfee Subscription Manager Stack Buffer Overflow
------------------------------------------------------------------------


SUMMARY

eEye Digital Security has discovered a vulnerability in McAfee Security
Center, which ships with all McAfee consumer products. A stack buffer
overflow in the Subscription Manager ActiveX control allows remote code
execution: an attacker who lures a user to a malicious web page can take
complete control of that user's computer.

DETAILS

Vulnerable Systems:
* McAfee AntiSpyware 1.x, 2.x
* McAfee Internet Security Suite 6.x, 7.x, 8.x
* McAfee Personal Firewall Plus 5.x, 6.x, 7.x
* McAfee Privacy Service 6.x, 7.x, 8.x
* McAfee QuickClean 4.x, 5.x, 6.x
* McAfee SpamKiller 5.x, 6.x, 7.x
* McAfee VirusScan 8.x, 9.x, 10.x
* McAfee Wireless Home Network Security 1.x

A stack buffer overflow exists in McAfee's Subscription Manager ActiveX
control (McSubMgr.dll), which ships with all Home and Home Business
products. The module manages a product's subscription: it checks that the
software has not exceeded its subscription period and performs related
maintenance checks (expirations, outdated applications, and so on).
Unfortunately McSubMgr.dll is marked safe for scripting, so a web page can
instantiate the control by its CLSID and call its methods with
attacker-chosen arguments. Several of those methods forward their string
argument to an internal routine that formats it with vsprintf into a fixed
3000-byte stack buffer; a string longer than that overruns the buffer and
corrupts the stack.

text:02B0B27F var_BB8 = byte ptr -0BB8h <-- 3000 bytes
text:02B0B27F arg_0 = dword ptr 8
text:02B0B27F arg_4 = byte ptr 0Ch
text:02B0B27F
text:02B0B27F push ebp
text:02B0B280 mov ebp, esp
text:02B0B282 sub esp, 0BB8h
text:02B0B288 lea eax, [ebp+arg_4]
text:02B0B28B push eax ; va_list
text:02B0B28C push [ebp+arg_0] ; char *
text:02B0B28F lea eax, [ebp+var_BB8]
text:02B0B295 push eax ; char *
text:02B0B296 mov [ebp+var_BB8], 0
text:02B0B29D call _vsprintf <-- Exploitable vsprintf
text:02B0B2A2 add esp, 0Ch
text:02B0B2A5 leave
text:02B0B2A6 retn
text:02B0B2A6 sub_2B0B27F endp

vsprintf performs no bounds checking, so when the formatted output exceeds
the 3000-byte buffer it overwrites the saved frame pointer and return
address, and the attacker can execute arbitrary code. To exploit this over
the Internet, an attacker creates a web page whose script instantiates the
ActiveX object and calls one of the affected methods with an oversized
string, which is then handed to the vulnerable vsprintf.

<object classid='clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602'
id='Red'></object>
<script language='VBScript'>
GK = String(165001, "a")
Red.IsAppExpired GK
</script>

The snippet above passes a string of 165001 'a' characters to the
IsAppExpired method; that string reaches the vsprintf call and overruns the
3000-byte stack buffer by a wide margin.
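The vulnerable pattern from the listing beside a hardened form, as an added
example in C that is not part of the eEye advisory or of McAfee's code. It
assumes the 3000-byte buffer size read from "sub esp, 0BB8h"; the "app=%s"
format string, the is_app_expired_check entry point and the demo_check_length
driver are hypothetical stand-ins, since the advisory does not show the real
control's format string or calling convention.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local buffer size in the listing: "sub esp, 0BB8h" = 0xBB8 = 3000 bytes. */
#define SUBMGR_BUF 3000

/*
 * Rendering of sub_2B0B27F in C: the caller's format string and arguments
 * are formatted into a fixed 3000-byte stack buffer with vsprintf, which is
 * never told how big that buffer is. Any output longer than 2999 characters
 * runs past 'buf' into the saved EBP and return address. Returns the length
 * written; kept only to show the pattern, so never pass it untrusted input.
 */
static size_t format_unsafe(const char *fmt, ...)
{
    char buf[SUBMGR_BUF];
    va_list ap;

    va_start(ap, fmt);
    buf[0] = '\0';            /* the listing's "mov [ebp+var_BB8], 0" */
    vsprintf(buf, fmt, ap);   /* unbounded write: this is the bug */
    va_end(ap);
    return strlen(buf);
}

/*
 * Hardened replacement. vsnprintf receives the buffer size, always writes a
 * terminating NUL (C99 semantics) and returns the length the complete output
 * would have had, so a result >= bufsz means the value did not fit. That is
 * reported as -1 with the buffer cleared, rather than silently truncating.
 * Caveat for the Windows build this advisory concerns: the legacy MSVC
 * _vsnprintf returns -1 on overflow and does not NUL-terminate; use
 * _vsnprintf_s there or terminate buf[bufsz - 1] explicitly.
 */
static int format_safe(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (bufsz == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, bufsz, fmt, ap);
    va_end(ap);

    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        return -1;
    }
    return n;
}

/*
 * Hypothetical stand-in for what an entry point such as IsAppExpired should
 * do with the string it receives from script: bound it before a formatter
 * ever sees it. Returns 1 if the value fit and was formatted into 'msg',
 * 0 if it was rejected. The "app=%s" format is an assumption.
 */
static int is_app_expired_check(const char *app_name, char *msg, size_t msgsz)
{
    return format_safe(msg, msgsz, "app=%s", app_name) >= 0;
}

/*
 * Drive the hardened path with a constructed payload of n 'a' characters,
 * the shape of the advisory's String(165001, "a"). Returns the value of
 * is_app_expired_check, so 0 means the oversized input was rejected.
 */
static int demo_check_length(size_t n)
{
    char msg[SUBMGR_BUF];
    char *payload = malloc(n + 1);
    int ok;

    if (payload == NULL)
        return -1;
    memset(payload, 'a', n);
    payload[n] = '\0';
    ok = is_app_expired_check(payload, msg, sizeof msg);
    free(payload);
    return ok;
}

int main(void)
{
    printf("100 'a' accepted:      %d\n", demo_check_length(100));
    printf("2995 'a' accepted:     %d\n", demo_check_length(2995)); /* "app=" + 2995 = 2999 chars, fits with NUL */
    printf("2996 'a' rejected:     %d\n", demo_check_length(2996)); /* 3000 chars + NUL does not fit */
    printf("165001 'a' rejected:   %d\n", demo_check_length(165001));
    printf("unsafe path, short arg: %zu chars\n", format_unsafe("app=%s", "VirusScan"));
    return 0;
}
```

The boundary cases in main show the off-by-one that matters here: a 3000-byte
buffer holds 2999 characters plus the terminator, so the hardened path must
reject output whose length is 3000 or more, not only the 165001-byte payload
from the advisory.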

Vendor Status:
McAfee has released patches for the affected products. The McAfee Security
Bulletin is available here:
http://ts.mcafeehelp.com/faq3.asp?docid=407052


ADDITIONAL INFORMATION

The information has been provided by eEye Advisories.
The original article can be found at:
http://www.eeye.com/html/research/advisories/AD2006807.html



========================================



DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


