
Cryptzone / McAfee Bypass / Code Execution
Posted Jan 11, 2013
Authored by Arne Vidstrom

SE46 from Cryptzone and Application Control from McAfee suffer from file handling issues that can allow for arbitrary binary execution.

tags | exploit, arbitrary, bypass
SHA-256 | efbcdf48625ce7bc7327f19051a636ea8f8e2c3089629f3de29c07c0d05ac2b9

Hi all,

The following vulnerabilities have not been reported at Bugtraq before, and unfortunately they seem to be largely unknown in public even though they are about a year old by now. They have both been patched by the vendors after I discovered them and reported them. It appears to be very hard (or perhaps impossible) to find anything about it at the vendors' web sites though. Therefore I cannot tell you exactly which versions are patched and which ones are not, but any version released in 2012 should be ok. Since there haven't been many vulnerabilities reported in whitelisting software yet, I thought it might be interesting for you to see these two illustrative, detailed examples:

The vulnerability in SE46 from Cryptzone:

"An EXE file starts with the letters 'MZ'. The first thing SE46 does is to look at these two bytes. If they are present it goes on to check for other things, like the PE header. If they are not present it takes a look at the extension of the file. If the extension is not BAT, CMD, COM or EXE it lets the file through for execution by Windows. How can we take advantage of this implementation? One way is if we have a file with native x86 code that does not start with the letters 'MZ' and does not have one of the four extensions. There is a kind of executable file that does not start with 'MZ' since it is completely headerless. It is the 16-bit COM file from MS-DOS. We can assemble any 16-bit COM file we wish and try to execute it. It will pass through the file header check, but it will be caught at the file extension check. All we need to do now is find an extension that Windows accepts as executable but which is not in the SE46 shortlist. PIF (Program Information File) is such an extension. Now we can run any 16-bit COM file just as long as we make sure it has a PIF extension. We can even let our executable rename a few core components of SE46 if we are running on a sufficiently privileged account. After the next reboot SE46 is no longer active on the computer and we can execute any file we wish without a single restriction."

The vulnerability in Application Control from McAfee:

"Application Control first of all checks if the file has a valid header, including the PE header, or not. If the header is not valid the file is let through to Windows for execution, presumably because it is assumed to be non-executable. This time, remember that the location of the PE header is specified at position 3Ch (hexadecimal) in an EXE file. The location is specified by a four byte long value, so that the positions 3Ch, 3Dh, 3Eh and 3Fh are used for this purpose. Now we create a file that is so small that it is missing the position 3Fh. This means that the file is really too small to be a PE-style file. Next, we set the legacy EXE header size to zero. Now it looks like the file is missing a legacy EXE header too. However, there is still the problem that the file ends with the extension EXE, so instead we change it to SCR (screensaver). If we execute such a file in Windows, without Application Control installed, it will execute despite all these problems. It will look like a legacy EXE file to Windows, and the execution will start from the very beginning of the file, with the letters 'MZ'. Fortunately these letters are in fact executable too, because when interpreted as machine code instead of as text, they mean something at least remotely comprehensible to the CPU. Next, the execution continues with the other items in the header. If we pick the right values for these we can make sure that the values are on the one hand executable, and on the other hand mean something as header values too. We also have more space following this, to the end of the file, where we can insert any code we like without worrying about what it means value-wise. Now we have a file which executes as a 16-bit legacy EXE file in Windows. If we run it in a system protected by Application Control it will execute whether it is in the whitelist database or not. Application Control finds the file invalid and simply passes it on to Windows for execution."

As I wrote in the beginning of the mail, both vulnerabilities have already been patched by the vendors.

Arne Vidström
Swedish Defence Research Agency (FOI)
http://www.foi.se/en/Our-Knowledge/Information-Security-and-Communication/Information-Security
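Both write-ups above describe the same design flaw: the whitelisting engine treats "I could not parse this as a PE" (or "the extension is not on my short list") as "not a program", and so fails open. The following added example, written for this page and not code from either vendor or from the author, reconstructs that decision logic beside a fail-closed version and runs both over constructed sample files; the extension list, function names and sample bytes are assumptions for illustration.

```python
import hashlib
import struct

# Assumption: the four-entry extension list the post attributes to SE46. The
# loader accepts more (the post names PIF and SCR), which is the whole problem.
NARROW_EXTENSIONS = {"bat", "cmd", "com", "exe"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def header_kind(data: bytes) -> str:
    """Classify the image header the way a whitelisting engine sees it."""
    if len(data) < 2 or data[:2] != b"MZ":
        return "headerless"      # e.g. a 16-bit COM image, no magic at all
    if len(data) < 0x40:
        return "mz-truncated"    # no room for e_lfanew at 0x3C..0x3F
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "mz-legacy"           # MZ stub with no PE header behind it

def fail_open_decision(data: bytes, name: str, allowed: set) -> str:
    """Reconstruction of the flawed logic in the post: only a well-formed PE
    is compared with the allow list; anything else is handed to Windows
    unless it is headerless AND carries one of the four listed extensions."""
    ext = name.rsplit(".", 1)[-1].lower()
    kind = header_kind(data)
    if kind == "pe":
        return "allow" if sha256_hex(data) in allowed else "block"
    if kind == "headerless" and ext in NARROW_EXTENSIONS:
        return "block"
    return "allow"               # unparseable header -> assumed harmless

def fail_closed_decision(data: bytes, name: str, allowed: set) -> str:
    """Hardened form: the verdict never depends on parsing succeeding or on
    the extension (name is deliberately ignored). Whatever reached the
    execution hook is about to run, so it runs only if its hash is listed."""
    return "allow" if sha256_hex(data) in allowed else "block"

# Constructed sample files (placeholder bytes, not real programs).
PE_STUB = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 16
TRUNCATED_MZ = b"MZ" + b"\0" * 30   # 32 bytes: ends before offset 0x3F
HEADERLESS = b"\0" * 16              # no MZ magic at all
EXAMPLE_ALLOW_LIST = {sha256_hex(PE_STUB)}

if __name__ == "__main__":
    for data, name in ((PE_STUB, "app.exe"), (TRUNCATED_MZ, "tiny.scr"), (HEADERLESS, "run.pif")):
        print(name, header_kind(data), fail_open_decision(data, name, EXAMPLE_ALLOW_LIST),
              fail_closed_decision(data, name, EXAMPLE_ALLOW_LIST))
```

Running it shows the truncated SCR and the headerless PIF both pass the fail-open engine while the allow-listed PE stub is the only file the fail-closed engine lets run.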