exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

McAfee Security Scanner Plus Rogue Binary Execution

McAfee Security Scanner Plus Rogue Binary Execution
Posted Apr 17, 2014
Authored by Stefan Kanthak

Poor treatment of file paths may lead to rogue binary execution in McAfee Security Scanner Plus.

tags | advisory
SHA-256 | 1f27a310e8ba534f86eb471ef915bc94b1c682806e2c9e1eb7e4cbce7b1f69a1

McAfee Security Scanner Plus Rogue Binary Execution

Change Mirror Download
Hi @ll,

the $*&#§ware by the name of "McAfee Security Scanner Plus" that Adobe dares
to push to unsuspecting users of Microsoft Windows trying to get flash player
from their main distribution page <hxxp://get.adobe.com/flashplayer/> was
developed, packaged and tested by people who obviously never heard of "long"
filenames which may contain spaces.

>From <http://msdn.microsoft.com/library/cc144175.aspx>
or <http://msdn.microsoft.com/library/cc144101.aspx>:

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.


When the unsuspecting Joe Average clicks the "Install now" button on the
above mentioned download page, but forgets to deselect the "optional offer"
McAfee Security Scanner Plus before, a file named
"install_flashplayer13x32_mssa_aaa_aih.exe"
is downloaded to directory "C:\Users\Joe Average\Downloads".

Following the instructions displayed after the download, Joe Average opens
the download directory and double clicks
"install_flashplayer13x32_mssa_aaa_aih.exe"

On recent versions of Microsoft Windows this triggers the user account
control, asking Joe Average for consent to continue with administrative
privileges.

"install_flashplayer13x32_mssa_aaa_aih.exe"
now copies itself to the TEMP directory and executes its copy with the
argument (note the missing quotes.-)
{RemoveFile:C:\Users\Joe Average\Downloads\install_flashplayer13x32_mssa_aaa_aih.exe}

The copy then downloads its payload "gtbcheck.exe", "install_flash_player.exe"
and "SecurityScan_Release.exe" into the directory
"C:\Users\Joe Average\AppData\Local\Adobe\AIH.<40_hex_digits>\"
and executes these three programs in succession.

The last, "SecurityScan_Release.exe", an NSIS installer, unpacks its payload
into directory "C:\Program Files\McAfee Security Scan\<version>\" and calls
Windows' CreateProcess() function (see above) with the UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /Service

This command line now runs the rogue program C:\Program.exe which was placed
there waiting for some dimwit of a developer to call CreateProcess() with an
unquoted command line.


Fortunately Joe Average (really: his Administrator) had a hunch and placed
<http://home.arcor.de/skanthak/download/SENTINEL.EXE> as C:\Program.exe on
his system which displayed a message box to Joe Average informing him that
some crappy software may have just run malware on his PC.

This caught the silly beginners mistake of a company that brags with

| For award-winning customer service, please visit our Web
| site that will have answers to almost all questions concerning
| our company:
| ==> http://service.mcafee.com

in automated replies to mail sent to <support@mcafee.com> but does not
provide a mailbox to report bugs or vulnerabilities.


JFTR: english versions of Windows have a "Program Files" directory for
nearly 20 years now. That should REALLY be enough time for EVERY
programmer to learn how to properly handle pathnames with spaces.


To complete the story: when Joe Average noticed what was done to him he
opened the Windows control panel and went to uninstall programs, then
selected "McAfee ..." and clicked "uninstall".

This started "C:\Program Files\McAfee Security Scan\uninstall.exe"
which unpacked its payload "Au_.exe" (see above: it's an NSIS installer)
to TEMP and called it with the argument (again note the missing quotes)
_?=C:\Program Files\McAfee Security Scan\

"Au_.exe" in turn called Windows' CreateProcess() function with the
(you guess it) UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver
which again led to execution of C:\Program.exe


regards
Stefan Kanthak
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close