-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20150728-0 >
=======================================================================
              title: McAfee Application Control Multiple Vulnerabilities
            product: McAfee Application Control
 vulnerable version: verified in version 6.1.3.353
      fixed version: a fixed version is currently not available
             impact: high
           homepage: www.mcafee.com/us/products/application-control.aspx
              found: 28.04.2015
                 by: R. Freingruber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
- -------------------
"McAfee Application Control software provides an effective way to block
unauthorized applications and code on servers, corporate desktops, and
fixed-function devices. This centrally managed whitelisting solution
uses a dynamic trust model and innovative security features that thwart
advanced persistent threats — without requiring signature updates or
labor-intensive list management."

Source: http://www.mcafee.com/us/products/application-control.aspx


Business recommendation:
- ------------------------
By combining the vulnerabilities documented in this advisory an attacker
can completely bypass the mitigations provided by McAfee Application
Control. This especially includes the application whitelisting as well as
the read and write protections. Moreover, an attacker can attack the
availability of the system.

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
- -----------------------------------
1) Injected library bypasses protections of the operating system
To add memory corruption protections (mp, mp-casp, mp-vasr,
mp-vasr-forced-relocation) McAfee Application Control injects it's own
library scinject.dll into all running processes. The library allocates a
write- and executable location which can be used to bypass the mitigation
technique Data Execution Protection (DEP) of the underlying operating
system. Moreover, it can also be used to bypass the mitigation technique
mp-casp from McAfee Application Control. This increases the possibility
to successfully exploit a memory corruption vulnerability. Since memory
corruption vulnerabilities can be used to compromise a system and to bypass
the application whitelisting protection it is very important to not decrease
the security of protections provided by the operating system.


2) Software shipped with an application from 1999 which includes publicly known
vulnerabilities
McAfee Application Control installs per default a ZIP application from 1999.
The ZIP application contains publicly known vulnerabilities including a buffer
overflow. An attacker can exploit the buffer overflow vulnerability to bypass
application whitelisting. However, a public exploit is not available and
exploitation of the vulnerability is considered not trivial.


3) Multiple kernel driver vulnerabilities
An attacker can send manipulated IOCTL requests to the kernel which lead to a
system crash. These vulnerabilities can be used to affect the availability of
the system. It is expected that these vulnerabilities can also be used to
escalate privileges to kernel level.


4) Insufficient application whitelisting protection
The main feature of McAfee Application Control is application whitelisting.
SEC Consult Vulnerability Lab discovered multiple ways to bypass this protection.


5) Insufficient file system read-/write-protection
Because of the design of McAfee Application Control write protection is mandatory
to ensure the security of application whitelisting. SEC Consult managed to bypass
the write protection to overwrite whitelisted applications to achieve full code
execution. Moreover, read protection was bypassed to dump the contents of
McAfee's password file. By bypassing write protection it's also possible to
delete the password file to interact with McAfee Application Control without
requiring a password. This can be used to completely disable McAfee Application
Control.


Proof of concept:
- -----------------
Since no fix is available for any of the described vulnerabilities, the
proof of concept section was completely removed from the advisory.


Vulnerable / tested versions:
- -----------------------------
The version 6.1.3.353 was found to be vulnerable.
This was the latest version at the time of discovery.


Vendor contact timeline:
- ------------------------
2015-06-03: Contacting vendor through security-alerts@mcafee.com
      Sending PGP encrypted whitepaper to vendor.
      Informed McAfee about the latest possible release date: 2015-07-24.
2015-06-04: Vendor response - issues will be tracked with case ID SBC1506031
2015-06-08: SEC Consult asked for a release date of a fix.
2015-07-02: SEC Consult asked for a release date of a fix and the current status.
2015-07-13: SEC Consult asked for a release date of a fix and the current status.
2015-07-14: Vendor response - Vendor confirmed vulnerabilities 1) and 2).
      Vulnerabilities 3), 4) and 5) are classified as "not vulnerable"
      because an attacker requires code execution to exploit them.
      Vulnerabilities 1) and 2) are classified as low risk vulnerabilities.
      A patch will therefore not be available, a fix is planned for the next
      version update which will be released by end of Q3.
2015-07-21: SEC Consult informed McAfee that an advisory will be released on
      28.07.2015.  SEC Consult informed McAfee that vulnerabilities 3), 4)
      and 5) should be fixed as well because code execution can easily be
      achieved on a default installation of McAfee Application Control and
      therefore it's possible to exploit all the described vulnerabilities.
2015-07-28: Public release of the advisory


Solution:
- ---------
At the time of writing, no solution exists.
The vendor plans to release an update by the end of Q3 2015.
However, this update only fixes some of the found vulnerabilities.

SEC Consult Vulnerability Lab strongly suggests to apply workarounds described
in this advisory, to lower the risk of an attack.


Workaround:
- -----------
The following list contains configuration settings, hardening guidelines and
measures to secure the system.

*) Configure a strong password to protect McAfee Application Control
Without specifying a password for McAfee Application Control an attacker can
simply interact with the software to disable all protections.
McAfee Application Control does not enforce a strong password complexity.
It is recommended to use a strong password.
Command: sadmin passwd


*) Remove powershell.exe from the list of default whitelisted applications
Command: sadmin.exe unsolidify C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
Command: sadmin.exe unsolidify C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
(and all other occurrences of powershell.exe, e.g. in C:\Windows\winsxs\...)


*) Remove the default whitelisted ZIP application from the whitelist
Command: sadmin.exe unsolidify C:\Program Files\McAfee\Solidcore\Tools\GatherInfo\zip.exe


*) Remove interpreters (e.g. python, perl), debuggers, outdated software and other
applications which can be abused (e.g. java) from the whitelist


*) Only whitelist required software
To decrease the attack surface the list of whitelisted software should be as minimal
as possible.


*) Disable memory corruption protections from McAfee Application Control
This ensures that scinject.dll does not allocate a write- and executable
section in all applications. Since the protections offered by McAfee
Application Control correlate to the protections from the operating system,
these protections can be disabled. Only in some special situations
(e.g. the underlying hardware does not support hardware based DEP)
these protections should not be disabled.
Command: sadmin features disable mp
Command: sadmin features disable mp-casp
Command: sadmin features disable mp-vasr
Command: sadmin features disable mp-vasr-forced-relocation


*) Add JS and HTA files to the list of protected scripts
Per default McAfee Application Control does not protect the system from
malicious JS or HTA files. To secure this the hidden scripts command
can be used:
Command: sadmin.exe scripts add .js cscript.exe wscript.exe
Command: sadmin.exe scripts add .hta mshta.exe


*) Remove processes from the list of updaters / do not use the updater list
This recommendation is hard to follow because systems should
regularly be updated. However, the list of update process can be abused by
attackers. Therefore it's recommended to remove all elements from
the list. The recommended way to deal with updates is to add the
update process just before applying the update and remove the update process
after the system is successfully updated.
Command: sadmin.exe updaters list (get a list of all configured updaters)
Command: sadmin.exe updaters remove *name* (remove the identified updaters)


*) Do not configure trusted volumes
Trusted volumes completely bypass application whitelisting.
Therefore trusted volumes should not be configured.
Command: sadmin.exe trusted -l (get a list of all configured trusted volumes)
Command: sadmin.exe trusted -r *name* (remove the identified trusted volumes)


*) Regularly apply software and system updates.
This recommendation is not directly related to McAfee Application Control,
however SEC Consult Vulnerability Lab sees the importance to explicitly
mention this here. Keeping the system and all installed software
up-to-date is absolutely mandatory for the security of the system.


Advisory URL:
- -------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF R. Freingruber / @2015
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQIcBAEBAgAGBQJVt0cgAAoJEC0t17XG7og/AREQAKcO6L1XMsOohTIV2I/6/Qhy
FYNW9h7iJ/cSij8by3ktaZzaU40OhZt0ix51A158TWuezHImEqh/uDpz+TCNwviY
/Qzl6uDSAqNKro6ZyhEGSpdv75yx5dllRMbhea0h4ugBr8yPKvIb35ZemqbyZ/sz
SmcNorYwyJ8u32tJ/FV6+nvsviGlf+6QXYKEt8AtQDUdqkydf/YN+np+Gcmz4wse
5GFp/lX9ZbTSy6jUSfVWaYqr36NdzdZvaxb66qRo0aAlXCPUiRIDy/+x5EdUs5fL
i5C1a4rV0qYzw8+Mf+VOj9TB2cwdOUZjftvU4DmKNvPcIA/IpiXXh5jd6B0t8qD1
S0WFglR5LL/MZ3eJts1NCAmgd3JaFBGUUfpy6PfrJGuvOaWIxI3MUJGJLlHcGpzM
UKKO056E7OT54FrtxbPyP/J3XjBuXclva0wTeBlw2+t1I8lCYy+iRgDvMk+lTsnS
Z+xwfqq46vaMDv7BdV2LEfe6le8q/DNhbVzSC0AqoW9FX7BT8sDwNEu8Ds0R2Ztu
Sw4kKPupffm/MU3ovQkRQSfQshlTvh/kz91uIjDhad5i+bKY33eQ442GaHzuM++4
ONVigCzCSuobGjwz6emcq5jPbSkewXrgDaF9WYrIU6W4fNJRPRBCeOs+lsSiYUXL
1G020WXzemUseJZJC4t5
=3xKZ
-----END PGP SIGNATURE-----