GOODFELLAS Security Research TEAM
http://goodfellas.shellcode.com.ar
Greetings to str0ke

McAfee, Inc. 3.6.0.608 Policy Manager naPolicyManager.dll Arbitrary Data Write
==============================================================================

Internal ID: VULWAR20090616.
-----------

Introduction
------------
naPolicyManager.dll is a library included in the McAfee, Inc. program.

Tested In
---------
- Windows XP SP1/SP2 French/English with IE 6.0 / 7.0.

Summary
-------
The WriteTaskDataToIniFile method doesn't check whether it is being called
by the application or by a malicious user. A remote attacker could craft
an HTML page and overwrite arbitrary files on a system.

Impact
------
The vulnerability could allow malicious users to write arbitrary data on a
vulnerable system that uses this software.

Workaround
----------
- Set the kill bit on the CLSID corresponding to the software.
- Unregister naPolicyManager.dll using regsvr32.

Timeline
--------
July 16 2009 -- Bug Discovery.
July 16 2009 -- POC published.

Credits
-------
 * callAX

Technical Details
-----------------
The WriteTaskDataToIniFile method receives one argument, a filename, in
this format: "c:\path\file".

Proof of Concept
---------------