[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

McAfee Commandline Updater

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: McAfee Commandline Updater
From: Technion <technion@xxxxxxxxxxx>
Date: Thu, 6 Jan 2011 20:27:08 -0500

Product Affected
Updater for McAfee Virusscan Command Line 6.0
This product is available attached to this document:
https://kc.mcafee.com/corporate/index?page=content&id=KB67513 
As far as can be determined, there has only ever been one version of this 
application.
 
Background
It is stated by McAfee:
NOTE: The attached script is only an example of how to automate the update 
process and is not officially supported by McAfee Technical Support.
 
How can McAfee actually expect you to operate a virus scanner without a regular 
update process? Either we accept the product as effectively useless, or we 
produce a better update process. I would contend this is a more serious issue 
than the one presented in this exploit.
 
Problem
 
The updater script stores downloaded data in a known location under /tmp, which 
is vulnerable to a symlink based exploit.
UVscan itself has been the subject of an identical symlink bug, for which 
McAfee released a security fix back in 2008.
https://kc.mcafee.com/corporate/index?page=content&id=KB51216
 
Full discussion and exploit has been documented here:
http://www.lolware.net/uvscan.html
 
Timeline
 
November 9, 2010: Issue found
circa November 17, 2010: Filled in McAfee's online support form. No reply.
December 10, 2010: Several painful hours on the phone to McAfee. Got nowhere.
January 7, 2010: Disclosure
 
Fix
A recommended replacement script is discussed at the above URL.

Prev by Date: Re: Joomla! 1.0.x ~ 1.0.15 | Cross Site Scripting (XSS) Vulnerability
Next by Date: call for participation
Previous by thread: GNU libc/regcomp(3) Multiple Vulnerabilities
Next by thread: call for participation
Index(es):
- Date
- Thread