[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] ZDI-12-012 : (0Day) McAfee SaaS myCIOScn.dll ShowReport Method Remote Command Execution



On Mon, Jan 16, 2012 at 4:33 AM, Emanuel Rietveld <codehotter@xxxxxxxxx> wrote:
> I might be missing something, but if exploitation of this vulnerability
> requires the ability to instantiate the activeX control and calling a
> method, how is this a vulnerability?
>
> If the user allows arbitrary activeX controls to instantiate and allows
> scripting access, one could simply instantiate WScript.Shell and call
> WScript.Shell.Exec(). The control MyCioScan.Scan is not marked safe by
> default on my system, and attempting to instantiate it gives exactly the
> same security prompts as trying to instantiate WScript.Shell.
What happens under a bad-case scenario when the bad guy controls the
computer and allows it to run? Perhaps he/she gets access to the
computer when the receptionists ask the attacker to sign in for a
meeting, or there's an extra terminal in a conference room, etc.

> On 01/12/2012 07:58 PM, ZDI Disclosures wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> ZDI-12-012 : (0Day) McAfee SaaS myCIOScn.dll ShowReport Method Remote
>> Command Execution
>> http://www.zerodayinitiative.com/advisories/ZDI-12-012
>> January 12, 2012
>>
>> - -- CVE ID:
>>
>>
>> - -- CVSS:
>> 9, AV:N/AC:L/Au:N/C:P/I:P/A:C
>>
>> - -- Affected Vendors:
>>
>> McAfee
>>
>>
>>
>> - -- Affected Products:
>>
>> McAfee   Security-as-a-Service
>>
>>
>>
>> - -- TippingPoint(TM) IPS Customer Protection:
>> TippingPoint IPS customers have been protected against this
>> vulnerability by Digital Vaccine protection filter ID 11710.
>> For further product information on the TippingPoint IPS, visit:
>>
>>      http://www.tippingpoint.com
>>
>> - -- Vulnerability Details:
>> This vulnerability allows remote attackers to execute arbitrary code on
>> vulnerable installations of McAfee Security-as-a-Service. User
>> interaction is required to exploit this vulnerability in that the target
>> must visit a malicious page or open a malicious file.
>>
>> The specific flaws exists within myCIOScn.dll.
>> MyCioScan.Scan.ShowReport() will accept commands that are passed to a
>> function that simply executes them without authentication. This can be
>> leveraged by a malicious attacker to execute arbitrary code within the
>> context of the browser.
>>
>> - -- Vendor Response:
>>
>>
>>
>> - -- Mitigation:
>> The killbit can be set on this control to disable scripting within
>> Internet Explorer by modifying the data value of the Compatibilty Flags
>> DWORD within the following location in the registry:
>>
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
>> Compatibility\209EBDEE-065C-11D4-A6B8-00C04F0D38B7
>>
>> If the Compatibility Flags value is set to 0x00000400 the control can no
>> longer be instantiated inside the browser. For more information, please
>> see: http://support.microsoft.com/kb/240797
>>
>>
>> - -- Disclosure Timeline:
>> 2011-04-01 - Vulnerability reported to vendor
>>
>> 2012-01-12 - 0Day advisory released in accordance with the ZDI 180 day
>> deadline policy
>>
>>
>>
>> - -- Credit:
>> This vulnerability was discovered by:
>>
>> * Andrea Micalizzi aka rgod
>>
>>
>>
>> - -- About the Zero Day Initiative (ZDI):
>> Established by TippingPoint, The Zero Day Initiative (ZDI) represents
>> a best-of-breed model for rewarding security researchers for responsibly
>> disclosing discovered vulnerabilities.
>>
>> Researchers interested in getting paid for their security research
>> through the ZDI can find more information and sign-up at:
>>
>>      http://www.zerodayinitiative.com
>>
>> The ZDI is unique in how the acquired vulnerability information is
>> used. TippingPoint does not re-sell the vulnerability details or any
>> exploit code. Instead, upon notifying the affected product vendor,
>> TippingPoint provides its customers with zero day protection through
>> its intrusion prevention technology. Explicit details regarding the
>> specifics of the vulnerability are not exposed to any parties until
>> an official vendor patch is publicly available. Furthermore, with the
>> altruistic aim of helping to secure a broader user base, TippingPoint
>> provides this vulnerability information confidentially to security
>> vendors (including competitors) who have a vulnerability protection or
>> mitigation product.
>>
>> Our vulnerability disclosure policy is available online at:
>>
>>      http://www.zerodayinitiative.com/advisories/disclosure_policy/
>>
>> Follow the ZDI on Twitter:
>>
>>      http://twitter.com/thezdi
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.17 (MingW32)
>>
>> iQEcBAEBAgAGBQJPDy1iAAoJEFVtgMGTo1sc1NsIALRdu4rAi5JGNXA65mVWe5J5
>> 9hOkq0X7rXKQtBOF+3bQZUGl0LaM5GwRVY+PxZ56PBArPRwjC7pcXrXOKHYQjcCn
>> /w5YjiL/wAhjGkjbpmyUaVrsFu5klazt1jj315NvEH6cNS7uTWuhJo+hQki1o9wA
>> SLlg8De1EiQDQ0UDUT9oAknnyKJFiye3tCWQqAiEOi0sxTxNsf/Qhwdk9gjPTjz8
>> iPkiN+A+TCpdHNmhvCykW5/sB2M8BJVGKUGTgnbCvCzEfdf2kXhsutIj7WQ3kmlR
>> qwwOd6f//q1ogn3ggif1d+wn64as+5pm88un0a5H+QGhJPBT1vMk1bLp80Pyggg=
>> =ldZO
>> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/