-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
SEC Consult Vulnerability Lab Security Advisory 20150728-0
===
title: McAfee Application Control Multiple Vulnerabilities
product: McAfee Application Control
vulnerable version: verified in version 6.1.3.353
fixed version: a fixed version is currently not available
impact: high
homepage: www.mcafee.com/us/products/application-control.aspx
found: 28.04.2015
by: R. Freingruber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Singapore
Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
===
Vendor description:
- ---
McAfee Application Control software provides an effective way to block
unauthorized applications and code on servers, corporate desktops, and
fixed-function devices. This centrally managed whitelisting solution
uses a dynamic trust model and innovative security features that thwart
advanced persistent threats — without requiring signature updates or
labor-intensive list management.
Source: http://www.mcafee.com/us/products/application-control.aspx
Business recommendation:
-
By combining the vulnerabilities documented in this advisory an attacker
can completely bypass the mitigations provided by McAfee Application
Control. This especially includes the application whitelisting as well as
the read and write protections. Moreover, an attacker can attack the
availability of the system.
SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
Vulnerability overview/description:
- ---
1) Injected library bypasses protections of the operating system
To add memory corruption protections (mp, mp-casp, mp-vasr,
mp-vasr-forced-relocation) McAfee Application Control injects it's own
library scinject.dll into all running processes. The library allocates a
write- and executable location which can be used to bypass the mitigation
technique Data Execution Protection (DEP) of the underlying operating
system. Moreover, it can also be used to bypass the mitigation technique
mp-casp from McAfee Application Control. This increases the possibility
to successfully exploit a memory corruption vulnerability. Since memory
corruption vulnerabilities can be used to compromise a system and to bypass
the application whitelisting protection it is very important to not decrease
the security of protections provided by the operating system.
2) Software shipped with an application from 1999 which includes publicly known
vulnerabilities
McAfee Application Control installs per default a ZIP application from 1999.
The ZIP application contains publicly known vulnerabilities including a buffer
overflow. An attacker can exploit the buffer overflow vulnerability to bypass
application whitelisting. However, a public exploit is not available and
exploitation of the vulnerability is considered not trivial.
3) Multiple kernel driver vulnerabilities
An attacker can send manipulated IOCTL requests to the kernel which lead to a
system crash. These vulnerabilities can be used to affect the availability of
the system. It is expected that these vulnerabilities can also be used to
escalate privileges to kernel level.
4) Insufficient application whitelisting protection
The main feature of McAfee Application Control is application whitelisting.
SEC Consult Vulnerability Lab discovered multiple ways to bypass this
protection.
5) Insufficient file system read-/write-protection
Because of the design of McAfee Application Control write protection is
mandatory
to ensure the security of application whitelisting. SEC Consult managed to
bypass
the write protection to overwrite whitelisted applications to achieve full code
execution. Moreover, read protection was bypassed to dump the contents of
McAfee's password file. By bypassing write protection it's also possible to
delete the password file to interact with McAfee Application Control without
requiring a password. This can be used to completely disable McAfee Application
Control.
Proof of concept:
- -
Since no fix is available for any of the described vulnerabilities, the
proof of concept section was completely removed from the advisory.
Vulnerable / tested versions:
- -
The version 6.1.3.353 was found to be vulnerable.
This was the latest version at the time of discovery.
Vendor contact timeline:
-
2015-06-03: Contacting vendor through security-ale...@mcafee.com