[FD] SEC Consult SA-20150728-0 :: McAfee Application Control Multiple Vulnerabilities

2015-07-28 Thread SEC Consult Vulnerability Lab
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

SEC Consult Vulnerability Lab Security Advisory < 20150728-0 >
=======================================================================
              title: McAfee Application Control Multiple Vulnerabilities
            product: McAfee Application Control
 vulnerable version: verified in version 6.1.3.353
      fixed version: a fixed version is currently not available
             impact: high
           homepage: www.mcafee.com/us/products/application-control.aspx
              found: 28.04.2015
                 by: R. Freingruber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Singapore
                     Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
McAfee Application Control software provides an effective way to block
unauthorized applications and code on servers, corporate desktops, and
fixed-function devices. This centrally managed whitelisting solution
uses a dynamic trust model and innovative security features that thwart
advanced persistent threats — without requiring signature updates or
labor-intensive list management.

Source: http://www.mcafee.com/us/products/application-control.aspx


Business recommendation:
-------------------------
By combining the vulnerabilities documented in this advisory an attacker
can completely bypass the mitigations provided by McAfee Application
Control. This especially includes the application whitelisting as well as
the read and write protections. Moreover, an attacker can attack the
availability of the system.

SEC Consult recommends not to use this software until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Injected library bypasses protections of the operating system
To add memory corruption protections (mp, mp-casp, mp-vasr,
mp-vasr-forced-relocation) McAfee Application Control injects its own
library scinject.dll into all running processes. The library allocates a
writable and executable memory region which can be used to bypass the
mitigation technique Data Execution Prevention (DEP) of the underlying
operating system. Moreover, it can also be used to bypass the mitigation
technique mp-casp of McAfee Application Control. This increases the
likelihood of successfully exploiting a memory corruption vulnerability.
Since memory corruption vulnerabilities can be used to compromise a system
and to bypass the application whitelisting protection, it is very important
not to decrease the security of the protections provided by the operating
system.


2) Software shipped with an application from 1999 which includes publicly
known vulnerabilities
McAfee Application Control installs by default a ZIP application from 1999.
The ZIP application contains publicly known vulnerabilities including a buffer
overflow. An attacker can exploit the buffer overflow vulnerability to bypass
application whitelisting. However, a public exploit is not available and
exploitation of the vulnerability is considered non-trivial.


3) Multiple kernel driver vulnerabilities
An attacker can send manipulated IOCTL requests to the kernel which lead to a
system crash. These vulnerabilities can be used to affect the availability of
the system. It is expected that these vulnerabilities can also be used to
escalate privileges to kernel level.


4) Insufficient application whitelisting protection
The main feature of McAfee Application Control is application whitelisting.
SEC Consult Vulnerability Lab discovered multiple ways to bypass this
protection.


5) Insufficient file system read-/write-protection
Because of the design of McAfee Application Control, write protection is
mandatory to ensure the security of application whitelisting. SEC Consult
managed to bypass the write protection to overwrite whitelisted applications
and achieve full code execution. Moreover, read protection was bypassed to
dump the contents of McAfee's password file. By bypassing write protection it
is also possible to delete the password file and interact with McAfee
Application Control without requiring a password. This can be used to
completely disable McAfee Application Control.


Proof of concept:
-----------------
Since no fix is available for any of the described vulnerabilities, the
proof of concept section was completely removed from the advisory.


Vulnerable / tested versions:
----------------------------
The version 6.1.3.353 was found to be vulnerable.
This was the latest version at the time of discovery.


Vendor contact timeline:
------------------------
2015-06-03: Contacting vendor through security-ale...@mcafee.com
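The first finding above is that scinject.dll leaves a writable and executable region in every process it is injected into. The following is an added example, not code from the SEC Consult advisory or from McAfee: it walks a Windows process's address space with VirtualQueryEx and lists every committed region whose page protection allows both writing and execution, which is the condition that defeats DEP. Running it against an ordinary process (notepad.exe, say) on a host with and without the product installed shows whether such a region appears. The PID argument, the Region dataclass and the helper names are assumptions of this example; the Win32 constants are the documented values. Without a PID it runs over a constructed sample so the decoding logic can be exercised on any platform.

```python
"""Enumerate writable+executable memory regions in a Windows process.

Added example, not code from the SEC Consult advisory or from McAfee.
The advisory reports that scinject.dll allocates a writable and executable
region in every process; this script walks a process's address space with
VirtualQueryEx and lists every committed region whose protection allows
both writing and execution (the condition that defeats DEP).  Pass a PID
on Windows; without a PID it runs over a constructed sample.
"""
import ctypes
import sys
from dataclasses import dataclass

# Win32 page-protection and memory-state constants (documented values).
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PROTECT_MODIFIERS = 0x100 | 0x200 | 0x400   # PAGE_GUARD|PAGE_NOCACHE|PAGE_WRITECOMBINE
MEM_COMMIT = 0x1000
MEM_TYPE_NAMES = {0x1000000: "IMAGE", 0x40000: "MAPPED", 0x20000: "PRIVATE"}
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010


@dataclass(frozen=True)
class Region:
    base: int
    size: int
    state: int
    protect: int
    mem_type: int


def is_writable_executable(protect: int) -> bool:
    """True if the protection allows both write and execute.

    PAGE_GUARD, PAGE_NOCACHE and PAGE_WRITECOMBINE are modifier bits OR-ed
    onto the base protection, so they are masked off before comparing.
    """
    return (protect & ~PROTECT_MODIFIERS) in (PAGE_EXECUTE_READWRITE,
                                              PAGE_EXECUTE_WRITECOPY)


def rwx_regions(regions):
    """Committed regions that a DEP bypass could reuse as a code cave."""
    return [r for r in regions
            if r.state == MEM_COMMIT and is_writable_executable(r.protect)]


def describe(region: Region) -> str:
    kind = MEM_TYPE_NAMES.get(region.mem_type, hex(region.mem_type))
    return (f"0x{region.base:016x} size=0x{region.size:x} "
            f"protect=0x{region.protect:x} type={kind}")


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    _fields_ = [("BaseAddress", ctypes.c_void_p),
                ("AllocationBase", ctypes.c_void_p),
                ("AllocationProtect", ctypes.c_uint32),
                ("RegionSize", ctypes.c_size_t),
                ("State", ctypes.c_uint32),
                ("Protect", ctypes.c_uint32),
                ("Type", ctypes.c_uint32)]


def enumerate_regions(pid: int):
    """Walk the address space of `pid` with VirtualQueryEx (Windows only)."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is only available on Windows")
    k32 = ctypes.windll.kernel32
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION),
                                   ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError()
    regions, addr, mbi = [], 0, MEMORY_BASIC_INFORMATION()
    try:
        # VirtualQueryEx returns 0 once `addr` passes the end of user space.
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0          # c_void_p yields None for NULL
            regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions


# Constructed sample (not a real capture): an image section, a private
# RWX allocation of the kind the advisory describes, and a reserved but
# uncommitted RWX range that must not be reported.
SAMPLE_REGIONS = [
    Region(0x7ff6_1000_0000, 0x1000, MEM_COMMIT, 0x20, 0x1000000),
    Region(0x0000_0210_0000, 0x10000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, 0x20000),
    Region(0x0000_0220_0000, 0x10000, 0x2000, PAGE_EXECUTE_READWRITE, 0x20000),
]

if __name__ == "__main__":
    regions = enumerate_regions(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REGIONS
    hits = rwx_regions(regions)
    print(f"{len(hits)} writable+executable region(s)")
    for r in hits:
        print(describe(r))
```

Reserved-but-uncommitted ranges are skipped deliberately: only committed pages can hold shellcode, and the guard/cache modifier bits are masked so a PAGE_GUARD|PAGE_EXECUTE_READWRITE page is still counted. To attribute a hit to a module, compare its base against the module list (for example from the Get-Process Modules property in PowerShell).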

[FD] Reflected XSS in Flickr Justified Gallery could allow unauthenticated attackers to do almost anything an admin can do (WordPress plugin)

2015-07-28 Thread dxw Security
Details

Software: Flickr Justified Gallery
Version: 3.3.6
Homepage: https://wordpress.org/plugins/flickr-justified-gallery/
Advisory report: 
https://security.dxw.com/advisories/reflected-xss-in-flickr-justified-gallery-could-allows-unauthenticated-attackers-to-do-almost-anything-an-admin-can-do/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)

Description

Reflected XSS in Flickr Justified Gallery could allow unauthenticated
attackers to do almost anything an admin can do

Vulnerability

This plugin contains a reflected XSS vulnerability which would allow an 
unauthenticated attacker to do almost anything an admin user can do.
For this to happen, the administrator would have to be tricked into clicking on 
a link controlled by the attacker. It is easy to make these links very 
convincing.

Proof of concept

Visit a page containing the following in Firefox or any other browser with no
reflected XSS mitigation strategies, and click submit:

  <form action="http://localhost/wp-admin/options-general.php?page=fjgwpp.php" method="POST">
    <input type="text" name="fjgwpp_userID" value="&quot;&lt;script&gt;alert(1)&lt;/script&gt;">
    <input type="text" name="Submit" value="Save Changes">
    <input type="submit">
  </form>

Mitigations

Upgrade to version 3.4.0 or later

Disclosure policy

dxw believes in responsible disclosure. Your attention is drawn to our 
disclosure policy: https://security.dxw.com/disclosure/

Please contact us on secur...@dxw.com to acknowledge this report if you 
received it via a third party (for example, plug...@wordpress.org) as they 
generally cannot communicate with us on your behalf.

This vulnerability will be published if we do not receive a response to this
report within 14 days.

Timeline


2015-07-21: Discovered
2015-07-22: Reported to vendor via email
2015-07-22: Requested CVE
2015-07-23: Vendor responded confirming fixed in 3.4.0
2015-07-28: Published



Discovered by dxw:

Tom Adams
Please visit security.dxw.com for more information.
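The proof of concept above is an attribute-context reflected XSS delivered by a cross-site POST. The following is an added example, not the plugin's or dxw's code, that models the pattern and its fix. It assumes (inferred from the payload's leading double quote, not stated in the advisory) that the settings page echoes fjgwpp_userID back into an <input value="..."> attribute without escaping; render_vulnerable, render_fixed and the nonce helpers are hypothetical names for illustration, and the session secret is constructed for the example.

```python
"""Attribute-context reflected XSS as the Flickr Justified Gallery proof of
concept exercises it.  Added example; none of this is the plugin's or dxw's
code.

The advisory's form posts fjgwpp_userID with an HTML-entity-encoded value;
the browser decodes the entities, so what is actually submitted begins with
a double quote.  The assumption modelled here (inferred from that payload,
not stated in the advisory) is that the settings page echoes the value back
into an <input value="..."> attribute without escaping, so the quote closes
the attribute and the rest is parsed as markup.  render_vulnerable,
render_fixed and the nonce helpers are hypothetical names.
"""
import hmac
import html
import secrets

# Attribute value exactly as written in the advisory's form.
POC_ATTRIBUTE_VALUE = "&quot;&lt;script&gt;alert(1)&lt;/script&gt;"


def posted_value(attribute_value: str) -> str:
    """What the browser submits for <input value="..."> after entity decoding."""
    return html.unescape(attribute_value)


def render_vulnerable(user_id: str) -> str:
    """Echoes the submitted value into an attribute unescaped (assumed bug pattern)."""
    return f'<input type="text" name="fjgwpp_userID" value="{user_id}">'


def render_fixed(user_id: str) -> str:
    """Same markup with attribute escaping; the equivalent of WordPress esc_attr()."""
    return f'<input type="text" name="fjgwpp_userID" value="{html.escape(user_id, quote=True)}">'


def breaks_out_of_attribute(rendered: str) -> bool:
    """Does the rendered markup contain a raw <script> start tag?"""
    return "<script>" in rendered.lower()


# The proof of concept delivers the payload with a cross-site POST.  A
# per-user nonce that the attacker's page cannot read blocks that delivery
# independently of output escaping (WordPress: wp_nonce_field /
# check_admin_referer).  The secret below is constructed for the example.
SESSION_SECRET = secrets.token_bytes(32)


def issue_nonce(user_id: int, action: str) -> str:
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SESSION_SECRET, msg, "sha256").hexdigest()[:16]


def handle_settings_post(form: dict, user_id: int) -> str:
    """Hardened handler: reject requests without a valid nonce, then escape on output."""
    expected = issue_nonce(user_id, "fjgwpp-options")
    if not hmac.compare_digest(form.get("_wpnonce", ""), expected):
        return "403 Forbidden: missing or invalid nonce"
    return render_fixed(form.get("fjgwpp_userID", ""))


if __name__ == "__main__":
    payload = posted_value(POC_ATTRIBUTE_VALUE)
    print("browser submits:", payload)
    print("vulnerable     :", render_vulnerable(payload))
    print("escaped        :", render_fixed(payload))
    print("cross-site POST:", handle_settings_post({"fjgwpp_userID": payload}, 1))
```

Escaping on output fixes the reflection regardless of how the value arrives; the nonce check is the second, independent layer that stops the cross-site form from reaching the handler at all. Whether the 3.4.0 release added a nonce check in addition to escaping is not stated in the advisory.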
  


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives  RSS: http://seclists.org/fulldisclosure/