McAfee Application Control Multiple Vulnerabilities (PDF)

Discussion in 'other security issues & news' started by Rasheed187, Jan 12, 2016.

  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    What... wow. "Memory corruption protection" actually introduces memory corruption vulnerabilities. Amazing.

    Also I like how they use an unaltered, known vulnerable binary from 1999.

    :thumbd:

    Edit: especially bothersome because Windows Enterprise versions already have AppLocker, which can be configured through group policies... So I suspect that breaking the OS like this is not even needed. Why on Earth doesn't McAfee use a frontend for the existing mechanisms?

    Edit 2: holy cow, people, just look at this.

    How can they even market this stuff?! :eek:
     
    Last edited: Jan 12, 2016
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    So they tried to reinvent a wheel and ended up with square one.
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    The one I love is a vulnerability dating back to 1999! Guess they forgot about it with all the ruckus of the world ending in 2000.:D

    Software shipped with an application from 1999 which includes publicly known vulnerabilities

    McAfee Application Control installs per default a ZIP application from 1999. The ZIP application contains publicly known vulnerabilities including a buffer overflow. An attacker can exploit the buffer overflow vulnerability to bypass application whitelisting. However, a public exploit is not available and exploitation of the vulnerability is considered not trivial.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Gee I wonder if this is why I've never thought much of McAfee.
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes it all seems so silly LOL. But I still wonder if these kind of bugs are really that easy to exploit. And will we get to see more attacks on security tools like AV's? That would be a bit scary.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    McAfee might not be the only culprit on this issue. Any security software that injects its own hook could also be guilty of the same. Also the question is why the hook injection into all running processes? Do I smell AppInit_DLLs loading here? If so, that's enough to send this software to the bit-bucket:

    1) Injected library bypasses protections of the operating system.

    To add memory corruption protections (mp, mp-casp, mp-vasr, mp-vasr-forced-relocation) McAfee Application Control injects it's own library scinject.dll into all running processes. The library allocates a write- and executable location which can be used to bypass the mitigation technique Data Execution Protection (DEP) of the underlying operating system. Moreover, it can also be used to bypass the mitigation technique mp-casp from McAfee Application Control. This increases the possibility to successfully exploit a memory corruption vulnerability. Since memory corruption vulnerabilities can be used to compromise a system and to bypass the application whitelisting protection, it is very important to not decrease the security of protections provided by the operating system.


     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    It's quite common for anti-exploit apps to inject code into running processes. For example, MBAE injects code only into protected apps, but HMPA (which offers more than only anti-exploit) injects code into all processes. But not all HIPS use this method, for example SpyShelter doesn't inject code at all AFAIK.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Eset also doesn't do hook injection unless its kernel detects some abnormal activity. The hook injection is done at next boot time and is used primarily to ensure no residual malware activity exists. The main difference between Eset and SpyShelter from other AVs is they both employ network filters to do their security monitoring.

    I don't know how HMP-A does its hook injection but strongly suspect that it is via AppInit_DLLs loading. If so, it can easily be disabled by malware. Additionally, loading of dlls from that registry key is a security risk in itself.
     
  10. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Alert injects from kernel into user mode before kernel32.dll is loaded. It is an in-house developed technique.
     
  11. hjlbx

    hjlbx Guest

    If you read carefully, the researcher is able to circumvent McAfee Application Control by executing "vulnerable" processes that are not black-listed by MAC by default - e.g. Powershell.

    From a quick look, it appears most, if not all, of these by-passes can be blocked by locking-down vulnerable processes - e.g. cmd.exe, powershell.exe, etc.

    One can achieve a higher level of security by simply using NVT ERP.

    NVT ERP is much - much - less installation, configuration and usability hassle... plus, it can be used on home versions of Windows.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Actually, there have been multiple bypasses of MAC with blacklisting employed. I posted a current .Net bypass a while back but the mods deleted the link I posted.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Good to know. Also kudos to you for doing it right.
     
  14. hjlbx

    hjlbx Guest

    @itman - really ?

    Yeah. Some .NET objects should be black-listed as well, but user has to know which ones and what to do...

    Even if one does the above, there is a way around most security softs. The trick is finding the doorway\method.

    MAC is not perfect solution; I am not defending it.
     
  15. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
    and remember guys I was telling people in the hitman alert thread why system processes need hardening :p
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    This is what I expected, not a lot of security tools use the AppInit_DLL method anymore AFAIK. Injection is usually done via the driver.

    Yes but not with anti-exploit, protecting security tools and system applications can cause serious problems.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.