Interesting stuff about how to bypass white-listing: https://www.sec-consult.com/fxdata/...tion_Control_Multiple_Vulnerabilities_v10.txt https://www.sec-consult.com/fxdata/..._for_critical_infrastructure_systems_v10.pdf
What... wow. "Memory corruption protection" actually introduces memory corruption vulnerabilities. Amazing. Also I like how they use an unaltered, known vulnerable binary from 1999. Edit: especially bothersome because Windows Enterprise versions already have AppLocker, which can be configured through group policies... So I suspect that breaking the OS like this is not even needed. Why on Earth doesn't McAfee use a frontend for the existing mechanisms? Edit 2: holy cow, people, just look at this. How can they even market this stuff?!
The one I love is a vulnerability dating back to 1999! Guess they forgot about it with all the ruckus of the world ending in 2000.
Software shipped with an application from 1999 which includes publicly known vulnerabilities
McAfee Application Control installs by default a ZIP application from 1999. The ZIP application contains publicly known vulnerabilities including a buffer overflow. An attacker can exploit the buffer overflow vulnerability to bypass application whitelisting. However, a public exploit is not available and exploitation of the vulnerability is considered not trivial.
Yes, it all seems so silly LOL. But I still wonder if these kinds of bugs are really that easy to exploit. And will we get to see more attacks on security tools like AVs? That would be a bit scary.
McAfee might not be the only culprit on this issue. Any security software that injects its own hook could also be guilty of the same. Also the question is why the hook injection into all running processes? Do I smell AppInit_DLLs loading here? If so, that's enough to send this software to the bit-bucket:
1) Injected library bypasses protections of the operating system
To add memory corruption protections (mp, mp-casp, mp-vasr, mp-vasr-forced-relocation) McAfee Application Control injects its own library scinject.dll into all running processes. The library allocates a writable and executable location which can be used to bypass the mitigation technique Data Execution Protection (DEP) of the underlying operating system. Moreover, it can also be used to bypass the mitigation technique mp-casp from McAfee Application Control. This increases the likelihood of successfully exploiting a memory corruption vulnerability. Since memory corruption vulnerabilities can be used to compromise a system and to bypass the application whitelisting protection, it is very important not to decrease the security of protections provided by the operating system.
It's quite common for anti-exploit apps to inject code into running processes. For example, MBAE injects code only into protected apps, but HMPA (which offers more than only anti-exploit) injects code into all processes. But not all HIPS use this method, for example SpyShelter doesn't inject code at all AFAIK.
Eset also doesn't do hook injection unless its kernel detects some abnormal activity. The hook injection is done at next boot time and is used primarily to ensure no residual malware activity exists. The main difference between Eset and SpyShelter from other AVs is they both employ network filters to do their security monitoring. I don't know how HMP-A does its hook injection but strongly suspect that it is via AppInit_DLLs loading. If so, it can easily be disabled by malware. Additionally, loading of dlls from that registry key is a security risk in itself.
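An added check for the AppInit_DLLs concern raised in the posts above (example code written here, not from the thread or any of the vendors mentioned): it reads the registry values the loader consults, lists which DLLs would be pushed into every user-mode process, and reports whether each one is Authenticode-signed. The System32 fallback for path-less entries is an assumption for this illustration.

```powershell
# Added example: audit the AppInit_DLLs injection mechanism on the local machine.
function Get-AppInitDllStatus {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # 64-bit processes
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit processes on x64
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $props  = Get-ItemProperty -Path $path
        $load   = [int]$props.LoadAppInit_DLLs           # 1 = loader honours the list
        $signed = [int]$props.RequireSignedAppInit_DLLs  # 1 = unsigned DLLs are refused
        # The loader accepts space- or comma-separated entries
        $dlls = @([string]$props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })

        $risk = 'Disabled'
        if ($load -eq 1) {
            $risk = if ($dlls.Count -gt 0) { 'ACTIVE: listed DLLs are injected into every user-mode process' }
                    else { 'Enabled, but the list is empty' }
        }

        $details = foreach ($dll in $dlls) {
            # Assumption: entries without a path are looked up in System32 for this audit;
            # the real loader uses its normal DLL search order.
            $candidate = if (Test-Path $dll) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            $sig = if (Test-Path $candidate) { (Get-AuthenticodeSignature $candidate).Status } else { 'FileNotFound' }
            [pscustomobject]@{ Dll = $dll; Resolved = $candidate; Signature = $sig }
        }

        [pscustomobject]@{
            Hive             = $path
            LoadAppInit_DLLs = $load
            RequireSigned    = $signed
            Risk             = $risk
            Dlls             = $details
        }
    }
}

Get-AppInitDllStatus | Format-List
```

On Windows 8 and later with Secure Boot enabled the loader ignores AppInit_DLLs entirely; elsewhere, setting LoadAppInit_DLLs to 0 turns the mechanism off, and any product that depends on it will show up in this output.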
Alert injects from kernel into user mode before kernel32.dll is loaded. It is an in-house developed technique.
If you read carefully, the researcher is able to circumvent McAfee Application Control by executing "vulnerable" processes that are not black-listed by MAC by default - e.g. PowerShell. From a quick look, it appears most, if not all, of these bypasses can be blocked by locking down vulnerable processes - e.g. cmd.exe, powershell.exe, etc. One can achieve a higher level of security by simply using NVT ERP. NVT ERP is much - much - less installation, configuration and usability hassle... plus, it can be used on home versions of Windows.
Actually, there have been multiple bypasses of MAC with blacklisting employed. I posted a current .Net bypass a while back but the mods deleted the link I posted.
@itman - really? Yeah. Some .NET objects should be black-listed as well, but the user has to know which ones and what to do... Even if one does the above, there is a way around most security softs. The trick is finding the doorway/method. MAC is not a perfect solution; I am not defending it.
And remember, guys, I was telling people in the HitmanPro.Alert thread why system processes need hardening.
This is what I expected: not a lot of security tools use the AppInit_DLLs method anymore AFAIK. Injection is usually done via the driver. Yes, but not with anti-exploit; protecting security tools and system applications can cause serious problems.