> -----Original Message-----
> From: eEye Advisories [mailto:Advisories@xxxxxxxx]
> Sent: Tuesday, August 08, 2006 2:10 AM
> To: vulnwatch@xxxxxxxxxxxxx; ntbugtraq@xxxxxxxxxxxxx;
> bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: [EEYEB-20060719] McAfee Subscription Manager Stack Buffer Overflow
> Importance: High
>
> McAfee Subscription Manager Stack Buffer Overflow
>
> Release Date:
> August 7, 2006
>
> Date Reported:
> July 19, 2006
>
> Patch Development Time (In Days):
> 17 Days
>
> Severity:
> High (Remote Code Execution)
>
> Vendor:
> McAfee
>
> Systems Affected:
> McAfee AntiSpyware 1.x, 2.x
> McAfee Internet Security Suite 6.x, 7.x, 8.x
> McAfee Personal Firewall Plus 5.x, 6.x, 7.x
> McAfee Privacy Service 6.x, 7.x, 8.x
> McAfee QuickClean 4.x, 5.x, 6.x
> McAfee SpamKiller 5.x, 6.x, 7.x
> McAfee VirusScan 8.x, 9.x, 10.x
> McAfee Wireless Home Network Security 1.x
>
> Overview:
> eEye Digital Security has discovered a vulnerability in McAfee Security
> Center that ships with all McAfee consumer products. There is a remote
> code execution vulnerability that allows an attacker to take complete
> control of a remote computer by exploiting a vulnerability found in the
> Subscription Manager ActiveX control.
>
> Technical Details:
> A stack buffer overflow vulnerability exists in McAfee's Subscription
> Manager ActiveX control which is shipped with all Home and Home Business
> products. The McSubMgr.dll is a manager module used to control
> subscriptions of a particular product to ensure that the software has
> not exceeded its subscription time as well as various maintenance checks
> (i.e. Expirations, Old Applications, etc.). Unfortunately McSubMgr.dll
> is set as safe for scripting, so we are able to call various members
> from within the .dll from a webpage by referencing its CLSID and passing
> arguments to these members. The vulnerability occurs when we pass a
> string of over 3000 bytes using various members which are then passed on
> to a vulnerable vsprintf, causing a stack overflow to occur.
>
> .text:02B0B27F var_BB8 = byte ptr -0BB8h <-- 3000 bytes
> .text:02B0B27F arg_0 = dword ptr 8
> .text:02B0B27F arg_4 = byte ptr 0Ch
> .text:02B0B27F
> .text:02B0B27F push ebp
> .text:02B0B280 mov ebp, esp
> .text:02B0B282 sub esp, 0BB8h
> .text:02B0B288 lea eax, [ebp+arg_4]
> .text:02B0B28B push eax ; va_list
> .text:02B0B28C push [ebp+arg_0] ; char *
> .text:02B0B28F lea eax, [ebp+var_BB8]
> .text:02B0B295 push eax ; char *
> .text:02B0B296 mov [ebp+var_BB8], 0
> .text:02B0B29D call _vsprintf <-- Exploitable vsprintf
> .text:02B0B2A2 add esp, 0Ch
> .text:02B0B2A5 leave
> .text:02B0B2A6 retn
> .text:02B0B2A6 sub_2B0B27F endp
>
> Since there is literally no bounds checking on the vsprintf when a
> string exceeding 3000 bytes of data is passed to a 3000-byte buffer, an
> overflow occurs, and we are able to execute arbitrary code. To exploit
> this vulnerability over the internet we must first create a web page
> with some scripting to create the ActiveX object and call one of the
> affected methods so that we may pass data along to overflow the
> vulnerable vsprintf.
>
> <object classid='clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602' id='Red'
> ></object>
> GK=String(165001, "a")
> Red.IsAppExpired GK
>
> The above example is a code snip that will send 165001 a's to the
> IsAppExpired ActiveX member, therefore completely overflowing the stack.
>
> Protection:
> Retina Network Security Scanner has been updated to identify this
> vulnerability.
> Blink Endpoint Vulnerability Prevention preemptively protects from this
> vulnerability.
>
> Vendor Status:
> McAfee has released patches for the affected products. The McAfee
> Security Bulletin is available here:
> http://ts.mcafeehelp.com/faq3.asp?docid=407052
>
> Credit:
> Karl Lynn
>
> Related Links:
> Retina Network Security Scanner -
> http://www.eeye.com/html/products/retina
> Blink Endpoint Vulnerability Prevention -
> http://www.eeye.com/html/products/blink
>
> Greetings:
> Derek, Barnaby, Dre, Hugo, CSam, Barbara Parker, HD Moore, Mark Dowd,
> and GK for the intelligent conversation at the Shadow Bar. See Ya Next
> Tuesday ;)
>
> Copyright (c) 1998-2006 eEye Digital Security. Permission is hereby
> granted for the redistribution of this alert electronically. It is not
> to be edited in any way without express consent of eEye. If you wish to
> reprint the whole or any part of this alert in any other medium
> excluding electronic medium, please email alert@xxxxxxxx for
> permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are no warranties, implied or express, with regard to this information.
> In no event shall the author be liable for any direct or indirect
> damages whatsoever arising out of or in connection with the use or
> spread of this information. Any use of this information is at the user's
> own risk.
>
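The disassembly quoted above is the textbook shape of this bug class: a fixed 3000-byte stack buffer (sub esp, 0BB8h) filled by vsprintf, which is never told how large the destination is. The following C is an added illustration written for this reply; it is not code from the eEye advisory or from McAfee's McSubMgr.dll. It places that unbounded pattern beside the fix a defender would expect: vsnprintf with the real buffer size, explicit truncation reporting, and a length check on the string argument before it reaches the formatter at all. The 3000-byte buffer and the 165001-byte argument length are taken from the advisory; the function names, the "app=%s" format string and the fixed_overhead parameter are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stack buffer size from the advisory's disassembly: sub esp, 0BB8h = 3000 bytes. */
#define SUBMGR_BUF 3000

/* Vulnerable pattern (same shape as the disassembled routine): vsprintf is
 * given no size, so an expansion longer than 3000 bytes writes past the end
 * of buf into the saved frame pointer and return address. Kept only for
 * comparison; the demo functions below never call it. */
void format_unbounded(const char *fmt, ...)
{
    char buf[SUBMGR_BUF];
    va_list ap;

    va_start(ap, fmt);
    buf[0] = '\0';
    vsprintf(buf, fmt, ap);   /* unbounded write: the bug */
    va_end(ap);
}

/* Hardened replacement: vsnprintf knows the buffer size, always writes a
 * terminating NUL when outsz > 0, and returns the length the full result
 * would have had, so the caller can detect truncation instead of silently
 * accepting a cut-off string. Returns bytes written (excluding the NUL), or
 * -1 on truncation or encoding error; the buffer is never written past outsz. */
int format_bounded(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (out == NULL || outsz == 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outsz) {
        out[outsz - 1] = '\0';   /* guarantee termination even on error */
        return -1;
    }
    return n;
}

/* Entry-point check a scriptable method should apply to its string argument
 * before formatting: argument plus the fixed text around it must fit the
 * destination with room for the NUL. fixed_overhead (hypothetical parameter)
 * is the length of the non-argument text in the format string. */
int submgr_arg_ok(const char *arg, size_t buf_size, size_t fixed_overhead)
{
    if (arg == NULL || fixed_overhead >= buf_size)
        return 0;
    return strlen(arg) < buf_size - fixed_overhead;  /* strict: leave room for NUL */
}

/* A short argument passes the check and formats normally; returns the
 * formatted length ("app=hello" is 9 bytes). */
int demo_short_argument(void)
{
    char out[SUBMGR_BUF];
    const char *arg = "hello";   /* constructed sample argument */

    if (!submgr_arg_ok(arg, sizeof out, strlen("app=")))
        return -1;
    return format_bounded(out, sizeof out, "app=%s", arg);
}

/* The advisory's PoC length, 165001 'a' bytes, constructed here. Returns 1
 * when the argument is rejected up front AND the bounded formatter, if it
 * were reached anyway, truncates to exactly 2999 characters plus NUL rather
 * than overflowing; returns 0 otherwise. */
int demo_long_argument(void)
{
    static char big[165001 + 1];
    char out[SUBMGR_BUF];
    int rejected, truncated;

    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    rejected  = !submgr_arg_ok(big, sizeof out, strlen("app="));
    truncated = (format_bounded(out, sizeof out, "app=%s", big) == -1)
                && strlen(out) == sizeof out - 1;
    return rejected && truncated;
}

int main(void)
{
    printf("short argument formatted to %d bytes\n", demo_short_argument());
    printf("165001-byte argument handled safely: %s\n",
           demo_long_argument() ? "yes" : "no");
    return 0;
}
```

The two layers are deliberate: the length check at the method boundary is what stops hostile script input before any parsing happens, while the bounded formatter makes the routine safe even if a future caller forgets that check. Reporting truncation with -1 rather than returning the clipped string matters too, because a silently truncated subscription or product string can itself become a logic bug downstream.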