{"id":11852,"date":"2019-11-13T00:10:00","date_gmt":"2019-11-12T23:10:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=11852"},"modified":"2023-08-25T22:54:37","modified_gmt":"2023-08-25T20:54:37","slug":"mcafee-patcht-schwachstelle-in-antivirus-produkten","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/11\/13\/mcafee-patcht-schwachstelle-in-antivirus-produkten\/","title":{"rendered":"McAfee patches vulnerability in antivirus products"},"content":{"rendered":"

[German<\/a>]McAfee had to patch a Local Privlege Escalation (LPE) vulnerability in all editions of its antivirus software for Windows, allowing potential attackers to gain SYSTEM privileges.<\/p>\n

<\/p>\n

Affected by the Local Privlege Escalation bug are McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and McAfee Internet Security (MIS) up to and including version 16.0.R22.<\/p>\n

CVE-2019-3648: DLL-Hijacking<\/h2>\n

According to SafeBreach Labs security researcher Peleg Hadar<\/a>, who discovered the vulnerability, the LPE bug CVE-2019-3648<\/a> however requires that attackers have administrator rights to exploit it. Only then the DLLs can be stored in the appropriate directories. Many users will dismiss this as unproblematic. But the vulnerability allows attackers to bypass McAfee's self defense mechanism by loading any unsigned DLL into multiple services running as NT AUTHORITY\\SYSTEM. <\/p>\n

The problem is once again DLL hijacking, where the DLL search order is used to load DLLs on an already infiltrated machine through system services and thus obtain their permissions. In the concrete case, during the investigation of the products, it was noticed that several McAfee services running as signed processes and as NT AUTHORITY\\SYSTEM try to load: <\/p>\n

c:\\Windows\\System32\\wbem\\wbemcomn.dll <\/p>\n

This file can't be found because it is located in System32<\/em> and not in the System32\\Wbem<\/em> folder. The following graphic shows the futile attempts to load the DLL.<\/p>\n

\"wbemcomn.dll<\/a><\/p>\n

The security researchers suspected that this error could be exploited to load any unsigned DLL into these processes. This enables McAfee's protection mechanisms to be bypassed and at the same time the DLL NT AUTHORITY\\SYSTEM permissions to be obtained.  <\/p>\n

A proof of concept<\/h2>\n

As part of a Proof of Concept (PoC), the security researchers have compiled an unsigned proxy DLL that calls the original wbemcomn.dll<\/em> features. This DLL should also write the name of the loading process, the username that called the file, and the name of the DLL file into a txt file.<\/p>\n

The proxy DLL was then placed in C:\\Windows\\System32\\Wbem<\/em> (which requires administrator privileges) and the computer restarted. Security researchers were able to load any DLL in this way and execute their own code in the context of multiple McAfee processes running NT AUTHORITY\\SYSTEM. This means that McAfee's protections have been bypassed. The vulnerability allows attackers to permanently load and execute malicious malicious code each time the services are loaded. Affected versions are:<\/p>\n