McAfee Subscription Manager Stack Buffer Overflow

Release Date:
August 7, 2006

Date Reported:
July 19, 2006

Patch Development Time (In Days):
17 Days     

Severity:
High (Remote Code Execution)

Vendor:
McAfee

Systems Affected:
McAfee AntiSpyware 1.x, 2.x
McAfee Internet Security Suite 6.x, 7.x, 8.x 
McAfee Personal Firewall Plus 5.x, 6.x, 7.x 
McAfee Privacy Service 6.x, 7.x, 8.x 
McAfee QuickClean 4.x, 5.x, 6.x 
McAfee SpamKiller 5.x, 6.x, 7.x 
McAfee VirusScan 8.x, 9.x, 10.x 
McAfee Wireless Home Network Security 1.x 

Overview:
eEye Digital Security has discovered a vulnerability in McAfee Security
Center that ships with all McAfee consumer products.  There is a remote
code execution vulnerability that allows an attacker to take complete
control of a remote computer by exploiting a vulnerability found in the
Subscription Manager ActiveX control.  

Technical Details:
A stack buffer overflow vulnerability exists in McAfee's Subscription
Manager ActiveX control which is shipped with all Home and Home Business
products.  The McSubMgr.dll is a manager module used to control
subscriptions of a particular product to ensure that the software has
not exceeded its subscription time as well as various maintenance checks
(i.e. Expirations, Old Applications, etc.).  Unfortunately McSubMgr.dll
is set as safe for scripting, so we are able to call various members
from within the .dll from a webpage by referencing its CLSID and passing
arguments to these members.  The vulnerability occurs when we pass a
string of over 3000 bytes using various members which are then passed on
to a vulnerable vsprintf, causing a stack overflow to occur.

.text:02B0B27F var_BB8         = byte ptr -0BB8h  <--  3000 bytes
.text:02B0B27F arg_0           = dword ptr  8
.text:02B0B27F arg_4           = byte ptr  0Ch
.text:02B0B27F
.text:02B0B27F                 push    ebp
.text:02B0B280                 mov     ebp, esp
.text:02B0B282                 sub     esp, 0BB8h
.text:02B0B288                 lea     eax, [ebp+arg_4]
.text:02B0B28B                 push    eax             ; va_list
.text:02B0B28C                 push    [ebp+arg_0]     ; char *
.text:02B0B28F                 lea     eax, [ebp+var_BB8]  
.text:02B0B295                 push    eax             ; char *
.text:02B0B296                 mov     [ebp+var_BB8], 0
.text:02B0B29D                 call    _vsprintf    <-- Exploitable
vsprintf
.text:02B0B2A2                 add     esp, 0Ch
.text:02B0B2A5                 leave
.text:02B0B2A6                 retn
.text:02B0B2A6 sub_2B0B27F     endp

Since there are literally no bounds checking on the vsprintf when a
string exceeding 3000 bytes of data is passed to a 3000 byte buffer, an
overflow occurs, and we are able to execute arbitrary code.  To exploit
this vulnerability over the internet we must first create a web page
with some scripting to create the ActiveX object and call one of the
affected methods so that we may pass data along to overflow the
vulnerable vsprintf.

<object classid='clsid:9BE8D7B2-329C-442A-A4AC-ABA9D7572602' id='Red'
></object> 
GK=String(165001, "a") 
Red.IsAppExpired GK

The above example is a code snip that will send 165001 a's to the
IsAppExpired ActiveX member therefore completely overflowing the stack.

Protection:
Retina Network Security Scanner has been updated to identify this
vulnerability. 
Blink Endpoint Vulnerability Prevention preemptively protects from this
vulnerability.

Vendor Status:
McAfee has released patches for the affected products.  The McAfee
Security Bulletin is available here;
http://ts.mcafeehelp.com/faq3.asp?docid=407052

Credit:
Karl Lynn

Related Links:
Retina Network Security Scanner -
http://www.eeye.com/html/products/retina
Blink Endpoint Vulnerability Prevention -
http://www.eeye.com/html/products/blink

Greetings:
Derek, Barnaby, Dre, Hugo, CSam, Barbara Parker, HD Moore, Mark Dowd,
and GK for the intelligent conversation at the Shadow Bar.. See Ya Next
Tuesday ;)

Copyright (c) 1998-2006 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically. It is not
to be edited in any way without express consent of eEye. If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are no warranties, implied or express, with regard to this information.
In no event shall the author be liable for any direct or indirect
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.