McAfee patches vulnerability in antivirus products

[German] McAfee had to patch a Local Privilege Escalation (LPE) vulnerability in all editions of its antivirus software for Windows; it allows potential attackers to gain SYSTEM privileges.

Affected by the Local Privilege Escalation bug are McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and McAfee Internet Security (MIS) up to and including version 16.0.R22.

CVE-2019-3648: DLL-Hijacking

According to SafeBreach Labs security researcher Peleg Hadar, who discovered the vulnerability, the LPE bug CVE-2019-3648 does, however, require that attackers already have administrator rights to exploit it. Only then can the DLLs be placed in the appropriate directories. Many users will dismiss this as unproblematic. But the vulnerability allows attackers to bypass McAfee's self-defense mechanism by loading any unsigned DLL into multiple services running as NT AUTHORITY\SYSTEM.

The problem is once again DLL hijacking: the DLL search order is abused to get system services on an already compromised machine to load an attacker-controlled DLL, which then runs with the service's permissions. In the concrete case, while investigating the products the researchers noticed that several McAfee services, running as signed processes and as NT AUTHORITY\SYSTEM, try to load:

c:\Windows\System32\wbem\wbemcomn.dll

This file can't be found there, because it is located in System32 and not in the System32\Wbem folder. The following graphic shows the futile attempts to load the DLL.

[Figure: failed attempts to load wbemcomn.dll from System32\Wbem]

The security researchers suspected that this error could be exploited to load any unsigned DLL into these processes. This would bypass McAfee's protection mechanisms and, at the same time, give the DLL NT AUTHORITY\SYSTEM permissions.

A proof of concept

As part of a Proof of Concept (PoC), the security researchers compiled an unsigned proxy DLL that forwards calls to the original wbemcomn.dll. This DLL also writes the name of the loading process, the username under which it was loaded, and the name of the DLL file into a txt file.

The proxy DLL was then placed in C:\Windows\System32\Wbem (which requires administrator privileges) and the computer restarted. In this way the security researchers were able to load an arbitrary DLL and execute their own code in the context of multiple McAfee processes running as NT AUTHORITY\SYSTEM. This means that McAfee's protections were bypassed. The vulnerability allows attackers to persistently load and execute malicious code each time the services start. Affected versions are:

  • McAfee Total Protection (MTP)
  • McAfee Anti-Virus Plus (AVP)
  • McAfee Internet Security (MIS)

up to and including 16.0.R22. McAfee has released version 16.0.R22 Refresh 1 to fix the problem.
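The condition described above is easy to check for on a running system: a DLL in System32\Wbem that has the same name as a DLL in System32 but different content is exactly the planted proxy the researchers describe. The following PowerShell script is an added example for that check; it is not code from this article, from SafeBreach Labs or from McAfee. The directory and file names come from the article; the second function assumes Sysmon is installed with image-load logging (Event ID 7) enabled, which the article does not mention, and the script should be run from an elevated prompt.

```powershell
# Added defensive check (not from the original article, SafeBreach Labs or McAfee).
# Assumptions: run elevated; Find-UnsignedWbemLoad assumes Sysmon with Event ID 7
# (ImageLoad) logging enabled.

$System32 = Join-Path $env:SystemRoot 'System32'

# Part 1: on-disk check. Every DLL in $Dir whose name also exists in System32 is
# reported. A copy that differs from the System32 original is the case worth
# investigating, whether or not it carries a valid Authenticode signature.
function Find-ShadowedDll {
    param([string] $Dir = (Join-Path $System32 'wbem'))

    Get-ChildItem -Path $Dir -Filter '*.dll' -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $canonical = Join-Path $System32 $_.Name
        if (-not (Test-Path -LiteralPath $canonical)) { return }  # nothing to shadow

        $sig      = Get-AuthenticodeSignature -FilePath $_.FullName
        $hashHere = (Get-FileHash -LiteralPath $_.FullName).Hash
        $hashOrig = (Get-FileHash -LiteralPath $canonical).Hash

        [pscustomobject]@{
            Path                = $_.FullName
            Shadows             = $canonical
            IdenticalToSystem32 = ($hashHere -eq $hashOrig)
            SignatureStatus     = $sig.Status
            Signer              = $sig.SignerCertificate.Subject
            Suspicious          = ($hashHere -ne $hashOrig)
        }
      }
}

# Part 2 (Sysmon assumed): image loads from the wbem folder that Sysmon reports
# as unsigned. This catches the load itself, not just the file on disk.
function Find-UnsignedWbemLoad {
    param([int] $MaxEvents = 5000)

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }

        if ($data.ImageLoaded -like "$System32\wbem\*.dll" -and $data.Signed -eq 'false') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $data.Image
                Dll     = $data.ImageLoaded
                Hashes  = $data.Hashes
            }
        }
      }
}

Find-ShadowedDll       | Format-Table -AutoSize
Find-UnsignedWbemLoad  | Format-Table -AutoSize
```

An empty result from both functions is the expected state on a clean machine. The first function reports any shadowing copy, even a signed one, because the question is why a second copy exists in a directory the search order consults before System32; the signature fields are there for triage, not as a clean bill of health. The durable fix lies with the vendor, which is why installing 16.0.R22 Refresh 1 matters: a service that loads system DLLs by full path, or restricts its search path to System32, is not exposed to this search-order problem in the first place.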

The vulnerability was reported to McAfee on August 5, 2019. On August 21, 2019, there was an initial response from HackerOne, and on September 3, 2019, McAfee confirmed the vulnerability. After several status updates, McAfee provided an update for the affected products on October 23, 2019. On October 31, 2019, McAfee assigned CVE-2019-3648 to the vulnerability. On November 12, 2019, McAfee released a security advisory (but the link provided by the SafeBreach Labs security researcher does not work for me). So if you use McAfee, you should install the update immediately. (via)
