~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application:    McAfee FreeScan (ActiveX)
Vendors:        http://us.mcafee.com/root/mfs/default.asp?cid=9914
Platforms:      Windows
Bug:            Buffer Overflow and Private Information Disclosure
Risk:           High - Running Arbitrary Code
Exploitation:   Remote with browser
Date:           1 Apr 2004
Author:         Rafel Ivgi, The-Insider
e-mail:         the_insider@mail.com
web:            http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

McAfee FreeScan helps you detect thousands of viruses on your computer.
Based on the award-winning McAfee VirusScan engine, FreeScan searches for
viruses, including the latest known "in the wild" viruses, and displays a
detailed list of any infected files. Should viruses be found, FreeScan even
provides links to give you more information about the virus and what you
can do to clean your system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

McAfee FreeScan installs and registers the "McFreeScan.CoMcFreeScan.1" COM
object. Once FreeScan has been used for the first time, this type of object
can be created locally and remotely!

For example:

    Set object = CreateObject("McFreeScan.CoMcFreeScan.1")

McAfee FreeScan has a built-in function which retrieves some of the user's
shell folders, such as %Windir% (the Windows folder) and "My Documents",
whose path contains the user name.

This means that:

    msgbox object.GetSpecialFolderLocation(&H0024)
        - will pop up the Windows path
    msgbox object.GetSpecialFolderLocation(&H0005)
        - will pop up the username + My Documents path

An even more dangerous vulnerability appears in the "ScanParam" property of
the object. The following assignment:

    object.ScanParam = [Really Long String - 'A'>700000]

will cause a buffer overflow, allowing a remote user to run arbitrary code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:

------------------- CUT HERE -------------------
Press O.K
Press O.K
Now Close The Window
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible, Can do the Impossible."
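
A defender's check for the exposure described in section 2, added here as an example and not part of the original advisory or of McAfee's code: it resolves the ProgID quoted above to its CLSID and reports whether the Internet Explorer kill bit is set for it and whether the class is registered as safe for scripting or initialization. The kill bit and the two category GUIDs are standard Windows mechanisms not mentioned in the advisory; the function name and output fields are made up for this example.

```powershell
# Added example (not from the advisory): report whether the FreeScan control
# is registered and whether Internet Explorer is blocked from loading it.
$ProgId  = 'McFreeScan.CoMcFreeScan.1'   # ProgID quoted in the advisory
$KillBit = 0x400                         # "Compatibility Flags" bit: do not load in IE
# Component categories that mark a control as usable from web page script
$SafeCats = @{
    '{7DD95801-9882-11CF-9FA9-00AA006C02C4}' = 'SafeForScripting'
    '{7DD95802-9882-11CF-9FA9-00AA006C02C4}' = 'SafeForInitializing'
}

function Get-ActiveXExposure {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$ProgId)

    # HKCR\<ProgID>\CLSID: the default value holds the class identifier
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (-not (Test-Path -LiteralPath $clsidKey)) {
        return [pscustomobject]@{ ProgId = $ProgId; Registered = $false }
    }
    $clsid = (Get-Item -LiteralPath $clsidKey).GetValue('')

    # Inspect the native and the 32-bit (WOW6432Node) machine-wide registry views
    foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        $class = "Registry::HKEY_LOCAL_MACHINE\$view\Classes\CLSID\$clsid"
        if (-not (Test-Path -LiteralPath $class)) { continue }

        $compat = "Registry::HKEY_LOCAL_MACHINE\$view\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
        $flags = 0
        if (Test-Path -LiteralPath $compat) {
            $flags = [int](Get-Item -LiteralPath $compat).GetValue('Compatibility Flags', 0)
        }
        $cats = foreach ($id in $SafeCats.Keys) {
            if (Test-Path -LiteralPath "$class\Implemented Categories\$id") { $SafeCats[$id] }
        }
        [pscustomobject]@{
            ProgId     = $ProgId
            Registered = $true
            View       = $view
            Clsid      = $clsid
            KillBitSet = [bool]($flags -band $KillBit)
            SafeFor    = @($cats) -join ','
        }
    }
}

Get-ActiveXExposure -ProgId $ProgId | Format-List
```

An empty SafeFor field does not prove the control cannot be scripted, since a control can also assert safety at run time through IObjectSafety.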