The following advisory describes a remote code execution vulnerability found in McAfee Security Scan Plus. An active network attacker could launch a man-in-the-middle attack on a plaintext-HTTP response to the client and run any executable residing on the machine with the privileges of the logged-in user.
McAfee Security Scan Plus is a free diagnostic tool that ensures you are protected from threats by actively checking your computer for up-to-date anti-virus, firewall, and web security software. It also scans for threats in any open programs.
An independent security research company, Silent Signal, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
The vendor has released patches to address this vulnerability.
For more information: https://service.mcafee.com/webcenter/portal/cp/home/articleview?articleId=TS102714
McAfee Security Scan Plus retrieves promotional and UI design information from different mcafee.com domains and displays them to the user, typically in the main application window.
The vulnerability is caused by multiple factors:
- Information is retrieved over plaintext HTTP that can be trivially modified by an active network attacker.
After each scan, McAfee Security Scan Plus downloads a UI element indicating the “protection level” of the target from the following URL:
<script> window.external.LaunchApplication("c:\\windows\\system32\\calc.exe", ""); </script>
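A defender-side check for the condition described above, as an added example that is not part of the original advisory or the vendor's code: it parses a captured plaintext-HTTP response and reports any window.external.LaunchApplication call in the body, including when the body is gzip-compressed. The host name, sample responses and function names are constructed for illustration; the URL is a placeholder, not the one the product uses.

```python
import gzip
import re
from urllib.parse import urlsplit

# One quoted JavaScript string literal (single or double quotes, backslash escapes allowed).
_STR = r"""(?P<q{n}>["'])(?P<s{n}>(?:\\.|(?!(?P=q{n})).)*)(?P=q{n})"""
# Call to the host-object method shown in the advisory; tolerant of extra whitespace.
LAUNCH_CALL = re.compile(
    r"window\s*\.\s*external\s*\.\s*LaunchApplication\s*\(\s*"
    + _STR.format(n=1) + r"\s*,\s*" + _STR.format(n=2) + r"\s*\)",
    re.S,
)


def _unescape(js_string: str) -> str:
    """Undo backslash escaping inside a JS string literal (e.g. two backslashes -> one)."""
    return re.sub(r"\\(.)", r"\1", js_string)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (headers, decoded body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)  # a compressed body would hide the call from a byte match
    return headers, body.decode("utf-8", errors="replace")


def find_launch_calls(url: str, raw: bytes) -> list:
    """Return every LaunchApplication call found in a plaintext-HTTP response."""
    if urlsplit(url).scheme.lower() != "http":
        return []  # the advisory's issue concerns content fetched over plaintext HTTP
    _, text = parse_http_response(raw)
    return [
        {"url": url, "executable": _unescape(m["s1"]), "arguments": _unescape(m["s2"])}
        for m in LAUNCH_CALL.finditer(text)
    ]


# Constructed samples. The host name is a placeholder, not the URL the product uses.
URL = "http://ui.example.test/protection-level.html"
HEAD = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
SCRIPT = rb'<script> window.external.LaunchApplication("c:\\windows\\system32\\calc.exe", ""); </script>'
TAMPERED = HEAD + b"\r\n" + SCRIPT
TAMPERED_GZIP = HEAD + b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(SCRIPT)
CLEAN = HEAD + b"\r\n<html><body><img src='level.png'></body></html>"
```

Any finding on a response that should only carry promotional or UI markup is worth investigating, since the legitimate content has no reason to start a local executable.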
Proof of Concept