SSD Advisory – McAfee Security Scan Plus Remote Command Execution

Vulnerability Summary
The following advisory describes a Remote Command Execution found in McAfee Security Scan Plus version 3.11.587.1
McAfee Security Scan Plus is “a free diagnostic tool that ensures you are protected from threats by actively checking your computer for up-to-date anti-virus, firewall, and web security software. It also scans for threats in any open programs.”
Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Vendor response
A Security Bulletin, TS102723, was published for the vulnerability, available here:
http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS102723

Vulnerability details
An active network attacker can achieve remote code execution on a machine that runs McAfee Security Scan Plus
When the scan is complete, McAfee Security Scan Plus POST data to liteapps.mcafee.com over plaintext HTTP channel.


A man-in-the-middle attack can modify the response, by add

<script>
window.external.LaunchApplication("c:\\windows\\system32\\calc.exe", "");
</script>