Privilege Escalation via Antivirus Software



Similar documents

McAfee Optimized Virtual Environments for Servers. Installation Guide

McAfee Certified Product Specialist McAfee epolicy Orchestrator

When your users take devices outside the corporate environment, these web security policies and defenses within your network no longer work.

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Turning your managed Anti-Virus

McAfee Optimized Virtual Environments - Antivirus for VDI. Installation Guide

Sophos Deployment Packager user guide. Product version: 1.2

McAfee Endpoint Encryption for PC 7.0

Criteria for web application security check. Version

Snow Active Directory Discovery

McAfee Client Proxy Software

Pass-the-Hash. Solution Brief

Unprecedented Malware Growth

Sophos Endpoint Security and Control How to deploy through Citrix Receiver 2.0

Trend Micro Worry- Free Business Security st time setup Tips & Tricks

Installation Guide Revision B. McAfee epolicy Orchestrator Software

App Orchestration 2.5

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

InternetVista Web scenario documentation

Using Foundstone CookieDigger to Analyze Web Session Management

Locking down a Hitachi ID Suite server

Protecting the un-protectable Addressing Virtualisation Security Challenges

THE OPEN UNIVERSITY OF TANZANIA

Product Guide. McAfee epolicy Orchestrator Software

Thick Client Application Security

Product Guide. McAfee epolicy Orchestrator Software

Office of Education Technology (OET) Security Best Practices Guideline for Districts

Product Guide. McAfee Endpoint Security for Mac Threat Prevention

App Orchestration 2.0

McAfee Global Threat Intelligence File Reputation Service. Best Practices Guide for McAfee VirusScan Enterprise Software

Quick Start 5: Introducing and configuring Websense Cloud Web Security solution

i2b2: Security Baseline

Release Notes for McAfee epolicy Orchestrator 4.5

Where every interaction matters.

McAfee VirusScan Enterprise for Linux Software

Integrating Web Application Security into the IT Curriculum

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Installation Guide. McAfee epolicy Orchestrator Software

POC Installation Guide for McAfee EEFF v4.1.x using McAfee epo 4.6. New Deployments Only Windows Deployment

Product Guide. McAfee Endpoint Protection for Mac 2.1.0

Intel Security Certified Product Specialist Data Loss Prevention Endpoint (DLPe)

McAfee MOVE AntiVirus (Agentless) 3.6.0

GS1 Trade Sync Connectivity guide

Host/Platform Security. Module 11

Five Steps to Improve Internal Network Security. Chattanooga ISSA

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Introduction to the EIS Guide

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

McAfee Gateway 7.x Encryption and IronPort Integration Guide

McAfee VirusScan and epolicy Orchestrator Administration Course

In the recent past, there were several computer-based

McAfee DAT Reputation Implementation Guide. Version 1.0 for Enterprise

CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption

McAfee epolicy Orchestrator

Best Practices Guide. McAfee epolicy Orchestrator Software

McAfee MOVE / VMware Collaboration Best Practices

Appalachian Regional Commission Evaluation Report. Table of Contents. Results of Evaluation Areas for Improvement... 2

McAfee Data Loss Prevention Endpoint

Assuring Application Security: Deploying Code that Keeps Data Safe

Use Enterprise SSO as the Credential Server for Protected Sites

GFI Product Manual. Administration and Configuration Manual

SECURE Web Gateway. HTTPS/SSL Technical FAQ. Version 1.1. Date 04/10/12

That Point of Sale is a PoS

SOA Software API Gateway Appliance 7.1.x Administration Guide

How to hack VMware vcenter server in 60 seconds

Best Practices Guide Revision B. McAfee epolicy Orchestrator Software

McAfee Firewall Enterprise System Administration Intel Security Education Services Administration Course

GRAVITYZONE HERE. Deployment Guide VLE Environment

The User is Evolving. July 12, 2011

Centrify Cloud Connector Deployment Guide

McAfee Threat Intelligence Exchange Software

Installation Guide. McAfee epolicy Orchestrator Software

How To Update From The Network Associates Repository On A Virus Scan Enterprise 7.0 (Windows) On A Pc Or Macbook Or Macintosh (Windows 7) On An Ubuntu 7.5 (Windows 8) On Your Computer Or Mac Mac

McAfee Cloud Single Sign On

McAfee Enterprise Mobility Management 11.0 Software

Integrating with BarTender Integration Builder

Technology Blueprint. Secure Your Virtual Desktop Infrastructure. Optimize your virtual desktop infrastructure for performance and protection

HotZone. Theory of Operations Configuration Management

Setup Guide Revision A. WDS Connector

Installation Procedure For McAfee Agent

Intel Security Certified Product Specialist McAfee Network Security Platform (NSP)

McAfee Public Cloud Server Security Suite

The client transfer between epo servers guide. McAfee Drive Encryption 7.1.3

Copyright

Hardware Sizing and Bandwidth Usage Guide. McAfee epolicy Orchestrator Software

Setup Guide Revision B. McAfee SaaS Archiving for Microsoft Exchange Server 2010

Internal Penetration Test

Industrial Security for Process Automation

Data Security and Governance with Enterprise Enabler

Product Guide. McAfee epolicy Orchestrator Software

CAC/PIV PKI Solution Installation Survey & Checklist

Creating a User Profile for Outlook 2013

Microsoft Baseline Security Analyzer (MBSA)

Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012

Configure Managed File Transfer Endpoints

Sophos Cloud Migration Tool Help. Product version: 1.0

Transcription:

Privilege Escalation via Antivirus Software A security vulnerability in the software component McAfee Security Agent, which is part of the antivirus software McAfee VirusScan Enterprise, can be leveraged in attacks against corporate networks. Dipl.-Inform. Matthias Deeg Dipl.-Inform. Sebastian Schreiber January 26, 2011

1 Introduction Today almost every client system and the majority of server systems in enterprise environments are protected by endpoint protection software, e.g. antivirus software, especially when Windows operating systems are in use. In recent years, it has been shown more than once that these protective software products sometimes also have severe security vulnerabilities which can be exploited by attackers (cf. [1]). In a security analysis of the antivirus software McAfee VirusScan Enterprise (VSE), the could find a security vulnerability in the software component McAfee Security Agent (MSA) which can be used under certain conditions in order to perform privilege escalation attacks within corporate networks. Several software versions of McAfee VirusScan Enterprise are affected by this security issue. According to McAfee, the McAfee Security Agent is the client component of the McAfee epolicy Orchestrator (epo), a central console which can be used to manage several McAfee software products. Therefore, the security vulnerability described below is not a security issue of the antivirus software McAfee VirusScan Enterprise, but a security issue of the used software component McAfee Security Agent which is part of McAfee VirusScan Enterprise but also used by other McAfee software products. 2 Security Assessment In enterprise environments, it is not unusual that software updates for endpoint protection software are not downloaded via the Internet from external sources by each software installation but that software updates are provided by a local update server within the corporate network. The software component McAfee Security Agent which is used for managing software updates of the antivirus software McAfee VirusScan Enterprise stores the configuration settings of the AutoUpdate repository list 1 in two XML files named SiteList.xml and ServerSiteList.xml. In the current software version McAfee VirusScan Enterprise 8.7.0i, these two configuration files are located in the directory %AllUsersProfile%Application Data\McAfee\Common Framework\ and they can be read by every user who has access to the Windows system, as figure 1 illustrates. 1 repositories for the update function, e.g. FTP servers or network shares 2

Figure 1: Read access for the file SiteList.xml for every user (German Windows) The password information for different repositories (FTP, HTTP, UNC or local paths) as well as for proxy servers are encrypted and stored as base64 -encoded value. The following listing shows the content of a sample configuration file SiteList.xml: 1 <?xml version=" 1.0" encoding=" UTF -8"?> 2 <n s : S i t e L i s t s xmlns:ns=" nasitelist " GlobalVersion=" 20030131003110 " 3 LocalVersion=" 20101203081306 " Type="Client"> 4 <S i t e L i s t Default="1" Name=" SomeGUID "> 5 <H t t p S i t e Type=" repository " Name=" NAIHttp " Order="1" Enabled="1" 6 Local="1" Server="update.nai.com:80"> 7 <RelativePath>products /commonupdater</ RelativePath> 8 <UseAuth>0</ UseAuth> 9 <UserName></UserName> 10 <Password Encrypted="1"> 11 f2mwbtzpqdtny6qnosvexh9psau8z0hbz2okdtrfxsr/abafpm9b3q== 12 </ Password> 13 </ HttpSite> 14 <FTPSite Type=" repository " Name=" NAIFtp" Order="2" 15 Server="ftp.nai.com:21" Enabled="1" Local="1"> 3

16 <RelativePath>CommonUpdater</ RelativePath> 17 <UserName>anonymous</UserName> 18 <Password Encrypted="1"> 19 MQCBNesmh4xsoov8E4KA/i9ukpwRoD3RDId9bU+InCJ/abAFPM9B3Q== 20 </ Password> 21 </ FTPSite><UNCSite Type=" repository " Name=" Enterprise Repository " 22 Order="3" S e r v e r=" 10.0.23.42 " Enabled="1" L o ca l="1"> 23 <ShareName>r e p o s i t o r y $</ShareName> 24 <RelativePath>mcafee</ RelativePath> 25 <UseLoggedonUserAccount>0</ UseLoggedonUserAccount> 26 <DomainName>Domain</DomainName> 27 <UserName>AV ADMIN</UserName> 28 <Password Encrypted="1"> 29 b2x6afvmw6rbn+psiudccn9psau8z0hbz2okdtrfxsr/abafpm9b3q== 30 </ Password> 31 </UNCSite> 32 <ProxyConfigList> 33 <ProxyConfig Name="" UseIEConfig="1" L o ca l="1"> 34 <AllowUserToConfigureProxy>0</ AllowUserToConfigureProxy> 35 <BypassLocalAddress>0</ BypassLocalAddress> 36 <E x c l u s i o n L i s t /><FtpUseAuth>0</FtpUseAuth> 37 <HttpUseAuth>0</ HttpUseAuth> 38 <HttpProxyUser></ HttpProxyUser> 39 <HttpProxyPassword Encrypted="1"> 40 f2mwbtzpqdtny6qnosvexh9psau8z0hbz2okdtrfxsr/abafpm9b3q== 41 </ HttpProxyPassword> 42 <FtpProxyUser></ FtpProxyUser> 43 <FtpProxyPassword Encrypted="1"> 44 f2mwbtzpqdtny6qnosvexh9psau8z0hbz2okdtrfxsr/abafpm9b3q== 45 </ FtpProxyPassword> 46 <AlternateFtpUseAuth>0</ AlternateFtpUseAuth> 47 <AlternateHttpUseAuth>0</ AlternateHttpUseAuth> 48 <AlternateHttpProxyUser></ AlternateHttpProxyUser> 49 <AlternateHttpProxyPassword Encrypted="1"> 50 f2mwbtzpqdtny6qnosvexh9psau8z0hbz2okdtrfxsr/abafpm9b3q== 51 </ AlternateHttpProxyPassword> 52 <AlternateFtpProxyUser></ AlternateFtpProxyUser> 53 <AlternateFtpProxyPassword Encrypted="1"> 54 f2mwbtzpqdtny6qnosvexh9psau8z0hbz2okdtrfxsr/abafpm9b3q== 55 </ AlternateFtpProxyPassword> 56 </ ProxyConfig> 57 </ ProxyConfigList> 58 </ S i t e L i s t> 59 </ n s : S i t e L i s t s> Listing 1: Content of a sample configuration file SiteList.xml An analysis of the used encryption method by the showed, that the encryption algorithm Triple DES (3DES) 2 in combination with a simple XOR encryption is used. The fact that not only the encryption key for the 3DES but also for the XOR encryption is static, is of particular interest. 2 further information can be found at http://de.wikipedia.org/wiki/data_encryption_standard 4

Further investigations by the showed that the password information of the following software versions are all encrypted with the same encryption keys: McAfee VirusScan Enterprise 7.1.0 McAfee VirusScan Enterprise 8.0.0i McAfee VirusScan Enterprise 8.5.0i McAfee VirusScan Enterprise 8.7.0i The fact that every user can read the configuration files of the McAfee VirusScan Enterprise installation respectively the McAfee Security Agent, in which user credentials for internal update or proxy servers are stored with a very high probability in enterprise environments, makes it possible to perform privilege escalation attacks under certain conditions. In this kind of attack, the attacker elevates his privileges in order to gain access to resources he usually has no access to. In the context of a Windows domain within a corporate network, for example, an attacker can elevate his privileges by stealing credentials of other domain users. Especially user accounts for software deployment and endpoint protection software are interesting targets for such an attack, as these user accounts usually have higher privileges in order to accomplish administrative tasks. The encrypted password information in the configuration files, which are possibly useful for privilege escalation attacks, can be decrypted very easily. An attacker only has to copy the corresponding configuration files, import them in an installation of McAfee VirusScan Enterprise 3 of his own and afterwards reveal the passwords with a password revealer 4 of his choice. Figure 2 shows the configuration of a sample repository named Enterprise Repository with and without revealed password information for the user AV-ADMIN. 3 Evaluation versions can be obtained from McAfee free of charge 4 e.g. http://win32assembly.online.fr/files/revealer.zip 5

Figure 2: Configuration of the sample repository Enterprise Repository with and without revealed password information Furthermore, the developed a software tool called McAfee Password Decryptor which is able to decrypt all password information of the configuration files SiteList.xml and ServerSiteList.xml independent of a McAfee VirusScan Enterprise installation. The following output of this software tool shows the decryption of password information of a configuration file copied from a McAfee VirusScan Enterprise 8.7.0i installation. 6

$./mpd.py SiteList.xml / \ / / / / \ \ --. \ --.\ --. --. \ --. \ --. \ /\ / / _ /\ / /\ / / \ \ / \, \ /\ /... decrypts your passwords! / \ / / / / / / / ( ) /_/ (oo) /------\/ / * ^^ ^^ McAfee Password Decryptor v1.0 by Matthias Deeg <matthias.deeg@syss.de> - (c) 2010 [*] Found 3 user credentials in SiteList.xml Username Password Account Type ------------------------------------------------------------------------------------------------- anonymous CommonUpdater@McAfeeB2B.com FTP (NAIFtp, ftp.nai.com:21) <empty> <empty> HTTP (NAIHttp, update.nai.com:80) AV-ADMIN ~Z.Beebl3br0x~ UNC (Enterprise Repository, \\10.0.23.42\repository$\mcafee) In the course of conducted security assessments, the could successfully perform privilege escalation attacks within corporate networks by exploiting the described security vulnerbality in order to gain administrative privileges for Windows domains. 3 Conclusion The rates the found security vulnerability as high security risk, because under certain conditions it is possible to perform privilege escalation attacks by exploiting this security weakness, which can even result in administrative privileges for Windows domains. Generally, the access to password information, no matter whether encrypted or not, should be restricted as much as possible. Configuration files that are readable by every system user are not the proper place to store such data. The fact that different software versions of McAfee VirusScan Enterprise respectively different software versions of the McAfee Security Agent use the same encryption method and the same encryption keys for several years now, facilitates privilege escalation attacks concerning this software. 7

Besides the antivirus software McAfee VirusScan Enterprise, the knows about further software products of other manufacturers which are also prone to the described type of security vulnerability. Therefore, these software products can also be levereged under certain conditions to gain elevated privileges within corporate networks. The recommends to use least-privileged user accounts (LUA) for software updates in order to reduce the risk of possible privilege escalation attacks with the access to corresponding password information. The contacted the software manufacturer McAfee and informed him about the found security issue. McAfee responded quickly and released a knowledge base article titled Important information on using Download Credentials (see [2]) in which the proper and secure configuration of the affected software component McAfee Security Agent is described. Furthermore, according to McAfee any additional code changes concerning this security issue will also be included in an update to this knowledge base article in the future. References [1] Jürgen Schmidt, Antivirus software as a malware gateway, http://www.h-online. com/security/features/antivirus-software-as-a-malware-gateway-746143. html 2 [2] McAfee Knowledge Base article, Important information on using Download Credentials, https://kc.mcafee.com/corporate/index?page=content&id=kb70999 8 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information