P0wnographer finds remote code exec bug in McAfee enterprise

McAfee has taken six months to patch 10 critical vulnerabilities in its VirusScan Enterprise Linux client. And these were nasty bugs as when chained they resulted remote code execution as root.

Andrew Fasano, security researcher with MIT Lincoln Laboratory, says attackers can chain the flaws to compromise McAfee Linux clients by spinning up malicious update servers.

"At a first glance, Intel's McAfee VirusScan Enterprise for Linux has all the best characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it's not particularly popular, and it looks like it hasn't been updated in a long time," Fasano writes.

"When I noticed all these, I decided to take a look."

His efforts now lead him to assert that "A system running Intel's McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities [which] can be chained together to allow remote code execution as root."

Fasano reported the bugs on 23 June through the US computer emergency response team clearing house which passed the vulnerabilities on to McAfee. He says the security company asked for a six-month non-disclosure period, plus a couple of extensions that would take it significantly longer than the standard 90-days patch-or-perish guidance offered by the likes of Google.

McAfee made no subsequent contact after July, fixing the bugs on 9 December, four days after Fasano told the firm he would publish the vulnerabilities today.

The chained bugs showcase the dangers that antivirus platforms often present to the security of enterprises and users by way of its by-design root privileges and large attack surfaces.

@VessOnSecurity @Jindroush Kinda like how a lightbulb that sets things on fire is still high quality, so long as you only measure lumens?

— Tavis Ormandy (@taviso) November 19, 2016

Fasano detailed the exploitation process including a proof-of-concept.

The attack starts with twin flaws (CVE-2016-8022, CVE-2016-8023) that allow an authentication token to be brute-forced and used to connect with McAfee Linux clients.

From there attackers use another flaw (CVE-2016-8021) to force targeted McAfee installs to create malicious scripts.

Those scripts are then executed utilising the same vulnerability plus an authenticated remote code execution privelege escalation bug (CVE-2016-8020, CVE-2016-8021)

With those flaws combined the attacker's malicious script is then run as root on the victim machines.

Fasano says exploitation depends on valid login tokens generated when users log into McAfee web interfaces and lasting about an hour.

Other bugs Fasano found include a remote unauthenticated file read and existence test (CVE-2016-8016, CVE-2016-8017); cross-site request forgery tokens (CVE-2016-8018); cross-site scripting (CVE-2016-8019); HTTP response splitting (CVE-2016-8024), and an authenticated SQL injection bug (CVE-2016-8025). ®