<<< Date Index >>>     <<< Thread Index >>>

McAfee SecurityCenter Privacy Service HTML Execution Vulnerability



[HSC] McAfee SecurityCenter Privacy Service HTML Execution Vulnerability


McAfee provides a proactive PC and Internet security service that helps you 
avoid 
online attacks and protects what you value from hackers, identity thieves and 
other 
online criminals. 

A HTML execution vulnerability may allow an attacker to execute HTML scripts on 
the system under the context of the user. These scripts can perform any action 
that the 
user would. The flaw lies in the processing of filtering that is saved after 
exiting.



Hackers Center Security Group (http://www.hackerscenter.com)
Credit: DoZ


Risk: Medium
Class: Input Validation Error
Local: Yes

Vendor: http://us.mcafee.com/
Product: McAfee SecurityCenter
Version: McAfee Privacy Service 8.1.0.136

Exploit: An exploit is not required.

An attacker may attack this issue to execute code in the context of the 
affected software, and distribute this code across Privacy Service 
infrastructure. Also making a patch that works
with this hole will allow attackers to use this hole as platform for other 
attacks.



Examples: 

1.
After turning your software into a web browser, you can inject
this website http://www.crashie.com/ and it will crash McAfee Privacy Service.
One can also use an Internet Explorer exploit to crash the McAfee Application.

<script>for (x in document.write) { document.write(x);}</script>

2.
Paste your slogan to see if software is vul to this attack.

<h1>Hello!</h1>



Proof of Concept:

http://www.hackerscenter.com/public/images/1.jpg
http://www.hackerscenter.com/public/images/2.jpg
http://www.hackerscenter.com/public/images/3.jpg



Only becoming a Ethical Hacker, you can stop Black Hat Hackers. Learn with out 
having to pay thousands!- http://kit.hackerscenter.com - The most comprehensive 
security pack you will ever find on the net!