Home / vulnerabilitiesPDF  

mcafeeps-exec.txt

Posted on 04 December 2007
Source : packetstormsecurity.org Link

 

[HSC] McAfee SecurityCenter Privacy Service HTML Execution Vulnerability


McAfee provides a proactive PC and Internet security service that helps you avoid
online attacks and protects what you value from hackers, identity thieves and other
online criminals.

A HTML execution vulnerability may allow an attacker to execute HTML scripts on
the system under the context of the user. These scripts can perform any action that the
user would. The flaw lies in the processing of filtering that is saved after exiting.



Hackers Center Security Group (http://www.hackerscenter.com)
Credit: DoZ


Risk: Medium
Class: Input Validation Error
Local: Yes

Vendor: http://us.mcafee.com/
Product: McAfee SecurityCenter
Version: McAfee Privacy Service 8.1.0.136

Exploit: An exploit is not required.

An attacker may attack this issue to execute code in the context of the affected software, and distribute this code across Privacy Service infrastructure. Also making a patch that works
with this hole will allow attackers to use this hole as platform for other attacks.



Examples:

1.
After turning your software into a web browser, you can inject
this website http://www.crashie.com/ and it will crash McAfee Privacy Service.
One can also use an Internet Explorer exploit to crash the McAfee Application.

<script>for (x in document.write) { document.write(x);}</script>

2.
Paste your slogan to see if software is vul to this attack.

<h1>Hello!</h1>



Proof of Concept:

http://www.hackerscenter.com/public/images/1.jpg
http://www.hackerscenter.com/public/images/2.jpg
http://www.hackerscenter.com/public/images/3.jpg



Only becoming a Ethical Hacker, you can stop Black Hat Hackers. Learn with out
having to pay thousands!- http://kit.hackerscenter.com - The most comprehensive
security pack you will ever find on the net!

 

TOP