{"id":287,"date":"2020-07-14T05:37:11","date_gmt":"2020-07-14T05:37:11","guid":{"rendered":"http:\/\/labs.redyops.com\/?p=287"},"modified":"2020-09-22T06:57:25","modified_gmt":"2020-09-22T06:57:25","slug":"mcafee-total-protection-mtp-16-0-r26-escalation-of-privilege-cve-2020-7283","status":"publish","type":"post","link":"https:\/\/labs.redyops.com\/index.php\/2020\/07\/14\/mcafee-total-protection-mtp-16-0-r26-escalation-of-privilege-cve-2020-7283\/","title":{"rendered":"McAfee Total Protection (MTP) < 16.0.R26 Escalation of Privilege (CVE-2020-7283)"},"content":{"rendered":"
<\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/a><\/div><\/div>\n\n\n\n

Summary<\/strong><\/h1>\n\n\n\n

Assigned CVE<\/strong>: CVE-2020-7283<\/em> has been assigned and RedyOps Labs has been publicly acknowledged by the vendor.<\/p>\n\n\n\n

Known to Neurosoft’s RedyOps Labs since<\/strong>: 09\/03\/2020<\/p>\n\n\n\n

Exploit<\/strong> Code<\/strong>: https:\/\/github.com\/RedyOpsResearchLabs\/CVE-2020-7283-McAfee-Total-Protection-MTP-16.0.R26-EoP<\/a><\/p>\n\n\n\n

Vendor’s Advisory<\/strong>: https:\/\/service.mcafee.com\/webcenter\/portal\/oracle\/webcenter\/page\/scopedMD\/s55728c97_466d_4ddb_952d_05484ea932c6\/Page29.jspx?showFooter=false&articleId=TS103062&leftWidth=0%25&showHeader=false&wc.contextURL=%2Fspaces%2Fcp&rightWidth=0%25&centerWidth=100%25&_adf.ctrl-state=72mvomkv4_9&_afrLoop=1512627449091793#!<\/a> <\/p>\n\n\n\n

An Elevation of Privilege (EoP) exists in McAfee Total Protection (MTP) < 16.0.R26 . The latest version we tested is McAfee Total Protection (MTP) 16.0.R23. The exploitation of this EoP , gives the ability to a low privileged user to create a file anywhere in the system. The file is being created with a DACL , which allows any user to edit the file. Because of this, the attacker can create a file with any chosen name.extension and edit it in order to execute the code of his choice. <\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

If the file already exists, it will be overwritten, with an empty file. <\/p>\n\n\n\n

There are many ways to abuse this issue. We chose to create a bat file in the Users Startup folder C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\backdoor.bat .<\/p>\n\n\n\n

Description<\/strong><\/h1>\n\n\n\n

Whenever a scan is initiated, the process MMSSHOST.EXE which runs as an NT AUTHORITY\\SYSTEM, and without impersonation, creates the file c:\\ProgramData\\McAfee\\MSK\\settingsdb.dat . <\/p>\n\n\n\n

The permissions which are assigned to this file, allow to the “Authenticated Users” to have full control over the file.<\/p>\n\n\n\n

When we first log into the windows system and without performing any actions, the file c:\\ProgramData\\McAfee\\MSK\\settingsdb.dat and the files MSK*.dat in the same folder, are not locked (they are not used by any program) and we have the proper permissions in order to delete them.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

After we delete these files, we can make “C:\\ProgramData\\McAfee\\MSK\\settingsdb.dat”, a symlink to any chosen file. <\/p>\n\n\n\n

With the symlink in place, the initiation of a scan will trigger the execution of the MMSSHOST.EXE. <\/p>\n\n\n\n

At this very moment, If we initiate a scan, the MMSSHOST.EXE will try to create the file C:\\ProgramData\\McAfee\\MSK\\settingsdb.dat , it will follow the symlink and will actually create the file which is pointed by the symlink. <\/p>\n\n\n\n

After that, it will set the new permissions to that file, which allows to the “Authenticated Users” to have full control over the newly created file. Most of the times, the newly created file will remain locked and we will not be able to edit it until we reboot. After the reboot, the file is unlocked and we can edit the file and add any contents we like.<\/p>\n\n\n\n

Note<\/strong>: Although we exploited the issue by creating symlinks of the files under the path c:\\ProgramData\\McAfee\\MSK\\ , the files under the folder c:\\ProgramData\\McAfee\\MPF\\ seem to be affected as well.<\/p>\n\n\n\n

Exploitation<\/strong><\/h1>\n\n\n\n

In order to Exploit the issue, you can use our exploit from our GitHub<\/a> . <\/p>\n\n\n\n

In the following paragraph, a step by step explanation of the Video PoC where we use the exploit is provided.<\/p>\n\n\n\n

Video PoC Step By Step<\/strong><\/h1>\n\n\n\n

The exploit takes as an argument the file you want to create . <\/p>\n\n\n\n

\n