SafeBreach Labs discovered a new vulnerability in all the editions of McAfee Antivirus software.
In this post, we will demonstrate how this vulnerability could have been used in order to bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.
Note: In order to exploit this vulnerability the attacker needs to have Administrator privileges.
McAfee Total Protection
McAfee Total Protection provides premium antivirus, identity and privacy protection.
Multiple parts of the software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions.
In this post, we describe the vulnerability we found in all of the editions of McAfee Antivirus software.
We then demonstrate how this vulnerability can be exploited to achieve arbitrary code execution within the context of multiple McAfee services, gaining access with NT AUTHORITY\SYSTEM level privileges.
In our exploration, we found that multiple services of the McAfee software which run as signed processes and as NT AUTHORITY\SYSTEM try to load c:\Windows\System32\wbem\wbemcomn.dll, which cannot be found (since it is actually located in System32 and not in the System32\Wbem folder):.
We suspected that a vulnerability could be exploited if we could load an arbitrary unsigned DLL into these processes. This would enable us to bypass the self-defense mechanism of the antivirus software, mainly because the folders of the McAfee software are protected by a mini-filter filesystem driver, which restricts writing operations even by an Administrator.
If the mini-filter filesystem driver is effective, even if we run as an Administrator and implant a DLL which doesn’t exist in order to load it into McAfee’s processes, we won’t be able to do that.
In order to test this vulnerability, we compiled a proxy DLL (unsigned) out of the original wbemcomn.dll DLL file, which writes the following to the filename of a txt file:
- The name of the process which loaded it
- The username which executed it
- The name of the DLL file
We then implanted it in C:\Windows\System32\Wbem, and restarted the computer:
We were able to load an arbitrary DLL and execute our code within multiple processes which are signed by McAfee, LLC as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.
Root Cause Analysis
There are multiple components in multiple files which may cause this issue. We will analyze one of them because the root cause is always very similar.
Once the “McAfee Module Core Service” (ModuleCoreService.exe) is started, it loads the mcutil.dll library.
Using CoCreateInstance, the mcutil.dll library initializes a COM object of the IWbemLocator interface, in order to obtain the initial namespace pointer to the IWbemServices interface and perform WMI operations on the host computer.
A brief look at the CLSID registry key shows us that this COM class is implemented within the
“C:\Windows\System32\wbem\wbemprox.dll” library, which means that once the COM object is initialized, this library will be loaded and the exported “DllGetClassObject” function will be called:
Once the DllGetClassObject function of the wbemprox.dll library is called, the imported “CWin32DefaultArena::WbemMemAlloc” function is called multiple times:
We can see that this function is imported from wbemcomn.dll, which causes the service to try and load this DLL.
There are two root causes for this vulnerability:
No digital signature validation is made against the binary. The program does not validate whether the DLL that it is loading is signed (for example, using the WinVerifyTrust function). Therefore, it can load an arbitrary unsigned DLL.
The wbemprox.dll is trying to import the wbemcomn.dll from it’s current working directory (CWD), which is C:\Windows\System32\Wbem, while the file is actually located in the System32 folder.
Potential Malicious Uses and Impact
Below we show three possible ways that an attacker can leverage the vulnerability we discovered and documented above.
Defense Evasion, Signed Execution, Whitelisting Bypass
The vulnerability gives attackers the ability to load and execute malicious payloads using multiple signed services, within the context of McAfee’s signed processes. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass. The antivirus might not detect the attacker’s binary, because it tries to load it without any verification against it.
The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the services are loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time the services are restarted.
- McAfee Total Protection (MTP)
- McAfee Anti-Virus Plus (AVP)
- McAfee Internet Security (MIS)
The versions affected are all up to and including 16.0.R22.
Version 16.0.R22 Refresh 1 being released to address the issue.
Aug 5th, 2019 – Vulnerability reported to McAfee
Aug 21st, 2019 – Initial Response from HackerOne
Sep 3rd, 2019 – McAfee confirmed the vulnerability
Sep 11th, 2019 – Status Update from McAfee
Sep 12th, 2019 – Status Update from McAfee
Oct 8th, 2019 – McAfee shared a timeline of a fix deployment
Oct 23rd, 2019 – McAfee provided the affected products
Oct 31st, 2019 – McAfee issued CVE-2019-3648 and provided affected versions.
Nov 12th, 2019 – Mcafee published a security advisory