McAfee: bad catalog when updating
Before getting into the details of the vulnerabilities in this product, it helps to have a quick understanding of the system architecture.
This product contains two separate services: one running as root and one running as an unprivileged user called nails.
It's trivial to generate a shell script that takes a while to download but executes a given payload as soon as it is run, before the download has finished.
This can be done by creating a script that contains the desired payload and then appending a large comment after the payload.
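The defensive counterpart to the behaviour described above is to never hand a download to an interpreter while it is still arriving: buffer the whole body, check it against a digest obtained out of band, and only then run it. The following is an added example, not code from the original post or from McAfee; it assumes a hypothetical updater that receives the script as a file-like stream and already knows the expected SHA-256 (for instance from a signed catalog). The sample script and its digest are constructed inline.

```python
"""Fetch-verify-then-execute: a hardened update-fetch pattern (added example)."""
import hashlib
import hmac
import io
import os
import subprocess
import tempfile

MAX_SCRIPT_BYTES = 10 * 1024 * 1024  # assumed size cap for an update script


def fetch_whole(stream, limit=MAX_SCRIPT_BYTES):
    """Read the entire stream into memory before anything is interpreted.

    Piping a download straight into an interpreter lets it run whatever has
    arrived so far while the rest is still in flight; buffering the full body
    first removes that window entirely.
    """
    buf = bytearray()
    while True:
        chunk = stream.read(65536)
        if not chunk:
            break
        buf.extend(chunk)
        if len(buf) > limit:
            raise ValueError("update script exceeds size limit")
    return bytes(buf)


def verify_digest(data, expected_sha256_hex):
    """Constant-time comparison of the body's SHA-256 against the expected value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def apply_update(stream, expected_sha256_hex, run=False):
    """Return True only if the script was fully received and matches the digest.

    With run=True the verified script is written to a private temp file and
    executed with /bin/sh; the demo keeps run=False so nothing is executed.
    """
    data = fetch_whole(stream)
    if not verify_digest(data, expected_sha256_hex):
        return False
    if run:
        fd, path = tempfile.mkstemp(prefix="update-", suffix=".sh")
        try:
            with os.fdopen(fd, "wb") as f:
                f.write(data)
            subprocess.run(["/bin/sh", path], check=True)
        finally:
            os.unlink(path)
    return True


# Constructed sample: a benign script padded with a long trailing comment, the
# same shape as a download that "takes a while" to complete.
SAMPLE_SCRIPT = b"#!/bin/sh\necho update-ok\n" + b"# " + b"x" * 100_000 + b"\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()


def demo():
    """Accept the intact script; reject one whose tail is missing or altered."""
    good = apply_update(io.BytesIO(SAMPLE_SCRIPT), SAMPLE_DIGEST)
    bad = apply_update(io.BytesIO(SAMPLE_SCRIPT[:-10]), SAMPLE_DIGEST)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

The digest check is what makes the buffering meaningful: a truncated or modified body fails verification regardless of how much of it looked legitimate, so the padding trick has nothing to exploit.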
To find out how the update server was used, I cloned McAfee's update repository locally and then reconfigured the server to download updates from my server.
Two requests are made as part of the update process. The Site Stat file is just a standard XML file that says if a site is enabled and what version of the catalog it is serving.
At first glance, Intel's McAfee VirusScan Enterprise for Linux has all the characteristics that vulnerability researchers love: it runs as root, it claims to make your machine more secure, it's not particularly popular, and it looks like it hasn't been updated in a long time.
The web interface doesn't do much to limit what data a malicious user can send to the root service.
There are no CSRF tokens accompanying any forms on the web interface, which allows an attacker to submit authenticated requests when an authenticated user browses to an attacker-controlled, external domain.
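What a CSRF token buys a web interface like this one: a cross-site form post carries the victim's session cookie, so it looks authenticated, but it cannot carry a per-session secret the attacker's page never saw. The following is an added example, not code from the original post or from McAfee; it assumes a hypothetical application that already has an authenticated session id and a server-side secret, and the field and session names are made up.

```python
"""Per-session CSRF tokens: mint on form render, verify on submit (added example)."""
import hashlib
import hmac
import os
import secrets

SERVER_SECRET = os.urandom(32)  # assumed: loaded from config in a real service
TOKEN_FIELD = "csrf_token"      # assumed name of the hidden form field


def mint_token(session_id, secret=SERVER_SECRET):
    """Token = nonce.HMAC(secret, session_id:nonce).

    Binding the token to the session id means a token captured from one
    session cannot be replayed against another.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def check_token(session_id, token, secret=SERVER_SECRET):
    """Return True if the token was minted for this session with this secret."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # constant-time compare avoids leaking how many leading bytes matched
    return hmac.compare_digest(mac, expected)


def handle_post(session_id, form):
    """Gate a state-changing request on the CSRF token; returns (status, body)."""
    if not check_token(session_id, form.get(TOKEN_FIELD)):
        return 403, "missing or invalid CSRF token"
    return 200, "applied"


def demo():
    """Legitimate submit passes; forged and cross-session submits are refused."""
    victim_session = "sess-victim"  # constructed session id
    token = mint_token(victim_session)
    # Submission from the page that rendered the token.
    ok = handle_post(victim_session, {TOKEN_FIELD: token, "action": "update"})
    # Cross-site submission: the browser attaches the cookie, but no token is present.
    forged = handle_post(victim_session, {"action": "update"})
    # A token minted for a different session does not transfer.
    other = handle_post(victim_session, {TOKEN_FIELD: mint_token("sess-attacker")})
    return ok[0], forged[0], other[0]


if __name__ == "__main__":
    print(demo())
```

Using an HMAC over the session id rather than storing random tokens server-side keeps verification stateless; the nonce makes each rendered form's token distinct while the MAC ties it to the session.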
Seeing this basic a vulnerability in an antivirus product in 2016 is quite surprising.
A subset of the parameters posted is shown here. The parameter generates the following error in the web interface. Attaching strace shows that this parameter is passed directly to execve from a process running as root.
By changing this variable to an executable on the system, an authenticated user can have that binary executed by the root user.
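The root service's mistake is treating a value that originated in a web request as a path to execute. The fix is to let the request select from a fixed allowlist and never interpret the value itself as a path. The following is an added example, not code from the original post or from McAfee; it models a hypothetical root-running service that accepts a short command name from the unprivileged web tier, and the allowlist entries and helper names are made up (the targets are stand-in paths so the demo runs anywhere).

```python
"""Allowlisting what a privileged service will execute for a web request (added example)."""
import os
import subprocess

# Assumed: the fixed set of programs the root service legitimately needs to run,
# keyed by the only names the web tier is permitted to send.
ALLOWED_COMMANDS = {
    "scan": "/usr/bin/true",    # stand-in target path
    "update": "/usr/bin/true",  # stand-in target path
}


def unsafe_argv(requested):
    """Mirror of the flaw on the page: the posted value becomes argv[0] as-is.

    Returns the argv such code would hand to execve; nothing is executed here.
    """
    return [requested]


def lookup(name):
    """Map a request parameter to an allowlisted path, or None if not allowed.

    The untrusted value is used only as a dictionary key, never as a path, so
    absolute paths, traversal and shell metacharacters simply fail the lookup.
    """
    if not isinstance(name, str):
        return None
    return ALLOWED_COMMANDS.get(name)


def check_target(path):
    """Defence in depth on the allowlisted target itself.

    It must be an absolute, existing, non-symlink regular file owned by root
    and not writable by group or others; otherwise a privileged exec could be
    redirected by whoever can replace the file.
    """
    if not os.path.isabs(path) or os.path.islink(path) or not os.path.isfile(path):
        return False
    st = os.stat(path)
    return st.st_uid == 0 and not (st.st_mode & 0o022)


def run_requested(name, run=False):
    """Return (accepted, argv); execute the target only when run=True."""
    path = lookup(name)
    if path is None or not check_target(path):
        return False, None
    argv = [path]
    if run:
        subprocess.run(argv, check=False)
    return True, argv


def demo():
    """Show which request values survive the lookup stage."""
    return {
        "scan": lookup("scan"),
        "/bin/sh": lookup("/bin/sh"),
        "scan; id": lookup("scan; id"),
        "../scan": lookup("../scan"),
    }


if __name__ == "__main__":
    print(demo())
```

The two-stage check matters: `lookup` removes the untrusted value from the path decision entirely, and `check_target` guards the remaining trust assumption that the allowlisted binaries have not been replaced by something an unprivileged user controls.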