SECURITYVULNS:DOC:30575 (vulners.com)
May 04, 2014

Buggy insecure "security" software executes rogue binary during installation and uninstallation


Hi @ll,

the $*&#§ware by the name of "McAfee Security Scanner Plus" that Adobe dares
to push to unsuspecting users of Microsoft Windows trying to get Flash Player
from their main distribution page <hxxp://get.adobe.com/flashplayer/> was
developed, packaged and tested by people who obviously never heard of "long"
filenames, which may contain spaces.

From <http://msdn.microsoft.com/library/cc144175.aspx>
or <http://msdn.microsoft.com/library/cc144101.aspx>:

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.

When the unsuspecting Joe Average clicks the "Install now" button on the
above mentioned download page, but forgets to deselect the "optional offer"
McAfee Security Scanner Plus before, a file named
"install_flashplayer13x32_mssa_aaa_aih.exe"
is downloaded to directory "C:\Users\Joe Average\Downloads".

Following the instructions displayed after the download, Joe Average opens
the download directory and double clicks
"install_flashplayer13x32_mssa_aaa_aih.exe"

On recent versions of Microsoft Windows this triggers User Account Control
(UAC), asking Joe Average for consent to continue with administrative
privileges.

"install_flashplayer13x32_mssa_aaa_aih.exe"
now copies itself to the TEMP directory and executes its copy with the
argument (note the missing quotes.-)
{RemoveFile:C:\Users\Joe Average\Downloads\install_flashplayer13x32_mssa_aaa_aih.exe}

The copy then downloads its payload "gtbcheck.exe", "install_flash_player.exe"
and "SecurityScan_Release.exe" into the directory
"C:\Users\Joe Average\AppData\Local\Adobe\AIH.<40_hex_digits>\"
and executes these three programs in succession.

The last, "SecurityScan_Release.exe", an NSIS installer, unpacks its payload
into directory "C:\Program Files\McAfee Security Scan\<version>\" and calls
Windows' CreateProcess() function (see the MSDN note quoted above) with the
UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /Service

Since the command line is not quoted, CreateProcess() first takes "C:\Program"
as the module name, appends ".exe" and finds C:\Program.exe before it ever
gets to the intended McCHSvc.exe. This command line therefore runs the rogue
program C:\Program.exe which was placed there waiting for some dimwit of a
developer to call CreateProcess() with an unquoted command line.

Fortunately Joe Average (really: his Administrator) had a hunch and placed
<http://home.arcor.de/skanthak/download/SENTINEL.EXE> as C:\Program.exe on
his system, which displayed a message box to Joe Average informing him that
some crappy software may have just run malware on his PC.

This caught the silly beginner's mistake of a company that brags with

| For award-winning customer service, please visit our Web
| site that will have answers to almost all questions concerning
| our company:
| ==> http://service.mcafee.com

in automated replies to mail sent to <[email protected]> but does not
provide a mailbox to report bugs or vulnerabilities.

JFTR: English versions of Windows have had a "Program Files" directory for
nearly 20 years now. That should REALLY be enough time for EVERY
programmer to learn how to properly handle pathnames with spaces.

To complete the story: when Joe Average noticed what was done to him he
opened the Windows control panel and went to uninstall programs, then
selected "McAfee …" and clicked "uninstall".

This started "C:\Program Files\McAfee Security Scan\uninstall.exe"
which unpacked its payload "Au_.exe" (see above: it's an NSIS installer)
to TEMP and called it with the argument (again note the missing quotes)
_?=C:\Program Files\McAfee Security Scan\

"Au_.exe" in turn called Windows' CreateProcess() function with the
(you guessed it) UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver
which again led to execution of C:\Program.exe

regards
Stefan Kanthak
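As an added example, not part of Stefan Kanthak's post and not code from Adobe or McAfee: a PowerShell script that models which files CreateProcess() tries for an UNQUOTED command line, in the order the CreateProcess documentation describes, shows the quoted form that would have avoided the problem, and audits the services on the local machine for the same mistake. Both command lines from the post (the installer's "/Service" call and the uninstaller's "/unregserver" call) are used as input. The function names, the assumption that the intended executable is the first space-delimited prefix whose last path component carries an extension, and the choice of the Services registry key as the source of ImagePath values are mine and not taken from the post.

```powershell
# Added example, not code from the post, Adobe or McAfee. Models the
# CreateProcess() search for an UNQUOTED command line and audits the local
# services for the same defect. Assumption: the intended executable is the first
# space-delimited prefix whose last path component has an extension; every
# shorter prefix (with ".exe" appended) is a location a rogue binary can occupy.

function Get-UnquotedCommandLineCandidates {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)

    $tokens     = $CommandLine.Trim() -split ' '
    $candidates = New-Object System.Collections.Generic.List[string]
    for ($n = 1; $n -le $tokens.Count; $n++) {
        $prefix = $tokens[0..($n - 1)] -join ' '
        $leaf   = $prefix.Substring($prefix.LastIndexOf('\') + 1)
        if ($leaf -notmatch '\.') {
            # No extension: CreateProcess() appends ".exe" and tries this first
            $candidates.Add($prefix + '.exe')
        }
        else {
            # First prefix with an extension: what the developer actually meant
            $candidates.Add($prefix)
            break
        }
    }
    return $candidates
}

function Get-QuotedCommandLine {
    # The fix: quote the module path and keep the arguments as they were
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$CommandLine)

    $trimmed    = $CommandLine.Trim()
    $candidates = @(Get-UnquotedCommandLineCandidates -CommandLine $trimmed)
    $exe        = $candidates[-1]
    # If no prefix had an extension, ".exe" was appended and nothing follows it
    $arguments  = if ($trimmed.StartsWith($exe)) { $trimmed.Substring($exe.Length) } else { '' }
    return ('"{0}"{1}' -f $exe, $arguments)
}

function Find-UnquotedServiceImagePath {
    [CmdletBinding()]
    param()

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $imagePath = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if (-not $imagePath) { return }
        $expanded = [Environment]::ExpandEnvironmentVariables($imagePath)
        $expanded = $expanded -replace '^\\\?\?\\', ''      # drop a leading \??\ NT prefix
        # A leading quote means the developer got it right; skip those
        if ($expanded.StartsWith('"')) { return }
        $candidates = @(Get-UnquotedCommandLineCandidates -CommandLine $expanded)
        # Only a space *before* the executable name yields a hijack location
        if ($candidates.Count -lt 2) { return }
        $hijackable = $candidates[0..($candidates.Count - 2)]
        [pscustomobject]@{
            Service     = $_.PSChildName
            ImagePath   = $imagePath
            Intended    = $candidates[-1]
            HijackPaths = $hijackable
            # A file already sitting at a hijack path is either a planted
            # sentinel (like SENTINEL.EXE as C:\Program.exe) or a real hijack
            Planted     = @($hijackable | Where-Object { Test-Path -LiteralPath $_ -ErrorAction SilentlyContinue })
        }
      }
}

# The two unquoted command lines from the post
Get-UnquotedCommandLineCandidates 'C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /Service'
Get-QuotedCommandLine 'C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver'
# Audit this machine; anything listed under Planted deserves a look
Find-UnquotedServiceImagePath | Format-List
```

For the "/Service" command line the first candidate the model produces is C:\Program.exe, which is exactly the file the post's sentinel occupied; the quoted form returned for the uninstaller case wraps only the McCHSvc.exe path in quotation marks and leaves "/unregserver" untouched. To repair a service found by the audit, write the quoted value back with Set-ItemProperty on the service's registry key or with `sc.exe config <name> binPath=`. Whether a non-administrator could plant a file at one of the reported hijack paths depends on the ACLs of the system drive root and of the directories on the path; check them with Get-Acl before deciding how urgent a finding is.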