November 12, 2019
Security Researcher, SafeBreach Labs
SafeBreach Labs discovered a new vulnerability in all the editions of McAfee Antivirus software.
In this post, we will demonstrate how this vulnerability could have been used in order to bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.
Note: In order to exploit this vulnerability the attacker needs to have Administrator privileges.
McAfee Total Protection provides premium antivirus, identity and privacy protection.
Multiple parts of the software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions.
In this post, we describe the vulnerability we found in all of the editions of McAfee Antivirus software.
We then demonstrate how this vulnerability can be exploited to achieve arbitrary code execution within the context of multiple McAfee services, gaining access with NT AUTHORITY\SYSTEM level privileges.
In our exploration, we found that multiple services of the McAfee software which run as signed processes and as NT AUTHORITY\SYSTEM try to load c:\Windows\System32\wbem\wbemcomn.dll, which cannot be found (since it is actually located in System32 and not in the System32\Wbem folder):.
We suspected that a vulnerability could be exploited if we could load an arbitrary unsigned DLL into these processes. This would enable us to bypass the self-defense mechanism of the antivirus software, mainly because the folders of the McAfee software are protected by a mini-filter filesystem driver, which restricts writing operations even by an Administrator.
If the mini-filter filesystem driver is effective, even if we run as an Administrator and implant a DLL which doesn’t exist in order to load it into McAfee’s processes, we won’t be able to do that.
In order to test this vulnerability, we compiled a proxy DLL (unsigned) out of the original wbemcomn.dll DLL file, which writes the following to the filename of a txt file:
We then implanted it in C:\Windows\System32\Wbem, and restarted the computer:
We were able to load an arbitrary DLL and execute our code within multiple processes which are signed by McAfee, LLC as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.
There are multiple components in multiple files which may cause this issue. We will analyze one of them because the root cause is always very similar.
Once the “McAfee Module Core Service” (ModuleCoreService.exe) is started, it loads the mcutil.dll library.
Using CoCreateInstance, the mcutil.dll library initializes a COM object of the IWbemLocator interface, in order to obtain the initial namespace pointer to the IWbemServices interface and perform WMI operations on the host computer.
A brief look at the CLSID registry key shows us that this COM class is implemented within the “C:\Windows\System32\wbem\wbemprox.dll” library, which means that once the COM object is initialized, this library will be loaded and the exported “DllGetClassObject” function will be called:
Once the DllGetClassObject function of the wbemprox.dll library is called, the imported “CWin32DefaultArena::WbemMemAlloc” function is called multiple times:
We can see that this function is imported from wbemcomn.dll, which causes the service to try and load this DLL.
There are two root causes for this vulnerability:
Below we show three possible ways that an attacker can leverage the vulnerability we discovered and documented above.
The vulnerability gives attackers the ability to load and execute malicious payloads using multiple signed services, within the context of McAfee’s signed processes. This ability might be abused by an attacker for different purposes such as execution and evasion, for example: Application Whitelisting Bypass. The antivirus might not detect the attacker’s binary, because it tries to load it without any verification against it.
The vulnerability gives attackers the ability to load and execute malicious payloads in a persistent way, each time the services are loaded. That means that once the attacker drops a malicious DLL, the services will load the malicious code each time the services are restarted.
The versions affected are all up to and including 16.0.R22.
Version 16.0.R22 Refresh 1 being released to address the issue.
Aug 5th, 2019 - Vulnerability reported to McAfee
Aug 21st, 2019 - Initial Response from HackerOne
Sep 3rd, 2019 - McAfee confirmed the vulnerability
Sep 11th, 2019 - Status Update from McAfee
Sep 12th, 2019 - Status Update from McAfee
Oct 8th, 2019 - McAfee shared a timeline of a fix deployment
Oct 23rd, 2019 - McAfee provided the affected products
Oct 31st, 2019 - McAfee issued CVE-2019-3648 and provided affected versions.
Nov 12th, 2019 - Mcafee published a security advisory