CVE-2019-3648 flaw in all McAfee AV allows DLL Hijacking

Pierluigi Paganini November 14, 2019

McAfee a vulnerability in its antivirus software that could allow an attacker to escalate privileges and execute code with SYSTEM privileges.

Security experts at SafeBreach have discovered a vulnerability in McAfee antivirus software tracked as CVE-2019-3648 that could allow an attacker with Administrator privileges to escalate privileges and execute code with SYSTEM privileges.

The flaw impacts McAfee Total Protection (MTP), McAfee Anti-Virus Plus (AVP), and all McAfee Internet Security (MIS) versions including 16.0.R22.

The CVE-2019-3648 flaw could be exploited by attackers to load unsigned DLLs into multiple services that run as NT AUTHORITY\SYSTEM.

this vulnerability could have been used in order to bypass McAfee’s Self-Defense mechanism; and achieve defense evasion and persistence by loading an arbitrary unsigned DLL into multiple services that run as NT AUTHORITY\SYSTEM.” reads the analysis published by SafeBreach. 

“Multiple parts of the software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions.” “this vulnerability can be exploited to achieve arbitrary code execution within the context of multiple McAfee services, gaining access with NT AUTHORITY\SYSTEM level privileges.

The experts discovered that multiple services of the McAfee software try to load a library from the path c:\Windows\System32\wbem\wbemcomn.dll, that cannot be found because it is located in System32 and not in the System32\Wbem folder.

An attacker can place a malicious dll named wbemcomn.dll. in the wbem folder and get it executed.

Experts explained that it is possible to bypass the self-defense mechanism of the antivirus because the antivirus doesn’t validate digital signature of the DLL file.

The researchers tested the flaw by compiling a proxy DLL (unsigned) out of the original wbemcomn.dll DLL file, which writes the name of the process which loaded it, the username which executed it and the name of the DLL file. Then the experts implanted it in C:\Windows\System32\Wbem, and restarted the computer:

“We were able to load an arbitrary DLL and execute our code within multiple processes which are signed by McAfee, LLC as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continue the experts.

Experts reported the flaw to McAfee in August and on November 12 Mcafee published a security advisory and releases a patch to address the issue. McAfee confirmed that it is not aware of the vulnerability being exploited in attacks in the wild.

SafeBreach discovered similar issues in other security solutions from other vendors, including Trend Micro, Check Point, Bitdefender, AVG and Avast.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – McAfee, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment