Security experts at SafeBreach have discovered a vulnerability in McAfee antivirus software tracked as CVE-2019-3648 that could allow an attacker with Administrator privileges to escalate privileges and execute code with SYSTEM privileges.
The flaw impacts McAfee Total Protection (MTP), McAfee
The CVE-2019-3648 flaw could be exploited by attackers to load unsigned DLLs into multiple services that run as NT AUTHORITY\SYSTEM.
“Multiple parts of the software run as a Windows service executed as “NT AUTHORITY\SYSTEM,” which provides it with very powerful permissions.” “this vulnerability can be exploited to achieve arbitrary code execution within the context of multiple McAfee services, gaining access with NT AUTHORITY\SYSTEM level privileges.
The experts discovered that multiple services of the McAfee software try to load a library from the path c:\Windows\System32\wbem\wbemcomn.dll, that cannot be found because it is located in System32 and not in the System32\Wbem folder.
An attacker can place a malicious
Experts explained that it is possible to bypass the self-defense mechanism of the antivirus because the antivirus doesn’t validate
The researchers tested the flaw by compiling a proxy DLL (unsigned) out of the original wbemcomn.dll DLL file, which writes the name of the process which loaded it, the username which executed it and the name of the DLL file. Then the experts implanted it in C:\Windows\System32\Wbem, and restarted the computer:
“We were able to load an arbitrary DLL and execute our code within multiple processes which are signed by McAfee, LLC as NT AUTHORITY\SYSTEM, resulting in bypassing the self-defense mechanism of the program.” continue the experts.
Experts reported the flaw to McAfee in August and on November 12
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.