lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 6 Jan 2011 20:27:08 -0500
From: Technion <>
Subject: McAfee Commandline Updater

Product Affected
Updater for McAfee Virusscan Command Line 6.0
This product is available attached to this document: 
As far as can be determined, there has only ever been one version of this application.
It is stated by McAfee:
NOTE: The attached script is only an example of how to automate the update process and is not officially supported by McAfee Technical Support.
How can McAfee actually expect you to operate a virus scanner without a regular update process? Either we accept the product as effectively useless, or we produce a better update process. I would contend this is a more serious issue than the one presented in this exploit.
The updater script stores downloaded data in a known location under /tmp, which is vulnerable to a symlink based exploit.
UVscan itself has been the subject of an identical symlink bug, for which McAfee released a security fix back in 2008.
Full discussion and exploit has been documented here:
November 9, 2010: Issue found
circa November 17, 2010: Filled in McAfee's online support form. No reply.
December 10, 2010: Several painful hours on the phone to McAfee. Got nowhere.
January 7, 2010: Disclosure
A recommended replacement script is discussed at the above URL.

Powered by blists - more mailing lists