lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 16 Apr 2014 21:30:27 +0200
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Buggy insecure "security" software executes rogue binary
	during installation and uninstallation

Hi @ll,

the $*&#§ware by the name of "McAfee Security Scanner Plus" that Adobe dares
to push to unsuspecting users of Microsoft Windows trying to get flash player
from their main distribution page <hxxp://> was
developed, packaged and tested by people who obviously never heard of "long"
filenames which may contain spaces.

>From <>
or <>:

| Note: If any element of the command string contains or might contain
| spaces, it must be enclosed in quotation marks. Otherwise, if the
| element contains a space, it will not parse correctly. For instance,
| "My Program.exe" starts the application properly. If you use
| My Program.exe without quotation marks, then the system attempts to
| launch My with Program.exe as its first command line argument. You
| should always use quotation marks with arguments such as "%1" that are
| expanded to strings by the Shell, because you cannot be certain that
| the string will not contain a space.

When the unsuspecting Joe Average clicks the "Install now" button on the
above mentioned download page, but forgets to deselect the "optional offer"
McAfee Security Scanner Plus before, a file named
is downloaded to directory "C:\Users\Joe Average\Downloads".

Following the instructions displayed after the download, Joe Average opens
the download directory and double clicks

On recent versions of Microsoft Windows this triggers the user account
control, asking Joe Average for consent to continue with administrative

now copies itself to the TEMP directory and executes its copy with the
argument (note the missing quotes.-)
{RemoveFile:C:\Users\Joe Average\Downloads\install_flashplayer13x32_mssa_aaa_aih.exe}

The copy then downloads its payload "gtbcheck.exe", "install_flash_player.exe"
and "SecurityScan_Release.exe" into the directory
"C:\Users\Joe Average\AppData\Local\Adobe\AIH.<40_hex_digits>\"
and executes these three programs in succession.

The last, "SecurityScan_Release.exe", an NSIS installer, unpacks its payload
into directory "C:\Program Files\McAfee Security Scan\<version>\" and calls
Windows' CreateProcess() function (see above) with the UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /Service

This command line now runs the rogue program C:\Program.exe which was placed
there waiting for some dimwit of a developer to call CreateProcess() with an
unquoted command line.

Fortunately Joe Average (really: his Administrator) had a hunch and placed
<> as C:\Program.exe on
his system which displayed a message box to Joe Average informing him that
some crappy software may have just run malware on his PC.

This caught the silly beginners mistake of a company that brags with

| For award-winning customer service, please visit our Web
| site that will have answers to almost all questions concerning
| our company:
|  ==>

in automated replies to mail sent to <> but does not
provide a mailbox to report bugs or vulnerabilities.

JFTR: english versions of Windows have a "Program Files" directory for
      nearly 20 years now. That should REALLY be enough time for EVERY
      programmer to learn how to properly handle pathnames with spaces.

To complete the story: when Joe Average noticed what was done to him he
opened the Windows control panel and went to uninstall programs, then
selected "McAfee ..." and clicked "uninstall".

This started "C:\Program Files\McAfee Security Scan\uninstall.exe"
which unpacked its payload "Au_.exe" (see above: it's an NSIS installer)
to TEMP and called it with the argument (again note the missing quotes)
 _?=C:\Program Files\McAfee Security Scan\

"Au_.exe" in turn called Windows' CreateProcess() function with the
(you guess it) UNQUOTED command line
C:\Program Files\McAfee Security Scan\3.0.285\McCHSvc.exe /unregserver
which again led to execution of C:\Program.exe

Stefan Kanthak

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists