lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 16 Jan 2015 16:38:44 -0800
From: David Coomber <davidcoomber.infosec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] McAfee Advanced Threat Defense - Sandbox Fingerprinting &
	Bypass

McAfee Advanced Threat Defense - Sandbox Fingerprinting & Bypass
--
http://www.info-sec.ca/advisories/McAfee-ATD.html

Overview
"McAfee Advanced Threat Defense protects against advanced malware,
including zero-day and advanced persistent threats, providing the
strongest advanced threat protection available."
(www.mcafee.com/us/products/advanced-threat-defense.aspx)

Issue
The McAfee Advanced Threat Defense solution relies on a number of
static configurations present across all deployments which, when
chained together, could allow an attacker to detect the present of the
sandbox within the environment.

Impact
A specially crafted binary could be created which, when analyzed by
ATD, detects the present of the sandbox and runs benign code, but when
run on the target, executes malicious code. To demonstrate this
vulnerability, I created proof of concept code which detects the
presence of the ATD sandbox via localhost FTP and the following static
credentials:

User: Administrator
Password: cr@...r42

Timeline
October 21, 2014 - Notified McAfee via security@...fee.com
November 4, 2014 - McAfee confirmed the vulnerability and provided a
target date of December 31, 2014 to provide an updated version
January 15, 2015 - McAfee released a security update to resolve this issue

Solution
Upgrade to version 3.4.4.14 or later

https://kb.mcafee.com/corporate/index?page=content&id=SB10096

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ