McAfee SecurityCenter Privacy Service HTML Execution Vulnerability

2007.12.04
Credit: Doz
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

[HSC] McAfee SecurityCenter Privacy Service HTML Execution Vulnerability

McAfee provides a proactive PC and Internet security service that helps you avoid online attacks and protects what you value from hackers, identity thieves and other online criminals.

An HTML execution vulnerability may allow an attacker to execute HTML scripts on the system in the context of the user. These scripts can perform any action that the user could. The flaw lies in the processing of filtering that is saved after exiting.

Hackers Center Security Group (http://www.hackerscenter.com)

Credit: DoZ
Risk: Medium
Class: Input Validation Error
Local: Yes
Vendor: http://us.mcafee.com/
Product: McAfee SecurityCenter
Version: McAfee Privacy Service 8.1.0.136

Exploit:
An exploit is not required. An attacker may exploit this issue to execute code in the context of the affected software, and distribute this code across Privacy Service infrastructure. Also, making a patch that works with this hole will allow attackers to use this hole as a platform for other attacks.

Examples:

1. After turning your software into a MFEMFEMFEMF, you can inject this website http://www.crashie.com/ and it will crash McAfee Privacy Service. One can also use an Internet Explorer exploit to crash the McAfee Application.

<script>for (x in document.write) { document.write(x);}</script>

2. Paste your slogan to see if the software is vulnerable to this attack.

<h1>Hello!</h1>

Proof of Concept:
http://www.hackerscenter.com/public/images/1.jpg
http://www.hackerscenter.com/public/images/2.jpg
http://www.hackerscenter.com/public/images/3.jpg
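The advisory classes this as an input validation error: saved filter text is later rendered as markup. The following is an added example, not McAfee code or code from the advisory, showing validation at save time and output encoding at render time. The function names and the assumption that a filter entry is an http(s) URL or hostname are hypothetical.

```javascript
// Added example: function names and the entry format are assumptions, not McAfee code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output encoding: turn markup characters into entities before the value reaches an HTML view.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input validation at save time: accept only an http(s) URL or bare hostname (assumed format).
function validateFilterEntry(raw) {
  const entry = String(raw).trim();
  if (entry.length === 0 || entry.length > 2048) return null;
  if (/[<>"'`\s\x00-\x1f]/.test(entry)) return null; // markup, quotes, whitespace, control chars
  let url;
  try {
    url = new URL(/^[a-z][a-z0-9+.-]*:\/\//i.test(entry) ? entry : 'http://' + entry);
  } catch (err) {
    return null;
  }
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// The flawed pattern: saved text is concatenated into the page as markup.
function renderUnsafe(entries) {
  return '<ul>' + entries.map((e) => '<li>' + e + '</li>').join('') + '</ul>';
}

// Hardened: every entry is encoded on output, even if it passed validation earlier.
function renderSafe(entries) {
  return '<ul>' + entries.map((e) => '<li>' + escapeHtml(e) + '</li>').join('') + '</ul>';
}

// Constructed sample input: the two test strings from the advisory plus one ordinary site entry.
const samples = [
  '<h1>Hello!</h1>',
  '<script>for (x in document.write) { document.write(x);}</script>',
  'http://www.crashie.com/',
];

function demo() {
  const accepted = samples.map(validateFilterEntry).filter((e) => e !== null);
  return { accepted, unsafe: renderUnsafe(samples), safe: renderSafe(samples) };
}

console.log(demo());
```

Encoding on output is the control that matters if entries saved by an older version are already on disk; validation alone only protects new input.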

