McAfee Advanced Threat Defense Sandbox Fingerprinting / Bypass

2015.01.20
Credit: David Coomber
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

McAfee Advanced Threat Defense - Sandbox Fingerprinting & Bypass -- http://www.info-sec.ca/advisories/McAfee-ATD.html

Overview

"McAfee Advanced Threat Defense protects against advanced malware, including zero-day and advanced persistent threats, providing the strongest advanced threat protection available." (www.mcafee.com/us/products/advanced-threat-defense.aspx)

Issue

The McAfee Advanced Threat Defense solution relies on a number of static configurations present across all deployments which, when chained together, could allow an attacker to detect the presence of the sandbox within the environment.

Impact

A specially crafted binary could be created which, when analyzed by ATD, detects the presence of the sandbox and runs benign code, but when run on the target, executes malicious code.

To demonstrate this vulnerability, I created proof of concept code which detects the presence of the ATD sandbox via localhost FTP and the following static credentials:

User: Administrator
Password: cr@cker42

Timeline

October 21, 2014 - Notified McAfee via security@mcafee.com
November 4, 2014 - McAfee confirmed the vulnerability and provided a target date of December 31, 2014 to provide an updated version
January 15, 2015 - McAfee released a security update to resolve this issue

Solution

Upgrade to version 3.4.4.14 or later
https://kb.mcafee.com/corporate/index?page=content&id=SB10096
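The fingerprint above only works because an analyzed sample can authenticate to the sandbox's own FTP service on 127.0.0.1 with a credential that is identical on every deployment. Until the fix is deployed, an operator can turn that into a detection: any sample that opens a localhost FTP session and presents the static Administrator account is probing for the sandbox, and a successful login is near-certain evidence of evasion logic. The following is an added example written for this page, not part of the advisory or McAfee's product; the log layout it parses (one line per USER/PASS event with sample=, src= and result= fields) is an assumption constructed for illustration, not ATD's real log format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed FTP authentication log lines in an assumed, simplified layout.
# This is NOT the real McAfee ATD log format; it only serves the example.
SAMPLE_LOG = """\
2015-01-15 10:02:11 sample=7f1c.exe src=127.0.0.1 event=USER name=Administrator
2015-01-15 10:02:11 sample=7f1c.exe src=127.0.0.1 event=PASS name=Administrator result=OK
2015-01-15 10:03:45 sample=a9b2.exe src=10.0.0.5 event=USER name=ftpuser
2015-01-15 10:03:46 sample=a9b2.exe src=10.0.0.5 event=PASS name=ftpuser result=FAIL
2015-01-15 10:05:02 sample=c3d4.exe src=127.0.0.1 event=USER name=Administrator
2015-01-15 10:05:02 sample=c3d4.exe src=127.0.0.1 event=PASS name=Administrator result=FAIL
"""

# The static account named in the advisory and the loopback address the
# fingerprint relies on. The password is deliberately not needed here: a login
# attempt with this account from an analyzed sample is the indicator.
STATIC_USER = "Administrator"
LOCALHOST = "127.0.0.1"

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) sample=(?P<sample>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>USER|PASS) name=(?P<name>\S+)"
    r"(?: result=(?P<result>OK|FAIL))?$"
)


@dataclass
class Finding:
    sample: str
    timestamp: str
    severity: str  # "high" for a successful login, "medium" for an attempt
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_fingerprint_attempts(log_text: str) -> List[Finding]:
    """Flag samples that present the static Administrator account to the
    sandbox's local FTP service. Only PASS events are reported so that a
    USER/PASS pair produces a single finding."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line
        if rec["src"] != LOCALHOST or rec["name"] != STATIC_USER:
            continue  # not the localhost/static-account pattern
        if rec["event"] != "PASS":
            continue
        if rec["result"] == "OK":
            sev, reason = "high", (
                "sample authenticated to local FTP with the static "
                "Administrator account (sandbox fingerprinting)")
        else:
            sev, reason = "medium", (
                "sample attempted local FTP login as Administrator")
        findings.append(Finding(rec["sample"], rec["ts"], sev, reason))
    return findings


def worst_severity_per_sample(findings: List[Finding]) -> Dict[str, str]:
    """Collapse findings to one verdict per sample, keeping the highest severity."""
    rank = {"medium": 1, "high": 2}
    verdict: Dict[str, str] = {}
    for f in findings:
        if rank[f.severity] > rank.get(verdict.get(f.sample, ""), 0):
            verdict[f.sample] = f.severity
    return verdict


if __name__ == "__main__":
    for f in find_fingerprint_attempts(SAMPLE_LOG):
        print(f"{f.timestamp} {f.sample} [{f.severity}] {f.reason}")
    print(worst_severity_per_sample(find_fingerprint_attempts(SAMPLE_LOG)))
```

Two design points: the check keys on the account name and loopback source rather than the password, because authentication logs normally never record the password and the attempt itself is the signal; and a sample whose login fails is still reported, since a failed guess at the static account from inside the analysis VM is not something benign software does.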

References:

http://cxsecurity.com/issue/WLB-2015010032
https://kb.mcafee.com/corporate/index?page=content&id=SB10096

