Vulnerabilities > CVE-2012-4598 - Denial-Of-Service vulnerability in Mcafee products

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

mcafee

critical

nessus

exploit available

metasploit

NVD

Published: 2012-08-22

Updated: 2012-08-22

Summary

An unspecified ActiveX control in McAfee Virtual Technician (MVT) before 6.4, and ePO-MVT, allows remote attackers to execute arbitrary code or cause a denial of service (Internet Explorer crash) via a crafted web site.

Vulnerable Configurations

Part	Description	Count
Application	Mcafee Mcafee Mcafee Virtual Technician 6.3.0.1911 Mcafee EPO Mcafee Virtual Technician 1.0 Mcafee EPO Mcafee Virtual Technician 1.0.4.0 Mcafee EPO Mcafee Virtual Technician 1.0.7	4

Exploit-Db

description	McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX GetObject() Exploit. CVE-2012-4598. Remote exploit for windows platform
id	EDB-ID:18805
last seen	2016-02-02
modified	2012-04-30
published	2012-04-30
reporter	rgod
source	https://www.exploit-db.com/download/18805/
title	McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX GetObject Exploit

description	McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability. CVE-2012-4598. Remote exploit for windows platform
id	EDB-ID:18812
last seen	2016-02-02
modified	2012-05-01
published	2012-05-01
reporter	metasploit
source	https://www.exploit-db.com/download/18812/
title	McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability

Metasploit

description	This module exploits a vulnerability found in McAfee Virtual Technician's MVTControl. This ActiveX control can be abused by using the GetObject() function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user.
id	MSF:EXPLOIT/WINDOWS/BROWSER/MCAFEE_MVT_EXEC
last seen	2020-06-10
modified	2017-10-05
published	2012-04-30
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4598 https://kc.mcafee.com/corporate/index?page=content&id=SB10028
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/mcafee_mvt_exec.rb
title	McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability

Nessus

NASL family	Windows
NASL id	MCAFEE_VIRTUAL_TECHNICIAN_ACTIVEX.NASL
description	The remote Windows host has a version of the McAfee Virtual Technician / ePolicy Orchestrator ActiveX control that allows execution of arbitrary code. The
last seen	2020-06-01
modified	2020-06-02
plugin id	61719
published	2012-08-29
reporter	This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/61719
title	McAfee Virtual Technician ActiveX Control GetObject() Method Remote Command Execution (SB10028)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(61719); script_version("1.6"); script_cvs_date("Date: 2018/07/14 1:59:37"); script_cve_id("CVE-2012-4598"); script_bugtraq_id(53304); script_xref(name:"EDB-ID", value:"18805"); script_xref(name:"EDB-ID", value:"18812"); script_xref(name:"MCAFEE-SB", value:"SB10028"); script_name(english:"McAfee Virtual Technician ActiveX Control GetObject() Method Remote Command Execution (SB10028)"); script_summary(english:"Checks control's file version"); script_set_attribute( attribute:"synopsis", value: "An ActiveX control installed on the remote Windows host can be abused to execute arbitrary code." ); script_set_attribute( attribute:"description", value: "The remote Windows host has a version of the McAfee Virtual Technician / ePolicy Orchestrator ActiveX control that allows execution of arbitrary code. The 'GetObject()' method can be used to load any class on the underlying operating system. For example, by loading the 'WScript.Shell' class, attackers can then run arbitrary operating system commands. If an attacker can trick a user on the affected host into viewing a specially crafted HTML document, he can leverage this issue to execute arbitrary commands on the affected system subject to the user's privileges." ); script_set_attribute(attribute:"see_also", value:"https://kc.mcafee.com/corporate/index?page=content&id=SB10028"); script_set_attribute( attribute:"solution", value:" Upgrade to McAfee Virtual Technician 6.4 / ePolicy Orchestrator 1.0.8 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/30"); script_set_attribute(attribute:"patch_publication_date", value:"2012/05/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/29"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:mcafee_virtual_technician"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_activex_func.inc"); include("smb_reg_query.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/Registry/Enumerated"); registry_init(); hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE); key = 'SOFTWARE\\Classes\\MVT.MVTControl\\CLSID\\'; clsid = get_registry_value(handle:hklm, item:key); RegCloseKey(handle:hklm); close_registry(); if (isnull(clsid)) audit(AUDIT_NOT_INST, 'McAfee Virtual Technician'); if (activex_init() != ACX_OK) exit(1, "activex_init() failed."); info = ''; vuln_version = '6.3.0.1911'; fixed_version = '6.4'; file = activex_get_filename(clsid:clsid); if (isnull(file)) { activex_end(); exit(1, "activex_get_filename() returned NULL."); } if (!file) { activex_end(); audit(AUDIT_ACTIVEX_NOT_FOUND, clsid); } # Get its version. version = activex_get_fileversion(clsid:clsid); if (!version) { activex_end(); audit(AUDIT_VER_FAIL, file); } if(ver_compare(ver:version, fix:vuln_version) <= 0) { if (report_paranoia > 1 \|\| activex_get_killbit(clsid:clsid) == 0) { info += '\n Class identifier : ' + clsid + '\n Filename : ' + file + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; } } activex_end(); # Report findings. if (info) { if (report_paranoia > 1) { report = info + '\n' + 'Note, though, that Nessus did not check whether the kill bit was\n' + "set for the control's CLSID because of the Report Paranoia setting" + '\n' + 'in effect when this scan was run.\n'; } else { report = info + '\n' + 'Moreover, its kill bit is not set so it is accessible via Internet\n' + 'Explorer.\n'; } if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report); else security_hole(kb_smb_transport()); exit(0); } else { if(ver_compare(ver:version, fix:vuln_version) > 0) audit(AUDIT_INST_VER_NOT_VULN, version, file); else exit(0, "The " + file + " control is installed, but its kill bit is set."); }

References

https://kc.mcafee.com/corporate/index?page=content&id=SB10028