Vulnerabilities > CVE-2012-4598 - Denial-Of-Service vulnerability in Mcafee products

047910
CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
mcafee
critical
nessus
exploit available
metasploit

Summary

An unspecified ActiveX control in McAfee Virtual Technician (MVT) before 6.4, and ePO-MVT, allows remote attackers to execute arbitrary code or cause a denial of service (Internet Explorer crash) via a crafted web site.

Exploit-Db

  • descriptionMcAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX GetObject() Exploit. CVE-2012-4598. Remote exploit for windows platform
    idEDB-ID:18805
    last seen2016-02-02
    modified2012-04-30
    published2012-04-30
    reporterrgod
    sourcehttps://www.exploit-db.com/download/18805/
    titleMcAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 - ActiveX GetObject Exploit
  • descriptionMcAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability. CVE-2012-4598. Remote exploit for windows platform
    idEDB-ID:18812
    last seen2016-02-02
    modified2012-05-01
    published2012-05-01
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/18812/
    titleMcAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability

Metasploit

descriptionThis module exploits a vulnerability found in McAfee Virtual Technician's MVTControl. This ActiveX control can be abused by using the GetObject() function to load additional unsafe classes such as WScript.Shell, therefore allowing remote code execution under the context of the user.
idMSF:EXPLOIT/WINDOWS/BROWSER/MCAFEE_MVT_EXEC
last seen2020-06-10
modified2017-10-05
published2012-04-30
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/mcafee_mvt_exec.rb
titleMcAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability

Nessus

NASL familyWindows
NASL idMCAFEE_VIRTUAL_TECHNICIAN_ACTIVEX.NASL
descriptionThe remote Windows host has a version of the McAfee Virtual Technician / ePolicy Orchestrator ActiveX control that allows execution of arbitrary code. The
last seen2020-06-01
modified2020-06-02
plugin id61719
published2012-08-29
reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/61719
titleMcAfee Virtual Technician ActiveX Control GetObject() Method Remote Command Execution (SB10028)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(61719);
  script_version("1.6");
  script_cvs_date("Date: 2018/07/14  1:59:37");

  script_cve_id("CVE-2012-4598");
  script_bugtraq_id(53304);
  script_xref(name:"EDB-ID", value:"18805");
  script_xref(name:"EDB-ID", value:"18812");
  script_xref(name:"MCAFEE-SB", value:"SB10028");

  script_name(english:"McAfee Virtual Technician ActiveX Control GetObject() Method Remote Command Execution (SB10028)");
  script_summary(english:"Checks control's file version");

  script_set_attribute(
    attribute:"synopsis",
    value:
"An ActiveX control installed on the remote Windows host can be abused
to execute arbitrary code."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote Windows host has a version of the McAfee Virtual Technician
/ ePolicy Orchestrator ActiveX control that allows execution of
arbitrary code.  The 'GetObject()' method can be used to load any class
on the underlying operating system.  For example, by loading the
'WScript.Shell' class, attackers can then run arbitrary operating system
commands.

If an attacker can trick a user on the affected host into viewing a
specially crafted HTML document, he can leverage this issue to execute
arbitrary commands on the affected system subject to the user's
privileges."
  );
  script_set_attribute(attribute:"see_also", value:"https://kc.mcafee.com/corporate/index?page=content&id=SB10028");
  script_set_attribute(
    attribute:"solution",
    value:"
Upgrade to McAfee Virtual Technician 6.4 / ePolicy Orchestrator 1.0.8 or
later."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:mcafee_virtual_technician");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl");
  script_require_keys("SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_activex_func.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/Registry/Enumerated");

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
key = 'SOFTWARE\\Classes\\MVT.MVTControl\\CLSID\\';

clsid = get_registry_value(handle:hklm, item:key);

RegCloseKey(handle:hklm);

close_registry();

if (isnull(clsid)) audit(AUDIT_NOT_INST, 'McAfee Virtual Technician');

if (activex_init() != ACX_OK) exit(1, "activex_init() failed.");

info = '';

vuln_version = '6.3.0.1911';
fixed_version = '6.4';

file = activex_get_filename(clsid:clsid);

if (isnull(file))
{
  activex_end();
  exit(1, "activex_get_filename() returned NULL.");
}

if (!file)
{
  activex_end();
  audit(AUDIT_ACTIVEX_NOT_FOUND, clsid);
}

# Get its version.
version = activex_get_fileversion(clsid:clsid);
if (!version)
{
  activex_end();
  audit(AUDIT_VER_FAIL, file);
}

if(ver_compare(ver:version, fix:vuln_version) <= 0)
{
  if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)
  {
      info += '\n  Class identifier  : ' + clsid +
              '\n  Filename          : ' + file +
              '\n  Installed version : ' + version +
              '\n  Fixed version     : ' + fixed_version + '\n';
   }
}

activex_end();

# Report findings.
if (info)
{
  if (report_paranoia > 1)
  {
    report = info +
      '\n' +
      'Note, though, that Nessus did not check whether the kill bit was\n' +
      "set for the control's CLSID because of the Report Paranoia setting" + '\n' +
      'in effect when this scan was run.\n';
  }
  else
  {
    report = info +
      '\n' +
      'Moreover, its kill bit is not set so it is accessible via Internet\n' +
      'Explorer.\n';
  }

  if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);
  else security_hole(kb_smb_transport());

  exit(0);
}
else
{
  if(ver_compare(ver:version, fix:vuln_version) > 0)
    audit(AUDIT_INST_VER_NOT_VULN, version, file);
  else
    exit(0, "The " + file + " control is installed, but its kill bit is set.");
}