BugTraq
SEC Consult whitepaper: Bypassing McAfee Application Whitelisting for Critical Infrastructure Systems Jan 12 2016 08:10AM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab released a new whitepaper titled:

"Bypassing McAfee Application Whitelisting for Critical Infrastructure Systems"
- the dinosaurs want their vuln back

Link to blog overview:
----------------------
Including slides from presentations on this topic (with details & demos on
vulnerabilites & vendor responses):

http://blog.sec-consult.com/2016/01/mcafee-application-control-dinosaurs
.html

Direct link to whitepaper:
---------------------------
https://www.sec-consult.com/fxdata/seccons/prod/media/Whitepaper_Bypassi
ng_McAfees_Application_Whitelisting_for_critical_infrastructure_systems_
v1%200.pdf

Abstract:
---------
This paper describes the results of the research conducted by SEC Consult
Vulnerability Lab on the security of McAfee Application Control. This product is
an example of an application whitelisting solution which can be used to further
harden critical systems such as server systems in SCADA environments or client
systems with high security requirements like administrative workstations.
Application whitelisting is a concept which works by whitelisting all installed
software on a system and after that prevent the execution of not whitelisted
software. This should prevent the execution of malware and therefore protect
against advanced persistent threat (APT) attacks. McAfee Application Control is
an example of such a software. It can be installed on any system, however, the
main field of application is the protection of highly critical infrastructures.
While the core feature of the product is application whitelisting, it also
supports additional security features including write- and read-protection as
well as different memory corruption protections.

The paper will show:

* how application whitelisting can be bypassed in multiple ways
* how User-Account-Control can be bypassed on such protected systems
* how additional protections such as read- or write-protections can be
bypassed
* how additional memory corruption protections can easily be bypassed
* that the software can decrease the overall security of your operating
system

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

0? *?H?÷
 ?0?10
 `?He0? *?H?÷
 ? 0?¯0?? à#Ë?S?­anzTgk!0
 *?H?÷
 0o1 0 USE10U
 AddTrust AB1&0$U AddTrust External TTP Network1"0 UAddTrust External CA Root0
141222000000Z
200530104838Z0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0?"0
 *?H?÷
?0?
??±
ÚzSNpR¼V¦&·¸Ià?çQ«ñðZI£´?`¼zQB§y?¤"ßaN?Õv#
ÓJ¶ ?n¥=Ùº»þ¡?©.CRC|¯2PȦOZéØÏ?%?{?è0dæ¤øV?ý*$3?¬Dåi?£FKÂ3Ôé@?°±¬?@¹
µ?:?*S£Û= a<U?ÙNv%!)ú£|qvOîá_éûT?ÛÃ{5R·?Þ"=,0-1Y½R7°3i-CëúÖ¥ñ?wgQ?Ùî'ë¼¥8v?¤©
8ÿß?õ¬I¾Ê÷s?:2«??:=F:WtaP¾Æ@?Ëäâ?¢!£?0?0U#0?­½?z4´&÷
úÄ&Tï½à$ËT0U?ak?ᢠªOìgñ£÷´?Áì0Uÿ?0Uÿ0
ÿ0U%0++0U 
00U 0DU=0;09 7 5?3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
+)0'0%+0?http://ocsp.usertrust.com0
 *?H?÷
 ?*n¬UÁ:«?ÅØíÍUóªka+À #?Åfjo±õ´µw^aß}þ³¤??üû[jr
A¼ºÁXÕ&ÂêÕM?ûþ??ÏXã"c?Rø»6«}X¥Þ«;cåÚÕsïìàû{â£ÿðB#?ʶM>äK²¨-ÔØ»BKi
?Û¦74è{à¥?Ê:Ç?O?4n?eÐ?»©ÜÊÊ6ÑôüÂd)5¯Ö±§qÒC±>?ì?2Sôv?Ê?4¹,ÊæJØ?
Á?â?ûZBj#!éeÇõÕ»~ê?? bêÑ:,YÅ?3ò8?å¶ézyöJ&ú|?û?0?_0?G 1r?¸SµX@úäò ïÑ ±0
 *?H?÷
 0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA0
150310000000Z
160309235959Z0?U1 0 UAT1
0 U270010UNiederoesterreich10U Wr. Neustadt10U Komarigasse 141.0,U
%SEC Consult Unternehmensberatung GmbH1I0GU @Issued through SEC Consult Unternehmensberatung GmbH E-PKI Manag10U Corporate Secure Email1&0$USEC Consult Vulnerability Lab1'0% *?H?÷
 research (at) sec-consult (dot) com0 [email concealed]?"0
 *?H?÷
?0?
?§Óx¾?ù´¨¼ää?¡Æo¼?8vMÙË?@P?ü*J±Û>ô¯°?¹?<7âÕ)Xt?ÈÙE.ðF?¨í« íx¤¦ü¢+
©?zp/Û#Û?p&Rèè¥Ü=?[ho/Â_·?[Ñ?ÉheM4ö?þ&ʼ¨â?v÷Èk5$c¿.ñVhÕßåz:?£ÐÅ?Ç
ÎX??¼?¶?êQ°¡°tàk~HæE×?Â?N
þÛ?zÇ/??³hL}4c79Ä[?»ìä"??°Ýú/M̪OÏ?lo<4 éÛÍY)?d?¢´(??sú¾w}U<!?¸ßÌlBè?E¢?ÌG¾Ç£?à0?Ü0U#0??ak?ᢠª
Oìgñ£÷´?Áì0U3¥UWFg ?ÛÝ?±S¯d±"0Uÿ 0 Uÿ00U%0++0FU ?0=0; +²10+0)+https://secure.comodo.net/CPS0]UV0T0R P
 N?Lhttp://crl.comodoca.com/COMODOSHA256ClientAuthenticationandSecureEma
ilCA.crl0+?0?0X+0?Lhttp://crt.comodoca.com/COMODOS
HA256ClientAuthenticationandSecureEmailCA.crt0$+0?http://ocsp.c
omodoca.com0#U0research (at) sec-consult (dot) com0 [email concealed]
 *?H?÷
 ??#`|òÌopÿ? ÔU.þKw ?=ÿ[?ÁúvqïC?¦0½ I= /s©ý?оlU¿Ç±O so>¨Òi?Õãý8?ãðï??ô?Äx½ñνëº?l̸éiÒ3o§¢CÈÑBháôxm?:HuBÚþ½ÚÌ*(ɧλ
zz?¢PÈ¢ñzD?Ðɺ&t8?¬¸ïHA¸,ó?PV3i~[©èÞTb.N?¼ì+iãY?ÙzZxÙ>£©?é?³´
(ÌLï@êAýLáo«ÄRC®ª ½nðÛ?)<Ð$·çvKÒ
6Ñ<$£]7®,?9:1?A0?=0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA1r?¸SµX@úäò ïÑ ±0
 `?He ?a0 *?H?÷
 1  *?H?÷
0 *?H?÷
 1
160112081025Z0/ *?H?÷
 1" FWï~xkZ?´ åq0QØoõþ{¦àUXiÚ?az0l *?H?÷
 1_0]0  `?He*0  `?He0
*?H?÷
0*?H?÷
?0
*?H?÷
@0+0
*?H?÷
(0Á +?71³0°0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA1r?¸SµX@úäò ïÑ ±0Ã *?H?÷
  1³ °0?1 0 UGB10UGreater Manchester10USalford10U
COMODO CA Limited1A0?U8COMODO SHA-256 Client Authentication and Secure Email CA1r?¸SµX@úäò ïÑ ±0
 *?H?÷
?2t¶ré?s_ûáÔ>²ö¡Wir?©Ìy?[Q7­XB)_Ïÿß-?ß[@ u[¤.Øa,%{åÅËÑÚp3+®
ó¼åÎÌyÑ?`}¢?¸bò_¥î¤ÈMã­
4,õàÚþ´Zuv$ó¦(\?Ða?N°ãM öU??4aûrf?9w'I¿à9f(lÀ"£?ùo»s¢=¥&1?¦ÿfÙÁ?
?U@RG^#~Ø}õ3äpLº§??ÿÎÃÄ??ä?,OGÆIêøS`7?
Ò;?ù?[ÊI
ìÊ(Ð%:?ÒDD;X>Ç?À!s¬O=±?àø?²ù¥ÒoËMeyô

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus