Bypassing McAfee’s Application Whitelisting for Critical Infrastructure Systems



“McAfee Application Control software provides an effective way to block unauthorized applications and code on servers, corporate desktops, and fixed-function devices. This centrally managed whitelisting solution uses a dynamic trust model and innovative security features that thwart advanced persistent threats — without requiring signature updates or labor-intensive list management.” (1)

McAfee Application Control is a software product that can be used to further harden operating systems by whitelisting applications. This is especially useful for protecting critical infrastructure. Infrastructures where updates may not be installed because of certain reliability and availability requirements are another field of application. Examples of such requirements can often be found in SCADA environments, where updates are not applied in order to avoid the risk of a flaw introduced by an update package. In theory the application should block executables that are not whitelisted and therefore prevent the execution of attacker-supplied code. The following quote can be found on the product homepage:

“Minimize patching while protecting memory — Allows you to delay patch deployment until your regular patch cycle. In addition, it prevents whitelisted applications from being exploited via memory buffer overflow attacks on Windows 32- and 64-bit systems.” (1)

The aim of this paper is to describe the results of the research conducted to verify if the protections provided by McAfee Application Control stop or prevent attacks and how hard it is for an attacker to bypass them.

Section 2 describes various ways to bypass the whitelisting protection to achieve arbitrary code execution. It is split into three parts. The first describes techniques to obtain so-called “basic code execution”, which means a basic form of code execution without yet having the ability to execute arbitrary code. The second part discusses how such basic code execution can be turned into full code execution to accomplish the goal of a complete whitelisting bypass. This also includes a discussion of the security of the memory corruption protections provided by McAfee Application Control and how these can be bypassed by attackers. The third part explains concepts for bypassing Microsoft’s UAC (User Account Control) feature on systems running McAfee Application Control.

Section 3 deals with the concept of write and read protection and how these protections can easily be bypassed as soon as code execution is achieved. Section 4 describes the identified kernel driver vulnerabilities as well as their impact. The last chapter gives a conclusion of the research.

Source: Packetstormsecurity