### Vulnerability Summary
The following advisory describes a remote command execution vulnerability found in McAfee Security Scan Plus version 3.11.587.1.
McAfee Security Scan Plus is “a free diagnostic tool that ensures you are protected from threats by actively checking your computer for up-to-date anti-virus, firewall, and web security software. It also scans for threats in any open programs.”
### Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
### Vendor response
McAfee was informed of the vulnerability on August 3 2017, but, while acknowledging receipt of the vulnerability information (a case ID was assigned), refused to respond to the technical claims, to give a fix timeline, or to coordinate an advisory.
### Vulnerability details
An active network attacker can achieve remote code execution on a machine that runs McAfee Security Scan Plus.
When the scan is complete, McAfee Security Scan Plus POSTs data to liteapps.mcafee.com over a plaintext HTTP channel, so anyone on the network path can read and alter both the request and the server's response.
data:image/s3,"s3://crabby-images/f2029/f20292709ec73225a2c6074462c81acdf0a82efe" alt=""
data:image/s3,"s3://crabby-images/6de8e/6de8eb05d6118b440765e0465242de163b7e6255" alt=""
A man-in-the-middle attacker can modify the response by adding the following script. The response is rendered as HTML by the application, so the injected script runs with access to the application's `window.external` object, and its `LaunchApplication` method starts an arbitrary program on the host; here it launches calc.exe as a proof of concept:
```html
<!-- injected into the server's HTTP response by the on-path attacker -->
<script>
window.external.LaunchApplication("c:\\windows\\system32\\calc.exe", "");
</script>
```
data:image/s3,"s3://crabby-images/efdb0/efdb04e188a49fcdbf72f85c1e5116c901a807bf" alt=""