CVE-2006-3961
Published 2006-08-01
Priority: P342 · Severity: medium · CVSS 2.0: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 33.82% (98.2th percentile)
Buffer overflow in McSubMgr ActiveX control (mcsubmgr.dll) in McAfee Security Center 6.0.23 for Internet Security Suite 2006, Wireless Home Network Security, Personal Firewall Plus, VirusScan, Privacy Service, SpamKiller, AntiSpyware, and QuickClean allows remote user-assisted attackers to execute arbitrary commands via long string parameters, which are later used in vsprintf.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcafee | antispyware | — | — |
| mcafee | antispyware | — | — |
| mcafee | internet_security_suite | — | — |
| mcafee | internet_security_suite | — | — |
| mcafee | internet_security_suite | — | — |
| mcafee | personal_firewall_plus | — | — |
| mcafee | personal_firewall_plus | — | — |
| mcafee | personal_firewall_plus | — | — |
| mcafee | privacy_service | — | — |
| mcafee | privacy_service | — | — |
| mcafee | privacy_service | — | — |
| mcafee | quickclean | — | — |
| mcafee | quickclean | — | — |
| mcafee | quickclean | — | — |
| mcafee | security_center | — | — |
| mcafee | security_center | — | — |
| mcafee | security_center | — | — |
| mcafee | security_center | — | — |
| mcafee | spamkiller | — | — |
| mcafee | spamkiller | — | — |
| mcafee | spamkiller | — | — |
| mcafee | virusscan | — | — |
| mcafee | virusscan | — | — |
| mcafee | virusscan | — | — |
| mcafee | wireless_home_network_security | — | — |
Detection & IOCs
- Monitor for ActiveX instantiation of the McSubMgr control (mcsubmgr.dll) in browser processes, particularly calls to the COM-exposed method IsAppExpired with abnormally large string arguments (>2972 bytes).
- The exploit targets Windows XP SP0/SP1 using a JMP ESP gadget at 0x7605122f in shell32.dll; alert on EIP/return address control pointing to this address in browser exploit context.
- The Metasploit module only supports Windows XP SP0/SP1 as a target; Windows XP SP2 has a commented-out alternative RET address (comctl32.dll 0x773f346a) but is not enabled, meaning exploitation against SP2 requires a different gadget.
- The vulnerable ActiveX control is present in multiple McAfee products under Security Center 6.0.23, including Internet Security Suite 2006, Wireless Home Network Security, Personal Firewall Plus, VirusScan, Privacy Service, SpamKiller, AntiSpyware, and QuickClean. Scope detection broadly across all these products.
No detection rules found.
Exploit-DB
McAfee Subscription Manager - Remote Stack Buffer Overflow (Metasploit)
exploitdb·2010-07-03
---
##
# $Id: mcafee_mcsubmgr_vsprintf.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'McAfee Subscription Manager Stack Buffer Overflow',
'Description' => %q{
This module exploits a flaw in the McAfee Subscription Manager ActiveX control.
Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by
passing a large string to one of the COM-exposed routines, such as IsAppExpired.
This vulnerability was discov
Metasploit
McAfee Subscription Manager Stack Buffer Overflow
metasploit
This module exploits a flaw in the McAfee Subscription Manager ActiveX control. Due to an unsafe use of vsprintf, it is possible to trigger a stack buffer overflow by passing a large string to one of the COM-exposed routines, such as IsAppExpired. This vulnerability was discovered by Karl Lynn of eEye.
No writeups or analysis indexed.
References
- http://secunia.com/advisories/21264
- http://securitytracker.com/id?1016614
- http://ts.mcafeehelp.com/faq3.asp?docid=407052
- http://www.eeye.com/html/research/advisories/AD2006807.html
- http://www.eeye.com/html/research/upcoming/20060719.html
- http://www.kb.cert.org/vuls/id/481212
- http://www.osvdb.org/27698
- http://www.securityfocus.com/archive/1/442495/100/100/threaded
- http://www.securityfocus.com/bid/19265
- http://www.vupen.com/english/advisories/2006/3096