Researchers from SafeBreach have discovered a vulnerability in all editions of McAfee Anti-Virus that allows loading any unsigned DLL with the highest level of privilege. Fortunately, the vulnerability (assigned CVE-2019-3648) requires that the attacker already have administrative privilege on the computer they are attempting to exploit. The researchers noticed that the software was trying to load the DLL “wbemcomn.dll” from “C:\Windows\System32\wbem”, when it is actually located one directory up, in “C:\Windows\System32”. To test this, an unsigned DLL was placed at the location McAfee searches. The test DLL logs the name of any process that loads it, the user account that process runs under, and the name of the DLL file. When the computer was rebooted, it was found that multiple processes, all signed by McAfee, had loaded the DLL with the highest level of privileges on the Windows computer.
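The defender's check for this pattern is to watch for a known System32 DLL being loaded from a directory other than its real one, and in particular an unsigned copy. The following is an added example, not code from SafeBreach, McAfee or the original write-up: it assumes image-load telemetry in the shape of Sysmon Event ID 7 fields (Image, ImageLoaded, Signed, User), and the records and process paths below are constructed placeholders.

```python
# Added example: flag image loads that match the DLL search-order hijack pattern.
# Assumes Sysmon Event ID 7 style records; sample data below is constructed.
from pathlib import PureWindowsPath

# Where the DLL really lives. wbemcomn.dll is the case from the write-up: it sits
# in System32, but the affected product looked in System32\wbem for it first.
EXPECTED_DLL_DIRS = {
    "wbemcomn.dll": r"C:\Windows\System32",
}


def is_suspicious_load(record):
    """Return a reason string if the load matches the hijack pattern, else None."""
    loaded = PureWindowsPath(record["ImageLoaded"])
    expected_dir = EXPECTED_DLL_DIRS.get(loaded.name.lower())
    if expected_dir is None:
        return None  # not a DLL we track
    actual_dir = str(loaded.parent)
    if actual_dir.lower() == expected_dir.lower():
        return None  # loaded from its legitimate location
    reasons = [f"{loaded.name} loaded from {actual_dir} instead of {expected_dir}"]
    if record.get("Signed", "false").lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return "; ".join(reasons)


# Constructed records: process paths are placeholders, not real product binaries.
SAMPLE_LOADS = [
    {   # legitimate load from the DLL's real directory
        "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
        "ImageLoaded": r"C:\Windows\System32\wbemcomn.dll", "Signed": "true",
    },
    {   # the hijack case: unsigned copy picked up from the wrong directory
        "Image": r"C:\Program Files\Vendor\scanner.exe", "User": r"NT AUTHORITY\SYSTEM",
        "ImageLoaded": r"C:\Windows\System32\wbem\wbemcomn.dll", "Signed": "false",
    },
    {   # untracked DLL, ignored
        "Image": r"C:\Program Files\Vendor\scanner.exe", "User": r"NT AUTHORITY\SYSTEM",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
    },
]


def scan(records):
    """Return (process, user, loaded path, reason) for every suspicious record."""
    hits = []
    for r in records:
        reason = is_suspicious_load(r)
        if reason:
            hits.append((r["Image"], r["User"], r["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for image, user, dll, reason in scan(SAMPLE_LOADS):
        print(f"{image} ({user}) -> {dll}: {reason}")
```

A hit from a SYSTEM-level, vendor-signed process loading an unsigned copy from the wrong directory is exactly the condition the researchers' test DLL recorded.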
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense