Title: McAfee SecurityCenter Product Registration Local Cleartext Credential Disclosure
Release Date: 2009-11-20
Application: McAfee SecurityCenter 8.1.173
Cross Ref: OSVDB 60377
Reference: http://osvdb.org/ref/60/mcafee-sc-disc.txt

Description:
------------

McAfee SecurityCenter Product Registration discloses login credentials for a
registered user in plaintext, which could allow a physically proximate attacker
to visually intercept the credentials. With the credentials to the
SecurityCenter, an attacker could reconfigure the product, install new
products, change the account holder's password to the subscription service, or
cancel the subscription service.

Upon registration, the following is displayed to the user:

    Registration Completed

    Congratulations! You have successfully registered your McAfee programs.
    You can now receive automatic updates that will keep your computer safe
    with the latest and best protection.

    Please be sure to remember your login information:

    Email Address biscuit@vulnerable.dom
    Password: z3stY-gP1g#@

    You will need this when updating and renewing your subscription, or
    purchasing a new McAfee program.

Product Details:
----------------

Vendor: McAfee, Inc.
Product: SecurityCenter
Version: 8.1.173

Proof of Concept:
-----------------

Product Version Information:
http://osvdb.org/ref/60/mcafee-1-sc-version.png

Disclosure of credentials:
http://osvdb.org/ref/60/mcafee-2-sc-disclosure.png

Solution:

Workaround: Only complete product registration when other people are not in
physical proximity.

Disclosure Timeline:
--------------------

2008-06-24: Vulnerability Discovered
2008-07-05: Disclosed to Vendor
2008-07-07: Vendor Acknowledgement from R.P.
Vendor Patch
Public Disclosure

References:
-----------

OSVDB: http://osvdb.org/60377
Vendor: http://www.mcafee.com/us/small/products/demos/security_suite_solutions/security_center/

Creditee:
---------

Lyger (lyger@attrition.org)