McAfee Family Protection - Epic Fail!

by Brian Van Stedum  (brianvanstedum@gmail.com)

Last spring I took a security fundamentals class while pursuing my degree as a network specialist.

This class was the most challenging, yet rewarding, of all of the classes that I have ever taken.  The final project for the class was to find a security software suite to analyze and ultimately to circumvent its security.

My instructor recommended choosing a suite that focused on parental controls, and I chose McAfee Family Protection (MFP).  McAfee Family Protection is designed to give parents the ability to control and monitor how their children use the Internet in order to prevent them from accessing potentially harmful information.  I chose it simply because of the name: McAfee.  I wanted to be challenged and I figured, "Hey, the DoD recommends McAfee's anti-virus software.  They must be pretty good, right?"  It didn't take me long to realize just how wrong I was.

Just a little about the testing process: all tests were conducted on Windows 7, and most were conducted with Windows administrator account access.  I performed the tests using administrator access since the Windows account login itself can easily be circumvented with a boot disk containing Ophcrack or NTPW.

The following analysis is the product of an in-depth audit conducted to discover any and all methods of circumventing MFP's security.  This was not a test of its effectiveness; I did not care if it let a couple of porn sites through its filters.  The goal was to find any way to bypass each of its security features entirely.  The analysis is broken down by each successful circumvention.

The majority of MFP's configuration settings, including authentication settings, are stored remotely on McAfee's own servers.  The absence of locally stored configuration files initially made circumventing its security a little more challenging.  However, after analyzing the software further, I discovered many other methods to successfully bypass the software's security.  MFP also did a fairly decent job of protecting its own locally stored files from alteration and removal.  However, it did not provide any type of protection for the Windows environment, which allowed me to perform tests and alter the system in order to bypass MFP's security.

MFP creates a usage log for all users and can send daily reports to the account administrator.  I discovered that the log is stored locally and is only sent to the online servers once per day.  Upon inspection of these log files, I determined that the file itself was not user readable and was also protected from alteration and deletion.  However, I was able to change the file's attributes, and by setting it to read-only I prevented any further Internet usage logging for that day.

MFP's Program Blocking feature blocks programs from accessing Internet resources.  An administrator can specify which programs to block based on a suggested set of programs or specify any other program to block.  I was able to bypass this feature by simply changing the name of the executable file for the program that had been blocked.

MFP's website blocking feature allows the administrator to block certain websites that the content filter would not flag as harmful.  This feature is easily bypassed by adding an entry in the Windows "hosts" file that points to the IP address of the blocked website, but uses a domain name from a site that is not blocked.
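A parent or administrator can catch the hosts-file trick described above by auditing the file for entries that point an innocent-looking name at a blocked site's address.  The following is an added example written for this article, not part of MFP; the blocked domains, their IP addresses, and the hosts file contents are constructed sample data.

```python
"""Audit a Windows hosts file (%SystemRoot%\\System32\\drivers\\etc\\hosts)
for entries that alias a blocked site's IP under another hostname.
Example code added for this article; all data below is constructed."""
import ipaddress

# Constructed sample: domains the administrator has blocked, with the IPs
# they currently resolve to (a real audit would look these up via DNS).
BLOCKED_SITES = {
    "blocked.example": {"203.0.113.10", "203.0.113.11"},
    "casino.example": {"198.51.100.7"},
}

# Constructed sample hosts file containing two bypass entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    homework.example   # alias for blocked.example
198.51.100.7    blocked-mirror.example
192.0.2.44      printer.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line: skip rather than crash the audit
        for name in fields[1:]:
            yield str(ip), name.lower()


def find_hosts_aliases(text, blocked=BLOCKED_SITES):
    """Return (ip, hostname, blocked_domain) for each hosts entry whose IP
    belongs to a blocked domain but whose name is not that domain."""
    ip_to_domain = {ip: dom for dom, ips in blocked.items() for ip in ips}
    hits = []
    for ip, name in parse_hosts(text):
        dom = ip_to_domain.get(ip)
        if dom and name != dom and not name.endswith("." + dom):
            hits.append((ip, name, dom))
    return hits
```

Any non-loopback entry in a home machine's hosts file is worth a second look even when it does not match a known blocked address, since the IP list used here is only as current as the last DNS lookup.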

Although MFP is pretty decent at content filtering and at protecting its own files, I was able to easily bypass the entire security suite by booting into Windows "Safe Mode with Networking".  Once in Safe Mode, I had unrestricted access to the Internet and was also able to circumvent McAfee's protection of its files.

The services that MFP uses cannot be disabled, stopped, or paused even from the Windows administrator account.  However, from Windows Safe Mode, a user can change which services load at Windows startup.  Using Safe Mode and Registry Editor, I changed the startup mode of the three main services used by MFP by changing each one's "Start" DWORD value from 2 (automatic) to 4 (disabled).  Once I rebooted back into normal Windows mode, McAfee Family Protection was completely disabled and I had unfiltered Internet access.
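Because the Start values live in the registry, the tampering above leaves a simple trace: a protected service whose Start value is no longer 2.  The following added example (not MFP code) parses a `.reg` export of the Services key and reports any expected service that is missing or not set to Automatic; the service names are hypothetical placeholders, since the article does not name MFP's services, and the `.reg` text is a constructed sample.

```python
"""Audit a .reg export of HKLM\\SYSTEM\\CurrentControlSet\\Services for
services whose Start value was changed from 2 (Automatic).  Added example
for this article; service names are hypothetical, sample data constructed.
Real exports (reg export ... out.reg) are UTF-16LE: open with encoding="utf-16"."""
import re

START_MODES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Hypothetical names standing in for the three MFP services.
PROTECTED_SERVICES = {"MfpSvcA", "MfpSvcB", "MfpSvcC"}

# Constructed sample export: MfpSvcB has been disabled, MfpSvcC is absent.
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MfpSvcA]
"Type"=dword:00000010
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\MfpSvcB]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler]
"Start"=dword:00000002
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.I)


def parse_service_starts(reg_text):
    """Map each service name under the Services key to its Start value."""
    starts, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        start = START_RE.match(line)
        if start and current:
            starts[current] = int(start.group(1), 16)
    return starts


def audit_services(reg_text, protected=PROTECTED_SERVICES, expected=2):
    """Return {service: problem} for protected services not at the expected
    Start mode; an empty dict means nothing was tampered with."""
    starts = parse_service_starts(reg_text)
    findings = {}
    for svc in sorted(protected):
        if svc not in starts:
            findings[svc] = "missing"
        elif starts[svc] != expected:
            findings[svc] = START_MODES.get(starts[svc], str(starts[svc]))
    return findings
```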

MFP's literature boasts about how secure its uninstallation process is; it uses a unique uninstall key, which is only good for 24 hours, and requires an uninstall program that can only be used by the MFP administrator.  As secure as they think this process is, it can be easily bypassed by using Windows' built-in system restore function.  A Windows administrator can select a restore point prior to when MFP was installed to effectively remove it from the system.

After exploring the many files MFP installed on my test system, I observed that it installed all of its language files (not just the language I chose).  After decompiling a few of these DLL files, I discovered that the file MFPLOC_EN.DLL also contained the many keywords used by the safe search feature.  I found that altering or deleting this file was nearly impossible, as it was protected by McAfee.  By utilizing the Windows Safe Mode loophole that I mentioned earlier, I was able to remove the MFPLOC_EN.DLL file and rename MFPLOC_KO.DLL to MFPLOC_EN.DLL.

By doing this, I was able to change the language from English to Korean.  Since it was now searching for Korean words rather than English words, I was able to search for any term I wanted to without being blocked.

Upon initial inspection, it appeared that MFP's greatest strength was that it saved the vast majority of its configuration files to McAfee's servers, rather than on the local machine.  However, after examining the changes it made to the hard disk, I discovered that MFP sends most of its initial configuration changes via crafted HTML files that, once sent, are saved in the "Temporary Internet Files" of a Windows 7 system.  After reviewing the saved configuration HTML files, I found one that used the administrator's username and password as an argument for the file, which it displayed in clear text.

After reviewing the saved HTML files that were sent by MFP, I discovered one named "239" that contained some local system information as an argument.  After re-executing this file (by simply double-clicking on it), a web browser opened with an administrator login prompt that was meant to be used to associate the local installation with the online McAfee user account.

By going to McAfee's website and signing up to obtain a trial of MFP, I was able to create a username and password that would become an administrator account on any new installation of McAfee Home Protection.  With this new account in hand, I entered the account information in the prompt that opened by executing the "239" file, and then associated the local installation of MFP with the administrator account that I had just created.  Since this was a new account, it would be impossible for the administrator of the original account to discover this new admin user.  Not only does this new administrator hijack the local installation of MFP, but it still permits the users of the original account to log in on the same machine.

Throughout this analysis, I was continually shocked at just how easy it was to bypass McAfee Family Protection's security features.  Additionally, I was able to bypass MFP's security using methods such as an online VPN service, a remote desktop connection, and a live OS on bootable media, among others.  I performed this analysis over the span of two weeks while having to study for other final exams, work a full-time job, and attend to my everyday family obligations.  Yet I was able to completely circumvent MFP's security features.  For a motivated teenager with nothing but time, bypassing MFP's security features would be a walk in the park.

After completing this analysis, I believe that McAfee Family Protection is ultimately useless due to the fact that a child with an average knowledge of computers could easily bypass its security.
