McAfee VirusScan Enterprise has a feature that protects its settings from modification by server admins by setting a password. This password is stored in the registry. Before version 8.8, the hash of the password can be found in:
HKEY_LOCAL_MACHINE\Software\Network Associated\TVD\Virusscan Enterprise\CurrentVersion\UIP
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\UIP
The content was MD5(unicode(password)). For example, the password “password” would generate UIP=b081dbe85e1ec3ffc3d4e7d0227400cd.
Since version 8.8 the password hashing scheme has changed, and the hash can now be found in:
HKEY_LOCAL_MACHINE\Software\Network Associated\TVD\Virusscan Enterprise\CurrentVersion\UIPEx
HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\DesktopProtection\UIPEx
The new hashing scheme is: Base64(SHA1(unicode(“\x01\x0f\x0d\x33” + password))). For example, the password “test” would generate UIPEx=“1Or2ZtCTFvnWGxR1M1OnPV+88Eg=”.
A small PoC that generates the UIPEx hash can be downloaded from the lab.
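Both schemes, plus a check of a known password against a stored registry value, as an added Python example (it is not the PoC mentioned above and not McAfee code). It assumes “unicode” means UTF-16LE, the Windows convention; the function names are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac

# Fixed prefix from the page's UIPEx formula; it is the same on every install.
UIPEX_PREFIX = "\x01\x0f\x0d\x33"


def uip_hash(password: str) -> str:
    """Pre-8.8 UIP value: MD5 over the password, as lowercase hex.
    Assumption: "unicode" on the page means UTF-16LE."""
    return hashlib.md5(password.encode("utf-16-le")).hexdigest()


def uipex_hash(password: str) -> str:
    """8.8+ UIPEx value: Base64(SHA1(UTF-16LE(prefix + password)))."""
    data = (UIPEX_PREFIX + password).encode("utf-16-le")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def classify(stored: str) -> str:
    """Tell which scheme a registry value uses, judging by its encoding."""
    value = stored.strip().strip('"')
    # Test hex first: 32 hex characters are also syntactically valid Base64.
    if len(value) == 32 and all(c in "0123456789abcdefABCDEF" for c in value):
        return "UIP"
    try:
        if len(base64.b64decode(value, validate=True)) == 20:
            return "UIPEx"
    except (binascii.Error, ValueError):
        pass
    return "unknown"


def matches(stored: str, password: str) -> bool:
    """Check a known password against a stored value in constant time."""
    value = stored.strip().strip('"')
    kind = classify(value)
    if kind == "UIP":
        return hmac.compare_digest(value.lower(), uip_hash(password))
    if kind == "UIPEx":
        return hmac.compare_digest(value, uipex_hash(password))
    return False


if __name__ == "__main__":
    # The two example values quoted on the page, with their passwords.
    for stored, pw in [("b081dbe85e1ec3ffc3d4e7d0227400cd", "password"),
                       ("1Or2ZtCTFvnWGxR1M1OnPV+88Eg=", "test")]:
        print(classify(stored), matches(stored, pw))
```

Because the UIPEx prefix is a fixed constant rather than a per-host salt, two hosts configured with the same password store the same value.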