[NT] McAfee ePolicy Orchestrator Format String Vulnerability
From: email@example.com To: firstname.lastname@example.org Date: 17 Mar 2003 18:50:35 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
In the US?
Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!
Please contact us at: 323-882-8286 or email@example.com
- - - - - - - - -
McAfee ePolicy Orchestrator Format String Vulnerability
McAfee Security ePolicy Orchestrator is an enterprise antivirus management
tool. ePolicy Orchestrator is a policy driven deployment and reporting
tool for enterprise administrators to effectively manage their desktop and
server antivirus products.
There is a vulnerability in the processing of network requests that allows
an attacker to anonymously execute arbitrary code. To attack a machine
running ePO, an attacker would typically need to be located within the
corporate firewall with access to TCP port 8081 on the host they wish to
compromise. Once the vulnerability is successfully exploited, the attacker
gains SYSTEM level privileges on the host.
This is a good example of why you should perform a risk analysis of all
new solutions being introduced in to your environment even when the
product is designed to enhance your overall security.
* McAfee ePolicy Orchestrator 2.5.1
The ePolicy Orchestrator Agent is a service that to allows the retrieval
of log data. It should be noted that the Agent does not require password
authentication to gain access and allows the retrieval of sensitive
information (i.e. the source AV server, local paths etc.). By default, the
agent runs as SYSTEM on the host and thus can be used to either elevate
local privileges or remotely compromise the host.
The ePO agent uses the HTTP protocol to communicate on port 8081. Sending
a GET request with a request string containing a few format string
characters will cause the service to terminate. An event will be written
to the event log detailing the crash. A properly constructed malicious
string containing format string characters will allow the execution or
Initial contact: May, 2002
The vendor has made a patch available. It is not directly downloadable.
Call to request the patch. It is delivered via email.
If you have a support contract and are eligible for the patch, you should
request it and install it.
If you cannot patch, you should consider host based filtering so that only
the network management systems that need to communicate with the hosts
running ePO can connect on TCP port 8081. This requires a host based
When deploying new security products within the enterprise, organizations
should understand the risks that new security solutions may introduce.
Does the service need to be running as the SYSTEM user? Does the service
need to be accessed anonymously from any machine?
In addition to the remote execution of arbitrary code issue there is an
information disclosure issue that can be mitigated by host based network
The original advisory can be downloaded from:
The information has been provided by <mailto:firstname.lastname@example.org>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: email@example.com
In order to subscribe to the mailing list, simply forward this email to: firstname.lastname@example.org
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.