[NT] McAfee ePolicy Orchestrator Format String Vulnerability

From: support@securiteam.com
Date: 03/17/03

  • Next message: support@securiteam.com: "[TOOL] Windows 2000 Dictionary Attacker against Active Directory"
    From: support@securiteam.com
    To: list@securiteam.com
    Date: 17 Mar 2003 18:50:35 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      McAfee ePolicy Orchestrator Format String Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     
    <http://www.mcafeeb2b.com/products/epolicy/default-desktop-protection.asp>
    McAfee Security ePolicy Orchestrator is an enterprise antivirus management
    tool. ePolicy Orchestrator is a policy driven deployment and reporting
    tool for enterprise administrators to effectively manage their desktop and
    server antivirus products.

    There is a vulnerability in the processing of network requests that allows
    an attacker to anonymously execute arbitrary code. To attack a machine
    running ePO, an attacker would typically need to be located within the
    corporate firewall with access to TCP port 8081 on the host they wish to
    compromise. Once the vulnerability is successfully exploited, the attacker
    gains SYSTEM level privileges on the host.

    This is a good example of why you should perform a risk analysis of all
    new solutions being introduced in to your environment even when the
    product is designed to enhance your overall security.

    DETAILS

    Vulnerable systems:
     * McAfee ePolicy Orchestrator 2.5.1

    The ePolicy Orchestrator Agent is a service that to allows the retrieval
    of log data. It should be noted that the Agent does not require password
    authentication to gain access and allows the retrieval of sensitive
    information (i.e. the source AV server, local paths etc.). By default, the
    agent runs as SYSTEM on the host and thus can be used to either elevate
    local privileges or remotely compromise the host.

    The ePO agent uses the HTTP protocol to communicate on port 8081. Sending
    a GET request with a request string containing a few format string
    characters will cause the service to terminate. An event will be written
    to the event log detailing the crash. A properly constructed malicious
    string containing format string characters will allow the execution or
    arbitrary code.

    Vendor Response:
    Initial contact: May, 2002
    The vendor has made a patch available. It is not directly downloadable.
    Call to request the patch. It is delivered via email.
     
    <http://www.nai.com/naicommon/aboutnai/contact/intro.asp#software-support>
    http://www.nai.com/naicommon/aboutnai/contact/intro.asp#software-support

    @stake Recommendation:
    If you have a support contract and are eligible for the patch, you should
    request it and install it.

    If you cannot patch, you should consider host based filtering so that only
    the network management systems that need to communicate with the hosts
    running ePO can connect on TCP port 8081. This requires a host based
    firewall.

    When deploying new security products within the enterprise, organizations
    should understand the risks that new security solutions may introduce.
    Does the service need to be running as the SYSTEM user? Does the service
    need to be accessed anonymously from any machine?

    In addition to the remote execution of arbitrary code issue there is an
    information disclosure issue that can be mitigated by host based network
    filtering.

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
     <http://www.atstake.com/research/advisories/2003/a031703-1.txt>
    http://www.atstake.com/research/advisories/2003/a031703-1.txt

    The information has been provided by <mailto:advisories@atstake.com>
    @stake Advisories.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: support@securiteam.com: "[TOOL] Windows 2000 Dictionary Attacker against Active Directory"