[NEWS] McAfee ePolicy Orchestrator Remote Compromise



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



McAfee ePolicy Orchestrator Remote Compromise
------------------------------------------------------------------------


SUMMARY

"McAfee ePolicy Orchestrator is a security management solution that gives you a coordinated defense against malicious threats and attacks."
<http://www.mcafee.com/us/enterprise/products/system_security_management/epolicy_orchestrator.html>

Due to a directory traversal attack, it is possible to write any file with
any contents to anywhere on the remote system.

DETAILS

Vulnerable Systems:
* McAfee Common Management (EPO) Agent versions below version 3.5.5.438

A flaw exists within the Framework Service component of the McAfee EPO
management console. The Framework service is enabled and running by default on all
servers and agents. The framework service listens by default on port 8081
and accepts requests over the HTTP protocol. The framework service allows
for remotely submitting configuration and update changes. Each request is
encrypted, SHA-1 hashed and DSA signed, and written to a file on disk. Due
to a directory traversal attack, it is possible to write any file with any
contents to anywhere on the remote system.

This flaw allows a remote attacker to anonymously compromise an affected
system and execute code within the SYSTEM context.

The framework service accepts POST requests over the /spipe/pkg interface.
These POST requests contain a header which indicates the type of package
request, UUID, and computer hostname. Depending on the request, the block
that follows may contain data specific to that request. In the case of
this vulnerability, the type of request (PackageType) is "PropsResponse".
The data that follows first specifies a directory and xml filename, and is
followed by the contents of the xml file. Due to improper sanity checking
on the directory and filename, it is possible to use a directory traversal
attack to write a user defined filename, with user defined contents,
anywhere on the system.

A factor that would hinder exploitation is that the file is immediately
deleted after use; this can be overcome by increasing the file data length
field to exceed the actual data length.

Each package request is obfuscated by XOR'ing the package data with the
static byte 0xAA, and is then SHA-1 hashed and DSA signed.

The vulnerable package format follows:

+00h WORD magic = "PO" (0x4F50)
+02h DWORD = 20000001h, 20001001h, or 30000001h
+06h DWORD file offset of XML
+0Ah [E0h] fixed-length data
+0Ah DWORD
+0Eh DWORD
+12h DWORD length of XML
+16h [40h] ASCII ??? GUID
+56h [40h] ASCII ??? GUID
+96h DWORD
+9Ah [???] ASCII host name
..

+EAh [...] name-value pairs
X+00h DWORD length of following name string
+04h [...] ASCII name string (no null terminator)
X+00h DWORD length of following value data
+04h [...] value data (null terminated if ASCII string)

X+00h [...] XML
+00h WORD
+02h WORD length of following file name string
+04h [...] ASCII .xml file name string * traversal attack, may be any directory and file extension
X+00h DWORD length of following XML * increase length to prevent deletion
+04h [...] ASCII XML * filename data

X+00h DWORD length of signature data = 2Ch
+04h WORD (big-endian) number of bits in DSA signature 'r' component
+06h [14h] DSA signature 'r' component (technically it's variable-length)
+1Ah WORD (big-endian) number of bits in DSA signature 's' component
+1Ch [14h] DSA signature 's' component (also variable-length)
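As an added example (not code from the advisory, eEye or McAfee), the following Python parses the layout above and flags the two conditions the advisory describes: a file name that leaves the expected directory or extension, and a declared XML length that does not match the data actually present. It assumes the trailing signature block is a DWORD (2Ch) plus 2Ch bytes and sits inside the XOR layer, and the constructed sample package (build_package) carries no name-value pairs; both are assumptions, as are the names parse_package and build_package.

```python
import struct

XOR_KEY = 0xAA          # static obfuscation byte named in the advisory
SIG_BLOCK = 4 + 0x2C    # assumption: DWORD length (2Ch) + 2Ch bytes of DSA r/s data


def deobfuscate(data: bytes) -> bytes:
    """XOR every byte with 0xAA; symmetric, so it also obfuscates constructed packages."""
    return bytes(b ^ XOR_KEY for b in data)


def parse_package(raw: bytes) -> dict:
    """Parse the fixed header and the XML block, returning fields plus findings."""
    pkg = deobfuscate(raw)
    magic, version, xml_off = struct.unpack_from("<HII", pkg, 0)
    if magic != 0x4F50:                                  # "PO"
        raise ValueError("bad magic")
    hdr_xml_len = struct.unpack_from("<I", pkg, 0x12)[0]
    host = pkg[0x9A:pkg.index(b"\0", 0x9A)].decode("ascii", "replace")
    # XML block: WORD, WORD file name length, file name, DWORD XML length, XML data
    name_len = struct.unpack_from("<H", pkg, xml_off + 2)[0]
    fname = pkg[xml_off + 4:xml_off + 4 + name_len].decode("ascii", "replace")
    pos = xml_off + 4 + name_len
    decl_len = struct.unpack_from("<I", pkg, pos)[0]
    actual_len = max(len(pkg) - (pos + 4) - SIG_BLOCK, 0)   # bytes really present
    findings = []
    if any(t in fname for t in ("..", "/", "\\")) or not fname.lower().endswith(".xml"):
        findings.append("filename_traversal_or_extension")
    if decl_len != actual_len or decl_len != hdr_xml_len:
        findings.append("xml_length_mismatch")
    return {"version": version, "host": host, "filename": fname,
            "declared_len": decl_len, "actual_len": actual_len,
            "findings": findings}


def build_package(fname: bytes, xml: bytes, declared_len: int) -> bytes:
    """Constructed test input (not a real capture): header with no name-value
    pairs, then the XML block, then a zeroed placeholder signature block."""
    hdr = bytearray(0xEA)
    struct.pack_into("<HII", hdr, 0, 0x4F50, 0x20000001, 0xEA)   # magic, version, XML offset
    struct.pack_into("<I", hdr, 0x12, declared_len)                # header copy of XML length
    hdr[0x9A:0x9A + 8] = b"HOST-01\0"
    xml_blk = struct.pack("<HH", 0, len(fname)) + fname + struct.pack("<I", declared_len) + xml
    sig = struct.pack("<I", 0x2C) + b"\0" * 0x2C
    return deobfuscate(bytes(hdr) + xml_blk + sig)
```

A patched agent or a network sensor watching port 8081 would apply the same two checks before the file is written.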

Vendor Status:
McAfee customers must login to the McAfee customer website and download
version 3.5.5.438 or higher of the Common Management Agent (ePO Framework)
and upgrade existing ePO agent deployments.


ADDITIONAL INFORMATION

The information has been provided by eEye Advisories <mailto:Advisories@xxxxxxxx>.


