[VulnWatch] ePolicy Orchestrator multiple vulnerabilities

From: _at_stake Advisories (_at_stake)
Date: 07/31/03

Date: Thu, 31 Jul 2003 10:57:17 -0700
To: vulnwatch@vulnwatch.org

Hash: SHA1

                           @stake, Inc.

                        Security Advisory

Advisory Name: ePolicy Orchestrator multiple vulnerabilities
 Release Date: 07/31/2003
  Application: McAfee ePolicy Orchestrator 2.X and 3.0
     Platform: Windows
     Severity: Remote code execution
       Author: Andreas Junestam [andreas@atstake.com]
Vendor Status: Vendor had bulletin and patch
CVE Candidate: CAN-2003-0148, CAN-2003-0149, CAN-2003-0616
    Reference: www.atstake.com/research/advisories/2003/a073103-1.txt


     McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/ products/epolicy/default-desktop-
protection.asp [line wrapped]) is an enterprise antivirus management
tool. ePolicy Orchestrator is a policy driven deployment and
reporting tool for enterprise administrators to effectivley manage
their desktop and server antivirus products.

Three vulnerabilities exist in the ePolicy Server and Agent
that allows an attacker to anonymously execute arbitrary code. To
attack a machine running ePO, an attacker would typically need to
be located within the corporate firewall and be able to connect over
the network to the host they wish to compromise. Once one of the
vulnerability is successfully exploited the attacker can execute
arbitrary code under the privileges used by ePO. SYSTEM is the


     The ePolicy Orchestrator (ePO) is built upon a client / server
solution with Agents running on all client hosts. This allows all
installation and administration of antivirus software to be
centralized to one host. To achive this, ePO relies on three parts:
Server, Agents and MSDE (to store configuration information). All
services are by default installed to run as SYSTEM on the host and
thus can be used to either elevate local privileges or remotely
compromise the host.

@stake has discovered 3 different vulnerabilities in the ePO
solution. 2 vulnerabilies concern the server and 1 concerns
the agent.

Server Issue #1

MSDE SA account compromise - This vulnerability applies to ePO 2.X
and 3.0 and is divided up into 3 different parts, that combined
allows an attacker to execute code on the host.

Information disclosure - By issuing a properly formatted HTTP
request to the ePO Server, it will respond with the server config
file. This config file contains username and encrypted password
for the database administrator of the MSDE installation.

Weak cryptography implementation - The encrypted password stored
in the ePO Server config file is encrypted with a DES variant and a
secret key. The secret key is stored in a dll, making decryption of
the password an easy task.

Default MSDE installation - The installation of MSDE is not
hardened, so once the attacker has the database administrator
username and password, he can execute OS commands as SYSTEM
through xp_cmdshell.

Server Issue #2

ComputerList format string vulnerability - This vulnerability
applies to ePO 2.X. Sending a POST request to the Server where the
ComputerList parameter contains a few format characters will cause
the service to crash when it tries to log a failed name resolution.
A properly constucted malicious string containing format string
characters will allow the execution of arbitrary code.

Client Issue #1

ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X.
Sending a POST request to the Agent where parameters on the URL are
substituted by a large number of A's will cause the service to
crash. A properly formatted request will allow an attacker to
overwrite arbitrary data and thus execute code.

Vendor Response:

Initial contact: March 15, 2003
Confirmed issues: March 31, 2003
Fix available: July 31, 2003

NAI has released a bulletin and a patch that resolves these
issues. Bulletin:


@stake Recommendation:

When deploying new security products within the enterprise,
organizations should understand the risks that new security
solutions may introduce. Does the service need to be running as
the SYSTEM user? Does the service need to be accessed anonymously
from any machine? Usually the answer is no. Products should
be configured to use the least privilege required and only
send and recieve network data to the required machines.

@stake recommends installing the vendor patch.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

CAN-2003-0148 ePolicy Orchestrator MSDE SA account compromise
CAN-2003-0149 ePolicy Orchestrator 2.x Post Parameters Heap Overflow
CAN-2003-0616 ePolicy Orchestrator 2.x Computerlist format string

@stake Vulnerability Reporting Policy:

@stake Advisory Archive:

PGP Key:

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

Version: PGP 8.0


Relevant Pages

  • [NEWS] ePolicy Orchestrator Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... and use a Thawte Digital Certificate on your MSIIS web server. ... To attack a machine running ePO, an attacker would typically need to be ... MSDE SA account compromise - This vulnerability applies to ePO 2.X and 3.0 ...
  • ePolicy Orchestrator multiple vulnerabilities
    ... Advisory Name: ePolicy Orchestrator multiple vulnerabilities ... Three vulnerabilities exist in the ePolicy Server and Agent ... arbitrary code under the privileges used by ePO. ... MSDE SA account compromise - This vulnerability applies to ePO 2.X ...
  • SecurityFocus Microsoft Newsletter #142
    ... MICROSOFT VULNERABILITY SUMMARY ... Mollensoft Enceladus Server Suite Clear Text Password Storage... ... FakeBO Syslog Format String Vulnerability ... Methodus 3 Web Server File Disclosure Vulnerability ...
  • SecurityFocus Microsoft Newsletter #139
    ... OFF any Windows 2000 Managed Dedicated Hosting Solution from Interland. ... Sun ONE Application Server Plaintext Password Vulnerability ... Batalla Naval Remote Buffer Overflow Vulnerability ...
  • SecurityFocus Microsoft Newsletter #140
    ... Cafelog b2 Remote File Include Vulnerability ... Webfroot Shoutbox Remote Command Execution Vulnerability ... Pablo Software Solutions Baby POP3 Server Multiple Connection... ... Microsoft Windows XP Nested Directory Denial of Service... ...