[NEWS] McAfee ePolicy Orchestrator Remote Compromise

Subject: [NEWS] McAfee ePolicy Orchestrator Remote Compromise
Date: 16 Jul 2006 13:00:47 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  McAfee ePolicy Orchestrator Remote Compromise
------------------------------------------------------------------------


SUMMARY

"McAfee ePolicy Orchestrator is a security management solution that gives you a 
coordinated defense against malicious threats and attacks."
<http://www.mcafee.com/us/enterprise/products/system_security_management/epolicy_orchestrator.html>

Due to a directory traversal attack, it is possible to write any file with 
any contents to anywhere on the remote system.

DETAILS

Vulnerable Systems:
 * McAfee Common Management (EPO) Agent versions below 3.5.5.438

The flaw lies within the Framework Service component of the McAfee EPO 
management console. The Framework Service is enabled and running by default 
on all servers and agents. It listens by default on port 8081 and accepts 
requests over HTTP, and it allows configuration and update changes to be 
submitted remotely. Each request is obfuscated, SHA-1 hashed and DSA signed, 
and written to a file on disk. Due to a directory traversal attack, it is 
possible to write any file with any contents to anywhere on the remote system.

This flaw allows a remote attacker to anonymously compromise an affected 
system and execute code within the SYSTEM context.

The Framework Service accepts POST requests on the /spipe/pkg interface. 
These POST requests contain a header which indicates the type of package 
request (PackageType), a UUID, and the computer hostname. Depending on the 
request, the block that follows may contain data specific to that request. 
In the case of this vulnerability, the request type is "PropsResponse". 
The data that follows first specifies a directory and XML filename, and is 
followed by the contents of the XML file. Because the directory and filename 
are not properly sanity-checked, a directory traversal attack can be used to 
write a user-defined filename, with user-defined contents, anywhere on the 
system.
One factor that would hinder exploitation is that the file is deleted 
immediately after use; the advisory notes that this can be overcome by 
setting the file data length field to exceed the actual data length.

Each package request is obfuscated by XOR'ing the package data with the 
static byte 0xAA, and is then SHA-1 hashed and DSA signed.

The vulnerable package format follows (offsets are hexadecimal; fields marked 
??? were not fully identified):

+00h WORD magic = "PO" (0x4F50)
+02h DWORD = 20000001h, 20001001h, or 30000001h
+06h DWORD file offset of XML
+0Ah [E0h] fixed-length data
+0Ah DWORD
+0Eh DWORD
+12h DWORD length of XML
+16h [40h] ASCII ??? GUID
+56h [40h] ASCII ??? GUID
+96h DWORD
+9Ah [???] ASCII host name
..

+EAh [...] name-value pairs
X+00h DWORD length of following name string
+04h [...] ASCII name string (no null terminator)
X+00h DWORD length of following value data
+04h [...] value data (null terminated if ASCII string)

X+00h [...] XML
+00h WORD
+02h WORD length of following file name string
+04h [...] ASCII .xml file name string * traversal attack: may be any directory and file extension
X+00h DWORD length of following XML * increasing the length prevents deletion
+04h [...] ASCII XML * file data

X+00h DWORD length of signature data = 2Ch
+04h WORD (big-endian) number of bits in DSA signature 'r' component
+06h [14h] DSA signature 'r' component (technically variable-length)
+1Ah WORD (big-endian) number of bits in DSA signature 's' component
+1Ch [14h] DSA signature 's' component (also variable-length)
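The following is an added example, not part of the advisory and not eEye's or McAfee's code. It shows how a defender (for instance in a network sensor or a host-side pre-filter) could parse a "PropsResponse" package laid out as described above and flag the two abuse indicators the advisory names: a file name that escapes the intended directory or is not an .xml file, and a declared XML length larger than the XML data actually present. The layout constants (0xEA-byte fixed header, the XML block located through the offset at +06h, a 2Ch-byte signature trailer) follow the advisory; everything else, including the whole-body XOR 0xAA assumption, the zero-filled placeholder signature, the host name, and the sample packages, is constructed for this example.

```python
import struct
from typing import Optional

MAGIC = b"PO"                     # +00h WORD magic 0x4F50, little-endian
KNOWN_VERSIONS = {0x20000001, 0x20001001, 0x30000001}  # +02h DWORD per the advisory
HEADER_LEN = 0xEA                 # +0Ah fixed-length [E0h] block ends at +EAh
SIG_LEN = 0x2C                    # trailing signature data length per the advisory
XOR_KEY = 0xAA


def obfuscate(data: bytes) -> bytes:
    """XOR every byte with 0xAA; the operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def parse_package(wire: bytes) -> dict:
    """Decode a package body and extract the XML file-name block.

    Assumption (constructed for this example): the whole body is XOR'd with
    0xAA. The XML block is reached through the +06h offset, so the name-value
    pairs in between do not need to be walked. The actual XML length is
    measured from the end of the buffer backwards over the signature trailer,
    which is how an inflated declared length becomes visible.
    """
    buf = obfuscate(wire)
    if buf[0:2] != MAGIC:
        raise ValueError("bad magic")
    version, xml_off = struct.unpack_from("<II", buf, 0x02)
    if version not in KNOWN_VERSIONS:
        raise ValueError("unknown package version 0x%08x" % version)
    _unknown, name_len = struct.unpack_from("<HH", buf, xml_off)
    name_start = xml_off + 4
    name = buf[name_start:name_start + name_len].decode("ascii", "replace")
    declared_len = struct.unpack_from("<I", buf, name_start + name_len)[0]
    data_start = name_start + name_len + 4
    actual_len = len(buf) - data_start - (4 + SIG_LEN)
    if actual_len < 0:
        raise ValueError("truncated package")
    return {
        "version": version,
        "filename": name,
        "declared_xml_len": declared_len,
        "actual_xml_len": actual_len,
        "xml": buf[data_start:data_start + actual_len],
    }


def analyze_package(wire: bytes) -> list:
    """Return the abuse indicators found in one package (empty list = clean)."""
    pkg = parse_package(wire)
    name = pkg["filename"]
    findings = []
    parts = name.replace("\\", "/").split("/")
    absolute = name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":")
    if ".." in parts or absolute:
        findings.append("path-traversal")
    if not name.lower().endswith(".xml"):
        findings.append("non-xml-filename")
    if pkg["declared_xml_len"] > pkg["actual_xml_len"]:
        findings.append("inflated-xml-length")
    return findings


def build_package(filename: str, xml: bytes, declared_len: Optional[int] = None) -> bytes:
    """Construct a sample package for testing the checks above (not real agent traffic)."""
    if declared_len is None:
        declared_len = len(xml)
    hdr = bytearray(HEADER_LEN)
    hdr[0:2] = MAGIC
    struct.pack_into("<I", hdr, 0x02, 0x20000001)
    struct.pack_into("<I", hdr, 0x06, HEADER_LEN)      # XML block right after the header (no name-value pairs)
    struct.pack_into("<I", hdr, 0x12, declared_len)    # mirrors the +12h "length of XML" field
    host = b"WORKSTATION-01"                           # constructed host name at +9Ah
    hdr[0x9A:0x9A + len(host)] = host
    name = filename.encode("ascii")
    xml_block = struct.pack("<HH", 0, len(name)) + name + struct.pack("<I", declared_len) + xml
    signature = struct.pack("<I", SIG_LEN) + b"\x00" * SIG_LEN   # placeholder, not a real DSA signature
    return obfuscate(bytes(hdr) + xml_block + signature)


if __name__ == "__main__":
    clean = build_package("props.xml", b"<props/>")
    suspicious = build_package("..\\..\\not_xml.txt", b"<x/>", declared_len=4096)
    print("clean     :", analyze_package(clean))
    print("suspicious:", analyze_package(suspicious))
```

The traversal check normalises backslashes to forward slashes before looking for a ".." path component, because the agent runs on Windows and either separator may appear; an absolute path or drive-letter prefix is treated the same way. Signature verification is deliberately out of scope here: as the advisory notes, the request is DSA signed, so a real filter would verify the signature before trusting any of the parsed fields.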

Vendor Status:
McAfee customers must log in to the McAfee customer website, download 
version 3.5.5.438 or higher of the Common Management Agent (ePO Framework), 
and upgrade existing ePO agent deployments.


ADDITIONAL INFORMATION

The information has been provided by eEye Advisories 
<mailto:Advisories@eeye.com>.


