Atstake Security Advisory 03-03-17.1
Posted Mar 18, 2003
Authored by Atstake, Ollie Whitehouse | Site atstake.com

Atstake Security Advisory A031703-1 - McAfee ePolicy Orchestrator v2.5.1, an enterprise antivirus management tool for Windows 2000, contains a remote format string vulnerability which allows code execution as SYSTEM if TCP port 8081 is accessible.

tags | remote, tcp, code execution
systems | windows
SHA-256 | 57b85495432c8e5ec8fc8404b83aa9c7607157c7553eda5446874f8bbc55c20c

@stake Inc.
www.atstake.com

Security Advisory

Advisory Name: ePolicy Orchestrator Format String Vulnerability
Release Date: 03/17/2003
Application: McAfee ePolicy Orchestrator 2.5.1
Platform: Windows 2000 Server SP1, Windows 2000 Pro SP1
Severity: There is a format string vulnerability that leads to the
remote execution of code as SYSTEM.
Author: Ollie Whitehouse [ollie@atstake.com]
Vendor Status: Vendor has patch available
CVE Candidate: CAN-2002-0690
Reference: www.atstake.com/research/advisories/2003/a031703-1.txt


Overview:

McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/products/epolicy/default-desktop-protection.asp)
is an enterprise antivirus management tool. ePolicy Orchestrator is a
policy driven deployment and reporting tool for enterprise
administrators to effectively manage their desktop and server antivirus
products.

There is a vulnerability in the processing of network requests that
allows an attacker to anonymously execute arbitrary code. To attack
a machine running ePO, an attacker would typically need to be
located within the corporate firewall with access to TCP port 8081
on the host they wish to compromise. Once the vulnerability is
successfully exploited the attacker gains SYSTEM level privileges on
the host.

This is a good example of why you should perform a risk analysis of
all new solutions being introduced into your environment, even when
the product is designed to enhance your overall security.


Details:

The ePolicy Orchestrator Agent is a service that allows the retrieval
of log data. It should be noted that the Agent does not require
password authentication to gain access and allows the retrieval of
sensitive information (e.g. the source AV server, local paths, etc.).
By default the agent runs as SYSTEM on the host and thus can be used
to either elevate local privileges or remotely compromise the host.

The ePO agent uses the HTTP protocol to communicate on port 8081.
Sending a GET request with a request string containing a few format
string characters will cause the service to terminate. An event
will be written to the event log detailing the crash. A properly
constructed malicious string containing format string characters
will allow the execution of arbitrary code.
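The bug class behind the crash described above, as an added example that is not @stake's or McAfee's code and does not reproduce ePO's actual logging path: a request logger that hands the peer-supplied request string to a printf-style function as the format argument (vulnerable), the same logger with a constant format (hardened), and a small checker that counts printf directives in a request string so a defender can alert on probes of this kind. All function names are hypothetical and the sample request strings are constructed, not captured traffic.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define LOG_MAX 256

/* VULNERABLE pattern (illustrative; never reachable from untrusted input
 * in real code): the peer-supplied request string is used as the format
 * argument, so every '%' directive in it is interpreted by snprintf. */
int log_request_vulnerable(char *out, size_t out_len, const char *request)
{
    return snprintf(out, out_len, request);
}

/* HARDENED form: the format string is a compile-time constant and the
 * request is passed only as data, so '%' characters in it are inert. */
int log_request_safe(char *out, size_t out_len, const char *request)
{
    return snprintf(out, out_len, "GET request: %s", request);
}

/* Count printf-style directives in an untrusted string. "%%" is a literal
 * percent sign and is not counted. Flags, width, precision, positional
 * markers and length modifiers are skipped so that "%08x" or "%2$n" each
 * count as one directive. A dangling '%' at the end of the string is
 * ignored rather than read past. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;                                   /* look past the '%' */
        if (*p == '%')
            continue;                          /* "%%": literal percent */
        while (*p && strchr("-+ #0", *p))
            p++;                               /* flags */
        while (*p && (isdigit((unsigned char)*p) || *p == '*' ||
                      *p == '.' || *p == '$'))
            p++;                               /* width / precision / positional */
        while (*p && strchr("hlLqjzt", *p))
            p++;                               /* length modifiers */
        if (*p == '\0')
            break;                             /* dangling '%' at end of string */
        if (strchr("diouxXeEfgGaAcspn", *p))
            n++;                               /* conversion character found */
    }
    return n;
}

/* Detection hook: a request line carrying any format directive has no
 * legitimate reason to exist and is worth an alert even after the logger
 * has been fixed. Returns 1 if suspicious, 0 otherwise. */
int request_is_suspicious(const char *request)
{
    return count_format_directives(request) > 0;
}

int main(void)
{
    /* Constructed sample request strings (hypothetical paths, not real ePO URLs). */
    const char *samples[] = { "/Agent/log?id=42", "100%% done", "/%x%x%n" };
    char buf[LOG_MAX];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        log_request_safe(buf, sizeof buf, samples[i]);
        printf("%-18s directives=%d suspicious=%d logged as: %s\n",
               samples[i], count_format_directives(samples[i]),
               request_is_suspicious(samples[i]), buf);
    }
    return 0;
}
```

The hardened logger is the actual fix for this bug class; the directive counter is a secondary control for detection, since a format directive in a request line is never part of normal agent traffic and a run of them preceding a service crash in the event log is the signature the advisory describes.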


Vendor Response:

Initial contact: May, 2002

The vendor has made a patch available. It is not directly
downloadable. Call to request the patch. It is delivered via
email.

http://www.nai.com/naicommon/aboutnai/contact/intro.asp#software-support


@stake Recommendation:

If you have a support contract and are eligible for the patch you
should request it and install it.

If you cannot patch, you should consider host-based filtering so
that only the network management systems that need to communicate
with the hosts running ePO can connect on TCP port 8081. This
requires a host-based firewall.

When deploying new security products within the enterprise,
organizations should understand the risks that new security
solutions may introduce. Does the service need to be running as
the SYSTEM user? Does the service need to be accessed anonymously
from any machine?

In addition to the remote execution of arbitrary code issue, there
is an information disclosure issue that can be mitigated by
host-based network filtering.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

CAN-2002-0690 McAfee ePolicy Orchestrator Format String


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc


@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.


Copyright 2003 @stake, Inc. All rights reserved.