what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atstake Security Advisory 03-07-31.1

Atstake Security Advisory 03-07-31.1
Posted Aug 5, 2003
Authored by Atstake, Andreas Junestam | Site atstake.com

Atstake Security Advisory A073103-1 - Three vulnerabilities exist in the McAfee Security ePolicy Orchestrator Server and Agent that allow an attacker to anonymously execute arbitrary code.

tags | advisory, arbitrary, vulnerability
advisories | CVE-2003-0148, CVE-2003-0149, CVE-2003-0616
SHA-256 | 39c4da258d3c16be42e6d5d36b203ec57d8400c5e932a4dfde6e4c3688971f66

Atstake Security Advisory 03-07-31.1

Change Mirror Download
Hash: SHA1

@stake, Inc.

Security Advisory

Advisory Name: ePolicy Orchestrator multiple vulnerabilities
Release Date: 07/31/2003
Application: McAfee ePolicy Orchestrator 2.X and 3.0
Platform: Windows
Severity: Remote code execution
Author: Andreas Junestam [andreas@atstake.com]
Vendor Status: Vendor had bulletin and patch
CVE Candidate: CAN-2003-0148, CAN-2003-0149, CAN-2003-0616
Reference: www.atstake.com/research/advisories/2003/a073103-1.txt


McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/ products/epolicy/default-desktop-
protection.asp [line wrapped]) is an enterprise antivirus management
tool. ePolicy Orchestrator is a policy driven deployment and
reporting tool for enterprise administrators to effectivley manage
their desktop and server antivirus products.

Three vulnerabilities exist in the ePolicy Server and Agent
that allows an attacker to anonymously execute arbitrary code. To
attack a machine running ePO, an attacker would typically need to
be located within the corporate firewall and be able to connect over
the network to the host they wish to compromise. Once one of the
vulnerability is successfully exploited the attacker can execute
arbitrary code under the privileges used by ePO. SYSTEM is the


The ePolicy Orchestrator (ePO) is built upon a client / server
solution with Agents running on all client hosts. This allows all
installation and administration of antivirus software to be
centralized to one host. To achive this, ePO relies on three parts:
Server, Agents and MSDE (to store configuration information). All
services are by default installed to run as SYSTEM on the host and
thus can be used to either elevate local privileges or remotely
compromise the host.

@stake has discovered 3 different vulnerabilities in the ePO
solution. 2 vulnerabilies concern the server and 1 concerns
the agent.

Server Issue #1

MSDE SA account compromise - This vulnerability applies to ePO 2.X
and 3.0 and is divided up into 3 different parts, that combined
allows an attacker to execute code on the host.

Information disclosure - By issuing a properly formatted HTTP
request to the ePO Server, it will respond with the server config
file. This config file contains username and encrypted password
for the database administrator of the MSDE installation.

Weak cryptography implementation - The encrypted password stored
in the ePO Server config file is encrypted with a DES variant and a
secret key. The secret key is stored in a dll, making decryption of
the password an easy task.

Default MSDE installation - The installation of MSDE is not
hardened, so once the attacker has the database administrator
username and password, he can execute OS commands as SYSTEM
through xp_cmdshell.

Server Issue #2

ComputerList format string vulnerability - This vulnerability
applies to ePO 2.X. Sending a POST request to the Server where the
ComputerList parameter contains a few format characters will cause
the service to crash when it tries to log a failed name resolution.
A properly constucted malicious string containing format string
characters will allow the execution of arbitrary code.

Client Issue #1

ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X.
Sending a POST request to the Agent where parameters on the URL are
substituted by a large number of A's will cause the service to
crash. A properly formatted request will allow an attacker to
overwrite arbitrary data and thus execute code.

Vendor Response:

Initial contact: March 15, 2003
Confirmed issues: March 31, 2003
Fix available: July 31, 2003

NAI has released a bulletin and a patch that resolves these
issues. Bulletin:


@stake Recommendation:

When deploying new security products within the enterprise,
organizations should understand the risks that new security
solutions may introduce. Does the service need to be running as
the SYSTEM user? Does the service need to be accessed anonymously
from any machine? Usually the answer is no. Products should
be configured to use the least privilege required and only
send and recieve network data to the required machines.

@stake recommends installing the vendor patch.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues. These are candidates
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

CAN-2003-0148 ePolicy Orchestrator MSDE SA account compromise
CAN-2003-0149 ePolicy Orchestrator 2.x Post Parameters Heap Overflow
CAN-2003-0616 ePolicy Orchestrator 2.x Computerlist format string

@stake Vulnerability Reporting Policy:

@stake Advisory Archive:

PGP Key:

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

Version: PGP 8.0


Login or Register to add favorites

File Archive:

June 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    18 Files
  • 2
    Jun 2nd
    13 Files
  • 3
    Jun 3rd
    0 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    32 Files
  • 6
    Jun 6th
    39 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By