hi full-disclosure,

McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities

by cocoruder of FSRT (Fortinet Security Research Team)
hfli_at_fortinet.com

Summary:

Multiple remote buffer overflow vulnerabilities exist in the ActiveX control "SiteManager.dll" of McAfee ePolicy Orchestrator. A remote attacker who successfully exploits these vulnerabilities can take complete control of the affected system.

Affected Software Versions:

McAfee ePolicy Orchestrator 3.6.1
McAfee ePolicy Orchestrator 3.5 patch 6

Details:

1. Stack overflow in the "ExportSiteList()" method exported by "SiteManager.dll".

InprocServer32 : SiteManager.dll
ClassID        : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID         : SiteManager.SiteMgr.1
Function Name  : ExportSiteList

Passing a long string as the parameter of "ExportSiteList" causes a stack-based overflow: the parameter is copied with wcscpy into a fixed-size stack buffer with no length check. The related code follows (SiteManager.dll, version 3.6.1.166):

.text:5262B1DE ; func_ExportSiteList
.text:5262B1DE ; Attributes: bp-based frame
.text:5262B1DE
.text:5262B1DE ; int __stdcall sub_5262B1DE(int,wchar_t *,int)
.text:5262B1DE sub_5262B1DE proc near ; DATA XREF: .rdata:5265B504o
.text:5262B1DE                        ; .rdata:5265B614o
.text:5262B1DE
.text:5262B1DE var_414 = word ptr -414h
.text:5262B1DE var_20E = word ptr -20Eh
.text:5262B1DE var_20C = word ptr -20Ch
.text:5262B1DE var_4   = dword ptr -4
.text:5262B1DE arg_0   = dword ptr 8
.text:5262B1DE arg_4   = dword ptr 0Ch
.text:5262B1DE arg_8   = dword ptr 10h
.text:5262B1DE
.text:5262B1DE push    ebp
.text:5262B1DF mov     ebp, esp
.text:5262B1E1 sub     esp, 414h
.text:5262B1E7 mov     eax, dword_52670218 ; set stack cookie
.text:5262B1EC push    esi
.text:5262B1ED push    [ebp+arg_4]         ; lpSrcBuff (caller-controlled string)
.text:5262B1F0 mov     [ebp+var_4], eax
.text:5262B1F3 lea     eax, [ebp+var_20C]
.text:5262B1F9 push    eax                 ; lpDestBuff
.text:5262B1FA call    ds:wcscpy           ; stack overflow

2. Moreover, the following "swprintf" call in the same function also performs its copy without any length check. Even when the wcscpy above stays in bounds, the "%s\\%s" format appends "\SiteList.xml" to the copied string, so a directory argument that fits the first buffer can still overrun the second one:

.text:5262B257 push    ebx
.text:5262B258 push    edi
.text:5262B259 mov     edi, offset aSitelist_xml ; "SiteList.xml"
.text:5262B25E push    edi
.text:5262B25F lea     eax, [ebp+var_20C]
.text:5262B265 push    eax
.text:5262B266 lea     eax, [ebp+var_414]
.text:5262B26C push    offset aSS_0        ; "%s\\%s"
.text:5262B271 push    eax                 ; lpDestBuff
.text:5262B272 call    ds:swprintf         ; stack overflow

3. Stack overflow in the "VerifyPackageCatalog()" method exported by "SiteManager.dll".

InprocServer32 : SiteManager.dll
ClassID        : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID         : SiteManager.SiteMgr.1
Function Name  : VerifyPackageCatalog

Passing a long string as the parameter of "VerifyPackageCatalog" causes a stack-based overflow. The method starts a worker thread (part 1); the thread routine calls a helper that copies the parameter with wcscpy into a fixed-size stack buffer (part 2). The related code follows (SiteManager.dll, version 3.6.1.166):

part 1:

.text:5262CFAC func_VerifyPackageCatalog proc near
.text:5262CFAC
.text:5262CFAC mov     eax, offset loc_52649F86
.text:5262CFB1 call    __EH_prolog
...
.text:5262D00C lea     eax, [ebp-28h]
.text:5262D00F push    eax
.text:5262D010 push    ebx
.text:5262D011 push    esi
.text:5262D012 push    offset loc_5263AD1A ; thread start routine
.text:5262D017 push    ebx
.text:5262D018 push    ebx
.text:5262D019 call    ds:_beginthreadex

part 2:

.text:5263AD1A mov     eax, offset loc_5264B221
.text:5263AD1F call    __EH_prolog
...
.text:5263AD9A lea     ecx, [ebp-23Ch]
.text:5263ADA0 push    ecx
.text:5263ADA1 push    eax
.text:5263ADA2 mov     ecx, edi
.text:5263ADA4 call    sub_5263721F
                 |
                 |_____
.text:5263721F mov     eax, offset loc_5264AD1C
.text:52637224 call    __EH_prolog
.text:52637229 push    ecx
.text:5263722A mov     eax, 1774h
.text:5263722F call    __alloca_probe      ; 0x1774-byte stack frame
.text:52637234 mov     eax, dword_52670218
.text:52637239 mov     [ebp-14h], eax      ; set stack cookie
...
.text:5263731A push    dword ptr [ebp+8]   ; lpSrcBuff, "AAA..."
.text:5263731D lea     eax, [ebp-62Ch]
.text:52637323 push    eax                 ; lpDestBuff
.text:52637324 call    ds:wcscpy           ; stack overflow

Solution:

McAfee has released two patches and advisories, which are available at:

https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612495
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496

Disclosure Timeline:

2006.12.19 Submitted vulnerabilities 1 and 2 via security-alerts@mcafee.com
2006.12.19 Vendor responded
2006.12.30 Submitted vulnerability 3 via security-alerts@mcafee.com
2006.12.30 Vendor responded
2007.03.12 Vendor notified us that the patches were complete
2007.03.13 Coordinated public disclosure

Disclaimer:

Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. More specific information is available on request from Fortinet. Please note that Fortinet's product information does not constitute or contain any guarantee, warranty or legally binding representation, unless expressly identified as such in a duly signed writing.

Fortinet Security Research
secresearch@fortinet.com
http://www.fortinet.com

Best Regards,
hfli
hfli@fortinet.com
2007-03-14
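The following C program is an added example written for this page; it is not code from the advisory, from Fortinet or from McAfee. It models the two unchecked copies in ExportSiteList() using buffer sizes inferred from the frame layout quoted above: the buffer at var_20C runs up to the cookie at var_4 and the buffer at var_414 runs up to var_20C, so each is 0x208 bytes, i.e. 260 UTF-16 code units (MAX_PATH). That inference, the EPO_* names, the helper functions and the sample directory string are the example's own assumptions. It shows at which argument length each copy overruns its buffer (the swprintf overruns first, from 247 code units, well before the wcscpy does at 260) and a hardened equivalent that validates the length before copying and uses only bounded writes.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Assumed sizes, inferred from the IDA frame in the advisory: [ebp+var_20C]
 * runs up to the cookie at [ebp+var_4], [ebp+var_414] runs up to var_20C, so
 * each buffer is 0x208 bytes = 260 UTF-16 code units (MAX_PATH). Windows
 * wchar_t is 16-bit; we count code units, so the arithmetic is unchanged with
 * a 32-bit wchar_t on Linux. */
#define EPO_MAX_PATH 260
#define SITELIST_NAME L"SiteList.xml"
#define SITELIST_LEN  (sizeof(SITELIST_NAME) / sizeof(wchar_t) - 1)  /* 12 */

enum epo_status { EPO_OK = 0, EPO_ERR_NULL = 1, EPO_ERR_TOO_LONG = 2 };

/* Which unchecked copy in ExportSiteList() first writes past its buffer for a
 * directory argument of dir_len code units: 0 = neither, 1 = the wcscpy into
 * the 260-unit buffer, 2 = the swprintf("%s\\%s") into the second one. */
int export_site_list_overflow_point(size_t dir_len)
{
    if (dir_len + 1 > EPO_MAX_PATH)                     /* dir + NUL */
        return 1;
    if (dir_len + 1 + SITELIST_LEN + 1 > EPO_MAX_PATH)  /* dir + '\\' + name + NUL */
        return 2;
    return 0;
}

/* Length of s, scanning at most limit code units (never reads past a short buffer). */
static size_t bounded_len(const wchar_t *s, size_t limit)
{
    size_t i = 0;
    while (i < limit && s[i] != L'\0')
        i++;
    return i;
}

/* Hardened equivalent: reject over-long input before any copy and use only
 * bounded writes. Writes "<dir>\SiteList.xml" into out (out_len code units). */
int export_site_list_safe(const wchar_t *dir_arg, wchar_t *out, size_t out_len)
{
    wchar_t dir[EPO_MAX_PATH];
    wchar_t path[EPO_MAX_PATH];
    size_t dir_len;
    int n;

    if (dir_arg == NULL || out == NULL)
        return EPO_ERR_NULL;

    dir_len = bounded_len(dir_arg, EPO_MAX_PATH);
    if (dir_len >= EPO_MAX_PATH)                 /* would not fit with its NUL */
        return EPO_ERR_TOO_LONG;
    wmemcpy(dir, dir_arg, dir_len + 1);

    /* C99 swprintf takes the destination size and returns a negative value
     * instead of overflowing; the count-less legacy swprintf the DLL calls
     * has no such bound. */
    n = swprintf(path, EPO_MAX_PATH, L"%ls\\%ls", dir, SITELIST_NAME);
    if (n < 0 || (size_t)n >= EPO_MAX_PATH)
        return EPO_ERR_TOO_LONG;

    if (out_len < (size_t)n + 1)
        return EPO_ERR_TOO_LONG;
    wmemcpy(out, path, (size_t)n + 1);
    return EPO_OK;
}

/* Status the hardened function returns for a constructed argument of len 'A's. */
int status_for_run_of_a(size_t len)
{
    wchar_t arg[4096];
    wchar_t out[EPO_MAX_PATH];
    if (len >= sizeof(arg) / sizeof(arg[0]))
        len = sizeof(arg) / sizeof(arg[0]) - 1;
    wmemset(arg, L'A', len);
    arg[len] = L'\0';
    return export_site_list_safe(arg, out, EPO_MAX_PATH);
}

/* 1 if a normal (constructed) directory argument yields the expected path, else 0. */
int short_input_matches(void)
{
    wchar_t out[EPO_MAX_PATH];
    if (export_site_list_safe(L"C:\\ePO\\DB", out, EPO_MAX_PATH) != EPO_OK)
        return 0;
    return wcscmp(out, L"C:\\ePO\\DB\\SiteList.xml") == 0;
}

int main(void)
{
    printf("overflow point for 246/247/260 units: %d %d %d\n",
           export_site_list_overflow_point(246),
           export_site_list_overflow_point(247),
           export_site_list_overflow_point(260));
    printf("hardened: short ok=%d, 250 A's=%d, 3000 A's=%d\n",
           short_input_matches(), status_for_run_of_a(250),
           status_for_run_of_a(3000));
    return 0;
}
```

The point of export_site_list_overflow_point() is that fixing only the wcscpy (the copy the advisory lists first) would not be enough: the format string adds 13 code units and a terminator, so the second buffer is overrun by any argument of 247 code units or more. The hardened version therefore checks the final formatted length, not just the length of the argument.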