From advisories@atstake.com Thu Mar 20 02:04:11 2003
From: "@stake Advisories"
To: vulnwatch@vulnwatch.org
Date: Mon, 17 Mar 2003 09:31:58 -0500
Subject: [VulnWatch] ePolicy Orchestrator Format String Vulnerability (a031703-1)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                              @stake, Inc.
                            www.atstake.com

                           Security Advisory

Advisory Name: ePolicy Orchestrator Format String Vulnerability
 Release Date: 03/17/2003
  Application: McAfee ePolicy Orchestrator 2.5.1
     Platform: Windows 2000 Server SP1
               Windows 2000 Pro SP1
     Severity: There is a format string vulnerability that leads to
               the remote execution of code as SYSTEM.
      Authors: Ollie Whitehouse [ollie@atstake.com]
               Andreas Junestam [andreas@atstake.com]
Vendor Status: Vendor has patch available
CVE Candidate: CAN-2002-0690
    Reference: www.atstake.com/research/advisories/2003/a031703-1.txt

Overview:

McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/products/epolicy/default-desktop-protection.asp)
is an enterprise antivirus management tool. ePolicy Orchestrator is a
policy-driven deployment and reporting tool that lets enterprise
administrators effectively manage their desktop and server antivirus
products.

There is a vulnerability in the processing of network requests that
allows an attacker to anonymously execute arbitrary code. To attack a
machine running ePO, an attacker would typically need to be located
within the corporate firewall with access to TCP port 8081 on the host
they wish to compromise. Once the vulnerability is successfully
exploited, the attacker gains SYSTEM-level privileges on the host.

This is a good example of why you should perform a risk analysis of
all new solutions being introduced into your environment, even when
the product is designed to enhance your overall security.
Details:

The ePolicy Orchestrator Agent is a service that allows the retrieval
of log data. It should be noted that the Agent does not require
password authentication to gain access, and it allows the retrieval of
sensitive information (i.e. the source AV server, local paths, etc.).
By default the agent runs as SYSTEM on the host and thus can be used
either to elevate local privileges or to remotely compromise the host.

The ePO agent uses the HTTP protocol to communicate on port 8081.
Sending a GET request with a request string containing a few format
string characters will cause the service to terminate. An event will
be written to the event log detailing the crash. A properly
constructed malicious string containing format string characters will
allow the execution of arbitrary code.

Vendor Response:

Initial contact: May, 2002

The vendor has made a patch available. It is not directly
downloadable. Call to request the patch. It is delivered via email.

Contact information:
http://www.nai.com/naicommon/aboutnai/contact/intro.asp#software-support

@stake Recommendation:

If you have a support contract and are eligible for the patch, you
should request it and install it.

If you cannot patch, you should consider host-based filtering so that
only the network management systems that need to communicate with the
hosts running ePO can connect on TCP port 8081. This requires a
host-based firewall.

When deploying new security products within the enterprise,
organizations should understand the risks that new security solutions
may introduce. Does the service need to be running as the SYSTEM user?
Does the service need to be accessed anonymously from any machine?

In addition to the remote execution of arbitrary code issue, there is
an information disclosure issue that can be mitigated by host-based
network filtering.
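The defect class the Details section describes (a request string reaching a printf-family call as the format argument, CWE-134) is illustrated here with an added C example. It is not code from @stake or McAfee and bears no relation to the ePO agent's actual source; the function names, the sample request lines and the assumption that the agent speaks plain HTTP/1.0 request lines are all constructed for this illustration. It shows the hardened logging shape beside a comment describing the vulnerable one, and a small check that counts conversion directives in a request line, which is the property a defender would look for when reviewing logs for the crash-inducing requests the advisory mentions.

```c
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

/*
 * Constructed sample request lines (not captured traffic). Assumption: the
 * agent receives ordinary HTTP request lines on TCP 8081, as the advisory says.
 */
static const char *SAMPLE_REQUESTS[] = {
    "GET /Agent/log HTTP/1.0",                  /* benign */
    "GET /%x%x%x%x HTTP/1.0",                   /* four conversion directives */
    "GET /path%%20with%%20escapes HTTP/1.0",    /* "%%" is a literal percent */
};

/*
 * Count printf-style conversion directives in a string: every '%' that is not
 * part of a "%%" escape. Any request line carrying such directives would be
 * interpreted, rather than copied, if it were ever used as a format string.
 */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints a single '%' and is harmless */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Log-review helper: true when a request line carries conversion directives. */
bool is_format_string_probe(const char *request)
{
    return count_format_directives(request) > 0;
}

/*
 * Hardened logging. The vulnerable shape of this function would be
 *     snprintf(out, outlen, request);      // attacker text IS the format
 * which lets every '%' in the request drive snprintf's argument parsing and
 * is exactly how a crafted request crashes the service or worse. The fix is
 * a fixed format string with the request passed as a %s argument: directives
 * in the request are then copied verbatim and never interpreted.
 * Returns the length snprintf would have written, as snprintf does.
 */
int format_request_log(char *out, size_t outlen, const char *request)
{
    return snprintf(out, outlen, "ePO agent request: %s", request);
}

int main(void)
{
    char line[256];
    size_t count = sizeof SAMPLE_REQUESTS / sizeof SAMPLE_REQUESTS[0];
    for (size_t i = 0; i < count; i++) {
        format_request_log(line, sizeof line, SAMPLE_REQUESTS[i]);
        printf("%s  [directives=%d probe=%s]\n", line,
               count_format_directives(SAMPLE_REQUESTS[i]),
               is_format_string_probe(SAMPLE_REQUESTS[i]) ? "yes" : "no");
    }
    return 0;
}
```

The check deliberately treats "%%" as benign, since a doubled percent is the one form that a printf-family function renders literally; everything else after a lone '%' is interpreted. Building with -Wformat-security (and -Werror=format-security where the toolchain supports it) rejects the vulnerable shape at compile time, which is the cheapest place to catch this class.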
Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

  CAN-2002-0690  McAfee ePolicy Orchestrator Format String

@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

iQA/AwUBPnXZuEe9kNIfAm4yEQIStwCfT5YS5dckLOLmowF0eH6dxnFdQlYAoLsL
03RASV2cRXv/Pmf7bILYWSa6
=q0ko
-----END PGP SIGNATURE-----