[THIN] FW: ePolicy Orchestrator multiple vulnerabilities
- From: "Chris Lynch" <lynch00@xxxxxxx>
- To: <THIN@xxxxxxxxxx>, <thin@xxxxxxxxxxxxx>
- Date: Thu, 31 Jul 2003 13:48:19 -0700
FYI... As I know that there are some users here that have ePolicy
running.
Chris
-----Original Message-----
From: @stake Advisories [mailto:advisories@xxxxxxxxxxx]
Sent: Thursday, July 31, 2003 10:58 AM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: ePolicy Orchestrator multiple vulnerabilities
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: ePolicy Orchestrator multiple vulnerabilities
Release Date: 07/31/2003
Application: McAfee ePolicy Orchestrator 2.X and 3.0
Platform: Windows
Severity: Remote code execution
Author: Andreas Junestam [andreas@xxxxxxxxxxx]
Vendor Status: Vendor had bulletin and patch
CVE Candidate: CAN-2003-0148, CAN-2003-0149, CAN-2003-0616
Reference: www.atstake.com/research/advisories/2003/a073103-1.txt
Overview:
McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/products/epolicy/default-desktop-protection.asp) is an
enterprise antivirus management tool. ePolicy Orchestrator is a policy
driven deployment and reporting tool for enterprise administrators to
effectively manage their desktop and server antivirus products.
Three vulnerabilities exist in the ePolicy Server and Agent that allow an
attacker to anonymously execute arbitrary code. To attack a machine running
ePO, an attacker would typically need to be located within the corporate
firewall and be able to connect over the network to the host they wish to
compromise. Once one of the vulnerabilities is successfully exploited, the
attacker can execute arbitrary code under the privileges used by ePO. SYSTEM
is the default.
Details:
The ePolicy Orchestrator (ePO) is built upon a client / server solution
with Agents running on all client hosts. This allows all installation and
administration of antivirus software to be centralized to one host. To
achieve this, ePO relies on three parts:
Server, Agents and MSDE (to store configuration information). All services
are by default installed to run as SYSTEM on the host and thus can be used
to either elevate local privileges or remotely compromise the host.
@stake has discovered 3 different vulnerabilities in the ePO solution. 2
vulnerabilities concern the server and 1 concerns the agent.
Server Issue #1
MSDE SA account compromise - This vulnerability applies to ePO 2.X and 3.0
and is divided up into 3 different parts, that combined allows an attacker
to execute code on the host.
Information disclosure - By issuing a properly formatted HTTP request to the
ePO Server, it will respond with the server config file. This config file
contains username and encrypted password for the database administrator of
the MSDE installation.
Weak cryptography implementation - The encrypted password stored in the ePO
Server config file is encrypted with a DES variant and a secret key. The
secret key is stored in a dll, making decryption of the password an easy
task.
Default MSDE installation - The installation of MSDE is not hardened, so
once the attacker has the database administrator username and password, he
can execute OS commands as SYSTEM through xp_cmdshell.
Server Issue #2
ComputerList format string vulnerability - This vulnerability applies to ePO
2.X. Sending a POST request to the Server where the ComputerList parameter
contains a few format characters will cause the service to crash when it
tries to log a failed name resolution.
A properly constructed malicious string containing format string characters
will allow the execution of arbitrary code.
Client Issue #1
ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X.
Sending a POST request to the Agent where parameters on the URL are
substituted by a large number of A's will cause the service to crash. A
properly formatted request will allow an attacker to overwrite arbitrary
data and thus execute code.
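A defender-side heuristic that flags the two request shapes described under Server Issue #2 and Client Issue #1 (format specifiers in a ComputerList POST parameter, oversized single-character filler in Agent POST parameters). This is an added example, not part of the @stake advisory or McAfee's code; the request layout (urlencoded parameters in the query string or body), the endpoint paths and the 256-byte length ceiling are assumptions.

```python
"""Heuristic detector for the two ePO 2.x request shapes the advisory names.
Added example, not @stake's or McAfee's code; endpoint paths, urlencoded
parameter layout and the 256-byte ceiling are assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl

# printf-style conversion specifier, e.g. %x, %08x, %n, %hn, %5$s
FMT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|q|L)?[diouxXeEfgGcspn]")
FILLER = re.compile(r"(.)\1{63,}")   # 64+ repeats of one character ("AAAA...")
MAX_PARAM_LEN = 256                  # assumption: legitimate ePO values are short

def parse_params(raw):
    """Split a raw HTTP request into (method, [(name, value), ...]); parameters
    come from the query string and, for a urlencoded body, from the body too."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split(" ")[:2]
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params += parse_qsl(body, keep_blank_values=True)
    return method.upper(), params

def inspect_request(raw):
    """Return (rule, parameter, detail) findings; an empty list means clean."""
    method, params = parse_params(raw)
    findings = []
    if method != "POST":             # both issues are triggered by POSTs
        return findings
    for name, value in params:
        if name.lower() == "computerlist":
            specs = FMT_SPEC.findall(value)
            if specs:
                findings.append(("computerlist_format_string", name, " ".join(specs)))
        if len(value) > MAX_PARAM_LEN or FILLER.search(value):
            findings.append(("oversized_parameter", name, f"len={len(value)}"))
    return findings

# Constructed sample requests (hypothetical paths), not captured traffic.
URLENC = "Content-Type: application/x-www-form-urlencoded\r\n"
BENIGN = "POST /server HTTP/1.0\r\n" + URLENC + "\r\nComputerList=host1,host2"
FMT_ATTEMPT = "POST /server HTTP/1.0\r\n" + URLENC + "\r\nComputerList=%25x%25x%25n"
OVERSIZED = "POST /agent?Param=" + "A" * 300 + " HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for req in (BENIGN, FMT_ATTEMPT, OVERSIZED):
        print(req.split("\r\n")[0][:40], "->", inspect_request(req))
```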
Vendor Response:
Initial contact: March 15, 2003
Confirmed issues: March 31, 2003
Fix available: July 31, 2003
NAI has released a bulletin and a patch that resolves these issues.
Bulletin:
http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp
@stake Recommendation:
When deploying new security products within the enterprise, organizations
should understand the risks that new security solutions may introduce. Does
the service need to be running as the SYSTEM user? Does the service need to
be accessed anonymously from any machine? Usually the answer is no.
Products should be configured to use the least privilege required and only
send and receive network data to the required machines.
@stake recommends installing the vendor patch.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
following names to these issues. These are candidates for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems.
CAN-2003-0148 ePolicy Orchestrator MSDE SA account compromise
CAN-2003-0149 ePolicy Orchestrator 2.x Post Parameters Heap Overflow
CAN-2003-0616 ePolicy Orchestrator 2.x Computerlist format string
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive:
http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
@stake is currently seeking application security experts to fill several
consulting positions. Applicants should have strong application development
skills and be able to perform application security design reviews, code
reviews, and application penetration testing. Please send resumes to
jobs@xxxxxxxxxxxx
Copyright 2003 @stake, Inc. All rights reserved.