SecurityTracker.com
Category:  Application (Security)  >  ePolicy Orchestrator
Vendors:  McAfee
McAfee ePolicy Orchestrator Format String Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019609
SecurityTracker URL:  http://securitytracker.com/id?1019609
CVE Reference:  CVE-2008-1357
Updated:  Mar 19 2008
Original Entry Date:  Mar 13 2008
Impact:  Execution of arbitrary code via network, User access via network
Exploit Included:  Yes
Vendor Confirmed:  Yes
Version(s): Management Agent 4.0, Common Management Agent 3.6.0.574 (Patch 3) and prior versions
Description:  A vulnerability was reported in McAfee ePolicy Orchestrator. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can send specially crafted data to trigger a format string flaw in 'nailog2.dll' and potentially execute arbitrary code on the target system. The code will run with the privileges of the target service.

A specially crafted sender, package, or computer field can trigger the flaw.

The system is vulnerable only when the debug level is set to 8, which is not the default configuration.

The vulnerability resides in the Common Management Agent component.

A demonstration exploit is available at:

http://aluigi.org/poc/meccaffi.zip

Luigi Auriemma reported this vulnerability.

Impact:  A remote user can execute arbitrary code on the target user's system.
Solution:  No solution was available at the time of this entry. The vendor plans to issue a fix.

As a workaround, you can set the debug log level to 7 (default) or lower.

The vendor's advisory is available at:

https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=615103&sliceId=SAL_Public

Vendor URL:  knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=615103&sliceId=SAL_Public
Cause:  Input validation error, State error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)
Reported By:  Luigi Auriemma <aluigi@autistici.org>
Message History:   None.


 Source Message Contents

Date:  Wed, 12 Mar 2008 20:33:28 +0100
From:  Luigi Auriemma <aluigi@autistici.org>
Subject:  [Full-disclosure] Format string in McAfee Framework 3.6.0.569


 

#######################################################################

                             Luigi Auriemma

Application:  McAfee Framework
              (implemented in McAfee ePolicy Orchestrator 4.0
              http://www.mcafee.com/us/enterprise/products/system_security_management/epolicy_orchestrator.html)
Versions:     <= 3.6.0.569
Platforms:    Windows
Bug:          format string in _naimcomn_Log
Exploitation: remote
Date:         12 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

McAfee Framework is a framework used for building various services for
the McAfee products. These services include HTTP servers and agents
implemented, for example, in McAfee ePolicy Orchestrator and possibly
other products.

#######################################################################

======
2) Bug
======

The logDetail function of applib.dll (which is just a link to
naimcomn_LogDetailW -> _naimcomn_Log in nailog2.dll) is used for adding
new log entries and is affected by a format string vulnerability caused
by the calling of vsnwprintf without the needed format argument.

In McAfee ePolicy Orchestrator this vulnerability can be exploited
through the sending of a simple UDP packet with a malformed sender,
package or computer field.

The output log file Agent_HOSTNAME.log is located in the Db folder.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/meccaffi.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
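The root cause named in the message above (caller-supplied text reaching the format position of a printf-family call) shown beside its fix, as an added example that is not code from the advisory, the reporter or McAfee. `log_vulnerable`, `log_fixed` and `count_conversions` are hypothetical names, narrow-character `vsnprintf` stands in for the wide-character call, and the sample field is constructed and uses only `%%`, which consumes no arguments.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the flawed logging helper: the text to be
 * logged is handed to vsnprintf as the FORMAT, so any '%' in it is parsed. */
static int log_vulnerable(char *out, size_t n, const char *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    int r = vsnprintf(out, n, msg, ap);   /* untrusted data in format slot */
    va_end(ap);
    return r;
}

/* Hardened form: the format is a constant and the untrusted field is
 * only ever passed as an argument, so it is copied verbatim. */
static int log_fixed(char *out, size_t n, const char *field)
{
    return snprintf(out, n, "%s", field);
}

/* Detection aid for received fields (sender, package, computer): count
 * conversion specifications. "%%" is a literal percent and is not counted. */
static int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    const char *field = "host-100%%";   /* constructed sample field */
    char a[64], b[64];

    log_vulnerable(a, sizeof a, field); /* "%%" collapses: data was parsed */
    log_fixed(b, sizeof b, field);      /* field is logged unchanged */
    printf("vulnerable: %s\nfixed:      %s\n", a, b);
    printf("conversions in field: %d\n", count_conversions(field));
    return 0;
}
```

A field that logs differently through the two paths was interpreted as a format string; a non-zero `count_conversions` result on a name field is a reasonable signal to reject or flag the packet before it reaches the logger.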



Copyright 2007, SecurityGlobal.net LLC