Category:   Application (Security)  >   McAfee ePolicy Orchestrator
Vendors:   McAfee
McAfee ePolicy Orchestrator Format String Bug Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019609
SecurityTracker URL:  http://securitytracker.com/id/1019609
CVE Reference:   CVE-2008-1357   (Links to External Site)
Updated:  Mar 19 2008
Original Entry Date:  Mar 13 2008
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): Management Agent 4.0, Common Management Agent 3.6.0.574 (Patch 3) and prior versions
Description:   A vulnerability was reported in McAfee ePolicy Orchestrator. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can send specially crafted data to trigger a format string flaw in 'nailog2.dll' and potentially execute arbitrary code on the target system. The code will run with the privileges of the target service.

A specially crafted sender, package, or computer field can trigger the flaw.

The system is vulnerable only when the debug level is set to 8 (not the default configuration).

The vulnerability resides in the Common Management Agent component.

A demonstration exploit is available at:

http://aluigi.org/poc/meccaffi.zip

Luigi Auriemma reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry. The vendor plans to issue a fix.

As a workaround, you can set the debug log level to 7 (default) or lower.

The vendor's advisory is available at:

https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=615103&sliceId=SAL_Public

Vendor URL:  knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=615103&sliceId=SAL_Public (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] Format string in McAfee Framework 3.6.0.569


#######################################################################

                             Luigi Auriemma

Application:  McAfee Framework
              (implemented in McAfee ePolicy Orchestrator 4.0
              http://www.mcafee.com/us/enterprise/products/system_security_management/epolicy_orchestrator.html)
Versions:     <= 3.6.0.569
Platforms:    Windows
Bug:          format string in _naimcomn_Log
Exploitation: remote
Date:         12 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


McAfee Framework is a framework used for building various services for
the McAfee products.
These services include HTTP servers and agents implemented, for
example, in McAfee ePolicy Orchestrator and possibly other products.


#######################################################################

======
2) Bug
======


The logDetail function of applib.dll (which is just a link to
naimcomn_LogDetailW -> _naimcomn_Log in nailog2.dll) is used for adding
new log entries and is affected by a format string vulnerability caused
by the calling of vsnwprintf without the needed format argument.

In McAfee ePolicy Orchestrator this vulnerability can be exploited
through the sending of a simple UDP packet with a malformed sender,
package or computer field. The output log file Agent_HOSTNAME.log is
located in the Db folder.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/meccaffi.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
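
The bug class described in the message above, shown as an added example (not code from McAfee, the advisory, or the original post): a logging wrapper that uses a network-supplied field as the format string, next to the corrected form that passes it only as data. The function names are hypothetical, and standard `vsnprintf` stands in for the wide-character `vsnwprintf` call named in the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a logging core: formats one entry into buf. */
static int log_core(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Flawed pattern: the untrusted field is used as the format itself,
   so any conversion specification in it is interpreted by the formatter. */
int log_field_unsafe(char *buf, size_t n, const char *field)
{
    return log_core(buf, n, field);
}

/* Corrected pattern: fixed format, field passed only as an argument. */
int log_field_safe(char *buf, size_t n, const char *field)
{
    return log_core(buf, n, "%s", field);
}

/* Defensive check: count conversion specifications in an untrusted field.
   "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    char a[64], b[64];
    const char *field = "host-50%%";  /* constructed sample field */
    log_field_unsafe(a, sizeof a, field);  /* formatter rewrites the field */
    log_field_safe(b, sizeof b, field);    /* field is logged verbatim */
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    printf("conversions in \"node-%%x\": %d\n", count_conversions("node-%x"));
    return 0;
}
```

The sample field contains only an escaped percent sign, so the flawed path stays well defined while still showing that the formatter interprets the field instead of logging it verbatim.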
