Code injection through McAfee's ePolicy Orchestrator
Attackers can write arbitrary files with arbitrary content to systems running McAfee's ePolicy Orchestrator (EPO) and thereby gain access with system-level privileges. EPO handles the management and remote maintenance of McAfee's enterprise products. Security service provider eEye has found a directory-traversal vulnerability in EPO's Framework Services, which are enabled in the default configuration and listen for HTTP requests on port 8081.
The Framework Services accept POST requests. These carry a header with a length field, a UUID and the computer's host name. A PropsResponse request can additionally specify a directory, a filename and the file content in the packet. Because the directory and filename are checked defectively, attackers can prepend "../" to the path and use directory traversal to create arbitrary files on the system with content of their choosing. EPO normally deletes this file immediately after using it, but attackers can prevent the deletion by entering in the length field a value larger than the number of bytes of file content the packet actually carries.
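The two defective checks the advisory describes, a path check that lets "../" (or "..\") escape the target directory and a length field that is trusted over the bytes actually present, are illustrated below with a hardened validation routine. This is an added example, not McAfee's or eEye's code; the base directory, the field names and the sample messages are constructed for the demonstration and are not taken from the advisory.

```python
import posixpath

# Hypothetical directory the agent writes PropsResponse files into; the
# advisory does not name the real path, so this is only a placeholder.
BASE_DIR = "/opt/epo/agent/props"


def resolve_under_base(base_dir: str, directory: str, filename: str):
    """Return the normalized target path if it stays inside base_dir, else None.

    Backslashes count as separators because the affected agent runs on Windows.
    The comparison uses the separator-terminated base so that a sibling such as
    ".../props2" is not mistaken for a child of ".../props".
    """
    if not filename or "\x00" in directory + filename:
        return None
    rel = "/".join(part.replace("\\", "/") for part in (directory, filename))
    rel = rel.lstrip("/")  # an absolute client-supplied path must not escape the base
    base = posixpath.normpath(base_dir.replace("\\", "/"))
    target = posixpath.normpath(posixpath.join(base, rel))
    if not target.startswith(base + "/"):
        return None  # "..", "." and traversal out of the base all end up here
    return target


def validate_props_response(msg: dict, base_dir: str = BASE_DIR):
    """Check a parsed PropsResponse (constructed field names) before writing it.

    Returns (accepted, reason_or_path). The path must resolve below base_dir,
    and the declared length must equal the bytes actually carried, so a padded
    length cannot leave the write (and the later clean-up) in an inconsistent state.
    """
    target = resolve_under_base(base_dir, msg["directory"], msg["filename"])
    if target is None:
        return False, "path escapes base directory"
    if msg["declared_length"] != len(msg["content"]):
        return False, "declared length does not match payload"
    return True, target


# Constructed sample messages (not captured traffic)
GOOD = {"directory": "host01", "filename": "props.xml",
        "content": b"<props/>", "declared_length": 8}
TRAVERSAL = {"directory": "..\\..\\Windows\\System32", "filename": "x.dll",
             "content": b"MZ", "declared_length": 2}
PADDED = {"directory": "host01", "filename": "props.xml",
          "content": b"<props/>", "declared_length": 4096}
```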
The vulnerability affects ePolicy Orchestrator and the ePolicy Orchestrator Agent in version 3.5.0.x and possibly earlier versions as well. McAfee closes the hole in version 3.5.5 and later, which registered users can download from the vendor.
- McAfee ePolicy Orchestrator Remote Compromise, security advisory at eEye
- Download of the patched version (registration required)