Full Disclosure mailing list archives

[Advisory] McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities
From: "hfli" <hfli () fortinet com>
Date: Wed, 14 Mar 2007 10:04:46 +0800

hi full-disclosure,

McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities

by cocoruder of FSRT(Fortinet Security Research Team)
hfli_at_fortinet.com


Summary:

    Multiple remote buffer overflow vulnerabilities exist in the ActiveX control "SiteManager.Dll" of McAfee 
ePolicy Orchestrator. A remote attacker who successfully exploits these vulnerabilities can take complete control of 
the affected system.


Affected Software Versions:

    McAfee ePolicy Orchestrator 3.6.1
    McAfee ePolicy Orchestrator 3.5 patch 6



Details:
    
    1. Stack overflow in the "ExportSiteList()" method exposed by "SiteManager.dll".

    InprocServer32:     SiteManager.dll
    ClassID       :     4124FDF6-B540-44C5-96B4-A380CEE9826A
    ProgID        :     SiteManager.SiteMgr.1
    Function Name :     ExportSiteList

    When the parameter of "ExportSiteList" is set to a long string, a stack-based overflow occurs. The following 
is the related code:
    (SiteManager.dll,version=3.6.1.166)

        .text:5262B1DE ; func_ExportSiteList
        .text:5262B1DE ; Attributes: bp-based frame
        .text:5262B1DE
        .text:5262B1DE ; int __stdcall sub_5262B1DE(int,wchar_t *,int)
        .text:5262B1DE sub_5262B1DE    proc near                        ; DATA XREF: .rdata:5265B504o
        .text:5262B1DE                                                  ; .rdata:5265B614o
        .text:5262B1DE
        .text:5262B1DE var_414         = word ptr -414h
        .text:5262B1DE var_20E         = word ptr -20Eh
        .text:5262B1DE var_20C         = word ptr -20Ch
        .text:5262B1DE var_4           = dword ptr -4
        .text:5262B1DE arg_0           = dword ptr  8
        .text:5262B1DE arg_4           = dword ptr  0Ch
        .text:5262B1DE arg_8           = dword ptr  10h
        .text:5262B1DE
        .text:5262B1DE                 push    ebp
        .text:5262B1DF                 mov     ebp, esp
        .text:5262B1E1                 sub     esp, 414h
        .text:5262B1E7                 mov     eax, dword_52670218      ; set stack cookie
        .text:5262B1EC                 push    esi
        .text:5262B1ED                 push    [ebp+arg_4]              ; lpSrcBuff
        .text:5262B1F0                 mov     [ebp+var_4], eax
        .text:5262B1F3                 lea     eax, [ebp+var_20C]
        .text:5262B1F9                 push    eax                      ; lpDestBuff
        .text:5262B1FA                 call    ds:wcscpy                ; stack overflow

    2. Moreover, the following "swprintf" call also performs its copy without any length check, as follows:

        .text:5262B257                 push    ebx
        .text:5262B258                 push    edi
        .text:5262B259                 mov     edi, offset aSitelist_xml ; "SiteList.xml"
        .text:5262B25E                 push    edi
        .text:5262B25F                 lea     eax, [ebp+var_20C]
        .text:5262B265                 push    eax
        .text:5262B266                 lea     eax, [ebp+var_414]
        .text:5262B26C                 push    offset aSS_0             ; "%s\\%s"
        .text:5262B271                 push    eax                      ; lpDestBuff (var_414)
        .text:5262B272                 call    ds:swprintf              ; stack overflow

    3. Stack overflow in the "VerifyPackageCatalog()" method exposed by "SiteManager.dll".

    InprocServer32:     SiteManager.dll
    ClassID       :     4124FDF6-B540-44C5-96B4-A380CEE9826A
    ProgID        :     SiteManager.SiteMgr.1
    Function Name :     VerifyPackageCatalog

    When the parameter of "VerifyPackageCatalog" is set to a long string, a stack-based overflow occurs. The 
following is the related code:
    (SiteManager.dll,version=3.6.1.166)

    part1:

        .text:5262CFAC func_VerifyPackageCatalog proc near      
        .text:5262CFAC                                          
        .text:5262CFAC           mov     eax, offset loc_52649F86
        .text:5262CFB1           call    __EH_prolog
        ...
        .text:5262D00C           lea     eax, [ebp-28h]
        .text:5262D00F           push    eax
        .text:5262D010           push    ebx
        .text:5262D011           push    esi
        .text:5262D012           push    offset loc_5263AD1A
        .text:5262D017           push    ebx
        .text:5262D018           push    ebx
        .text:5262D019           call    ds:_beginthreadex

    part2:

        .text:5263AD1A           mov     eax, offset loc_5264B221
        .text:5263AD1F           call    __EH_prolog
        .text:52637229           push    ecx
        .text:5263722A           mov     eax, 1774h
        .text:5263722F           call    __alloca_probe                         ; int
        .text:52637234           mov     eax, dword_52670218
        .text:52637239           mov     [ebp-14h], eax                         ; set stack-cookie
        ...
        .text:5263AD9A           lea     ecx, [ebp-23Ch]
        .text:5263ADA0           push    ecx
        .text:5263ADA1           push    eax
        .text:5263ADA2           mov     ecx, edi
        .text:5263ADA4           call    sub_5263721F
                |
                |_____  .text:5263721F           mov     eax, offset loc_5264AD1C
                        .text:52637224           call    __EH_prolog
                        ...
                        .text:5263731A           push    dword ptr [ebp+8]      ; lpSrcBuff,"AAA..."
                        .text:5263731D           lea     eax, [ebp-62Ch]
                        .text:52637323           push    eax                    ; lpDestBuff
                        .text:52637324           call    ds:wcscpy              ; stack overflow
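    The three sites above (the wcscpy/swprintf pair in ExportSiteList and the wcscpy in the worker thread spawned by VerifyPackageCatalog) share one pattern: a caller-controlled wide string is copied into a fixed-size stack buffer with no length check. The C code below is an added example, not McAfee's source and not part of this advisory; it reconstructs the ExportSiteList copy chain with buffer sizes inferred from the frame layout (var_20C..var_4 is 0x208 bytes, i.e. 260 wchar_t; var_414..var_20E is 0x206 bytes, i.e. 259 wchar_t; both are assumptions, since the disassembler names locals by access, not by declared size) and shows the bounds check and size-limited calls that would prevent the overflow. All function and constant names are invented for the example.

```c
#include <stdlib.h>
#include <wchar.h>

/* Buffer sizes inferred (assumed) from the ExportSiteList frame layout:
 * var_20C..var_4 = 0x208 bytes = 260 wchar_t, var_414..var_20E = 0x206
 * bytes = 259 wchar_t. Names are invented for this example. */
#define SITE_DIR_CHARS   260
#define SITE_PATH_CHARS  259
static const wchar_t SITE_LIST_FILE[] = L"SiteList.xml";

/* Length arithmetic for the two copies in the disassembly:
 *   wcscpy(var_20C, arg_4);
 *   swprintf(var_414, "%s\\%s", var_20C, "SiteList.xml");
 * Returns 1 if the first copy would overflow, 2 if only the second
 * would, 0 if both fit. Never performs a copy. */
int export_site_list_overflow(const wchar_t *site_dir)
{
    size_t dir_len = wcslen(site_dir);
    if (dir_len + 1 > SITE_DIR_CHARS)               /* wcscpy incl. terminator */
        return 1;
    size_t path_len = dir_len + 1 + wcslen(SITE_LIST_FILE); /* dir '\\' file */
    if (path_len + 1 > SITE_PATH_CHARS)             /* swprintf incl. terminator */
        return 2;
    return 0;
}

/* Same check for a constructed directory argument of n 'A' characters. */
int overflow_for_length(size_t n)
{
    wchar_t *s = malloc((n + 1) * sizeof(wchar_t));
    if (!s) return -1;
    for (size_t i = 0; i < n; i++) s[i] = L'A';
    s[n] = L'\0';
    int r = export_site_list_overflow(s);
    free(s);
    return r;
}

/* Hardened form: reject over-long input before any copy and use only
 * size-bounded calls. Returns 0 on success, -1 if the input does not fit;
 * out is always NUL-terminated. */
int build_site_list_path(const wchar_t *site_dir, wchar_t *out, size_t out_chars)
{
    if (out_chars == 0) return -1;
    out[0] = L'\0';
    if (export_site_list_overflow(site_dir) != 0)
        return -1;
    wchar_t dir[SITE_DIR_CHARS];
    wcsncpy(dir, site_dir, SITE_DIR_CHARS - 1);     /* bounded stand-in for wcscpy */
    dir[SITE_DIR_CHARS - 1] = L'\0';
    /* C99 swprintf takes the buffer size and fails instead of overflowing;
     * %ls is the standard-C wide specifier for the "%s" in the disassembly. */
    int n = swprintf(out, out_chars, L"%ls\\%ls", dir, SITE_LIST_FILE);
    if (n < 0 || (size_t)n >= out_chars) { out[0] = L'\0'; return -1; }
    return 0;
}

int main(void)
{
    wchar_t path[SITE_PATH_CHARS];
    /* "C:\ePO" fits both buffers; 300 'A's overflows the first copy;
     * 250 'A's fits var_20C but still overflows the swprintf target. */
    int ok = build_site_list_path(L"C:\\ePO", path, SITE_PATH_CHARS);
    return (ok == 0 && overflow_for_length(300) == 1
            && overflow_for_length(250) == 2) ? 0 : 1;
}
```

Under the assumed sizes the arithmetic confirms the advisory's second point: a directory argument of 246 to 259 characters survives the wcscpy into var_20C but, once "\SiteList.xml" is appended, exceeds var_414, so bounding only the first copy would not be enough; the check must cover the formatted result as well.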



Solution:
    
    McAfee has released two patches and advisories which are available on:

    https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612495
    https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496



Disclosure Timeline:

    2006.12.19          Submitted vul1 and vul2 via security-alerts () mcafee com
    2006.12.19          Vendor responded
    2006.12.30          Submitted vul3 via security-alerts () mcafee com
    2006.12.30          Vendor responded
    2007.03.12          Vendor notified us that the patches had been completed
    2007.03.13          Coordinated public disclosure



Disclaimer:

    Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.


Fortinet Security Research
secresearch () fortinet com
http://www.fortinet.com
        

Best Regards,
                                

        hfli
        hfli () fortinet com
          2007-03-14
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/