Format string in McAfee Framework 3.6.0.569 (ePolicy Orchestrator 4.0)

2008.03.17
Risk: High
Local: Yes
Remote: Yes
CWE: CWE-134


CVSS Base Score: 5.4/10
Impact Subscore: 6.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Complete

####################################################################### Luigi Auriemma Application: McAfee Framework (implemented in McAfee ePolicy Orchestrator 4.0 http://www.mcafee.com/us/enterprise/products/system_security_management/ epolicy_orchestrator.html) Versions: <= 3.6.0.569 Platforms: Windows Bug: format string in _naimcomn_Log Exploitation: remote Date: 12 Mar 2008 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== McAfee Framework is a framework used for building various services for the McAfee products. These services include HTTP servers and agents implemented, for example, in McAfee ePolicy Orchestrator and possibly other products. ####################################################################### ====== 2) Bug ====== The logDetail function of applib.dll (which is just a link to naimcomn_LogDetailW -> _naimcomn_Log in nailog2.dll) is used for adding new log entries and is affected by a format string vulnerability caused by the calling of vsnwprintf without the needed format argument. In McAfee ePolicy Orchestrator this vulnerability can be exploited through the sending of a simple UDP packet with a malformed sender, package or computer field. The output log file Agent_HOSTNAME.log is located in the Db folder. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/meccaffi.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top