Message-Id: <200703140204.l2E24htv014083@mail.apsecure.com>
Date: Wed, 14 Mar 2007 10:04:46 +0800
From: "hfli" <hfli@...tinet.com>
To: "full-disclosure" <full-disclosure@...ts.grok.org.uk>
Subject: [Advisory] McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities
hi full-disclosure,
McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities
by cocoruder of FSRT(Fortinet Security Research Team)
hfli_at_fortinet.com
Summary:
Multiple remote buffer overflow vulnerabilities exist in the ActiveX control "SiteManager.Dll" of McAfee ePolicy Orchestrator. A remote attacker who successfully exploits these vulnerabilities can take complete control of the affected system.
Affected Software Versions:
McAfee ePolicy Orchestrator 3.6.1
McAfee ePolicy Orchestrator 3.5 patch 6
Details:
1. Stack overflow in the function "ExportSiteList()" exported by "SiteManager.dll".
InprocServer32: SiteManager.dll
ClassID : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID : SiteManager.SiteMgr.1
Function Name : ExportSiteList
When the parameter of "ExportSiteList" is set to a long string, a stack-based overflow occurs. The related code follows:
(SiteManager.dll,version=3.6.1.166)
.text:5262B1DE ; func_ExportSiteList
.text:5262B1DE ; Attributes: bp-based frame
.text:5262B1DE
.text:5262B1DE ; int __stdcall sub_5262B1DE(int,wchar_t *,int)
.text:5262B1DE sub_5262B1DE proc near ; DATA XREF: .rdata:5265B504.o
.text:5262B1DE ; .rdata:5265B614.o
.text:5262B1DE
.text:5262B1DE var_414 = word ptr -414h
.text:5262B1DE var_20E = word ptr -20Eh
.text:5262B1DE var_20C = word ptr -20Ch
.text:5262B1DE var_4 = dword ptr -4
.text:5262B1DE arg_0 = dword ptr 8
.text:5262B1DE arg_4 = dword ptr 0Ch
.text:5262B1DE arg_8 = dword ptr 10h
.text:5262B1DE
.text:5262B1DE push ebp
.text:5262B1DF mov ebp, esp
.text:5262B1E1 sub esp, 414h
.text:5262B1E7 mov eax, dword_52670218 ; set stack cookie
.text:5262B1EC push esi
.text:5262B1ED push [ebp+arg_4] ; lpSrcBuff
.text:5262B1F0 mov [ebp+var_4], eax
.text:5262B1F3 lea eax, [ebp+var_20C]
.text:5262B1F9 push eax ; lpDestBuff
.text:5262B1FA call ds:wcscpy ; stack overflow
2. Moreover, we think that the following "swprintf" call also performs the copy without any length validation, as follows:
.text:5262B257 push ebx
.text:5262B258 push edi
.text:5262B259 mov edi, offset aSitelist_xml ; "SiteList.xml"
.text:5262B25E push edi
.text:5262B25F lea eax, [ebp+var_20C]
.text:5262B265 push eax
.text:5262B266 lea eax, [ebp+var_414]
.text:5262B26C push offset aSS_0 ; "%s\\%s"
.text:5262B271 push eax ; lpSrcBuff
.text:5262B272 call ds:swprintf ; stack overflow
3. Stack overflow in the function "VerifyPackageCatalog()" exported by "SiteManager.dll".
InprocServer32: SiteManager.dll
ClassID : 4124FDF6-B540-44C5-96B4-A380CEE9826A
ProgID : SiteManager.SiteMgr.1
Function Name : VerifyPackageCatalog
When the parameter of "VerifyPackageCatalog" is set to a long string, a stack-based overflow occurs. The related code follows:
(SiteManager.dll,version=3.6.1.166)
part1:
.text:5262CFAC func_VerifyPackageCatalog proc near
.text:5262CFAC
.text:5262CFAC mov eax, offset loc_52649F86
.text:5262CFB1 call __EH_prolog
...
.text:5262D00C lea eax, [ebp-28h]
.text:5262D00F push eax
.text:5262D010 push ebx
.text:5262D011 push esi
.text:5262D012 push offset loc_5263AD1A
.text:5262D017 push ebx
.text:5262D018 push ebx
.text:5262D019 call ds:_beginthreadex
part2:
.text:5263AD1A mov eax, offset loc_5264B221
.text:5263AD1F call __EH_prolog
.text:52637229 push ecx
.text:5263722A mov eax, 1774h
.text:5263722F call __alloca_probe ; int
.text:52637234 mov eax, dword_52670218
.text:52637239 mov [ebp-14h], eax ; set stack-cookie
...
.text:5263AD9A lea ecx, [ebp-23Ch]
.text:5263ADA0 push ecx
.text:5263ADA1 push eax
.text:5263ADA2 mov ecx, edi
.text:5263ADA4 call sub_5263721F
|
|_____ .text:5263721F mov eax, offset loc_5264AD1C
.text:52637224 call __EH_prolog
...
.text:5263731A push dword ptr [ebp+8] ; lpSrcBuff,"AAA..."
.text:5263731D lea eax, [ebp-62Ch]
.text:52637323 push eax ; lpDestBuff
.text:52637324 call ds:wcscpy ; stack overflow
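As an added illustration (not code from the advisory or from McAfee), the following C model shows the two unbounded copies in ExportSiteList beside a bounded rewrite: the wcscpy into var_20C and the "%s\\%s" swprintf into var_414. The buffer sizes are assumed from the frame offsets above and the function names are hypothetical; the same length check applies to the wcscpy in VerifyPackageCatalog's worker thread.

```c
#include <wchar.h>

/* Sizes assumed from the frame offsets in the listing, not vendor constants:
 * var_20C lies 0x208 bytes below the cookie (260 wchar_t) and var_414 spans
 * 0x206 bytes up to var_20E (259 wchar_t). */
#define DIR_BUF_WCHARS  260
#define PATH_BUF_WCHARS 259

static const wchar_t kSiteList[] = L"SiteList.xml";   /* aSitelist_xml in the listing */

enum export_result { EXPORT_OK, EXPORT_BAD_ARG, EXPORT_DIR_TOO_LONG, EXPORT_PATH_TOO_LONG };

/* Length of s without scanning past `limit` characters. */
static size_t bounded_wlen(const wchar_t *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != L'\0') n++;
    return n;
}

/* Hardened model of ExportSiteList: the original wcscpy'd `dir` into the
 * 260-wchar stack buffer and then swprintf'd "%s\\%s" into the 259-wchar
 * one, neither bounded. Each overflow now maps to its own refusal code. */
enum export_result export_site_list(const wchar_t *dir, wchar_t *out, size_t out_wchars) {
    wchar_t dir_buf[DIR_BUF_WCHARS];
    if (dir == NULL || out == NULL || out_wchars == 0) return EXPORT_BAD_ARG;
    size_t dir_len = bounded_wlen(dir, DIR_BUF_WCHARS);
    if (dir_len >= DIR_BUF_WCHARS) return EXPORT_DIR_TOO_LONG;            /* vuln 1: wcscpy */
    wmemcpy(dir_buf, dir, dir_len);
    dir_buf[dir_len] = L'\0';
    /* dir + '\\' + "SiteList.xml" + NUL must fit the join buffer and the caller's. */
    size_t need = dir_len + 1 + (sizeof kSiteList / sizeof kSiteList[0] - 1) + 1;
    if (need > PATH_BUF_WCHARS || need > out_wchars) return EXPORT_PATH_TOO_LONG; /* vuln 2: swprintf */
    int n = swprintf(out, out_wchars, L"%ls\\%ls", dir_buf, kSiteList);  /* bounded C99 form */
    return (n < 0 || (size_t)n >= out_wchars) ? EXPORT_PATH_TOO_LONG : EXPORT_OK;
}

/* Constructed input: a directory of `len` 'A's, like the "AAA..." in the listing.
 * Returns the joined path's length on success, or the negated refusal code. */
long try_export(size_t len) {
    wchar_t dir[1024], out[PATH_BUF_WCHARS];
    if (len >= sizeof dir / sizeof dir[0]) return -(long)EXPORT_BAD_ARG;
    for (size_t i = 0; i < len; i++) dir[i] = L'A';
    dir[len] = L'\0';
    enum export_result r = export_site_list(dir, out, PATH_BUF_WCHARS);
    return r == EXPORT_OK ? (long)wcslen(out) : -(long)r;
}
```

Note that a directory of 246 characters passes the first check but is refused at the second: it fits var_20C, yet the joined path no longer fits var_414, which is exactly the second overflow the advisory points at.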
Solution:
McAfee has released two patches and advisories, which are available at:
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612495
https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496
Disclosure Timeline:
2006.12.19 Submitted vul1 and vul2 via security-alerts@...fee.com
2006.12.19 Vendor responded
2006.12.30 Submitted vul3 via security-alerts@...fee.com
2006.12.30 Vendor responded
2007.03.12 Vendor advised that the patches had been fully developed
2007.03.13 Coordinated public disclosure
Disclaimer:
Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.
Fortinet Security Research
secresearch@...tinet.com
http://www.fortinet.com
Best Regards,
hfli
hfli@...tinet.com
2007-03-14