Message-ID: <CAOJKFBAGE6W7yPzdPLsF6AkVRr12snqZGfCvK4-Th-WsaiT6Mg@mail.gmail.com>
Date: Tue, 6 Jan 2015 14:05:52 -0600
From: Brandon Perry <bperry.volatile@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] McAfee ePolicy Orchestrator Authenticated XXE and Credential Exposure
McAfee ePolicy Orchestrator Authenticated XXE and Credential Disclosure
Trial available here:
https://secure.mcafee.com/apps/downloads/free-evaluations/survey.aspx?mktg=ESD1172&cid=ESD1172&eval=A0C692FB-8E29-4D47-BBF1-43CAB5F10069&region=us
McAfee ePolicy Orchestrator suffers from an authenticated XXE
vulnerability, exploitable by any authenticated user. The Server Task Log
option in the upper left menu is where the vulnerability lies. When
creating a custom filter, a bit of XML is passed from the client to the
server to create that filter. This parameter is called 'conditionXML'
and is vulnerable to an XXE attack. The attack seems a bit limited, however,
as you can only fit up to 255 characters in the 'value' field.
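As an added example (not McAfee's code and not the attached module), this is how a server can refuse a user-supplied filter document such as 'conditionXML' before the parser resolves any DOCTYPE or entity; the <filter>/<condition> layout and the two sample documents are assumptions, not ePO's real schema.

```python
# Added example, not McAfee's code or the attached module: accept a submitted
# filter document only if it carries no DOCTYPE and no entity declaration.
# The <filter>/<condition> layout and the samples are assumptions, not ePO's schema.
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document tries to declare a DOCTYPE or any entity."""


def parse_condition_xml(document):
    """Return the attributes of each <condition> element as a dict."""
    parser = xml.parsers.expat.ParserCreate()
    # Belt and braces: never read parameter entities even if a DOCTYPE slipped by.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    conditions = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before the internal subset is read, so no SYSTEM entity is ever opened.
        raise UnsafeXmlError("DOCTYPE is not allowed in conditionXML")

    def on_entity_decl(*_args):
        raise UnsafeXmlError("entity declarations are not allowed in conditionXML")

    def on_start(name, attrs):
        if name == "condition":
            conditions.append(dict(attrs))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.Parse(document, True)
    return conditions


# Constructed samples, not captured ePO traffic; the SYSTEM path is a placeholder.
SAFE_FILTER = '<filter><condition field="status" op="eq" value="Failed"/></filter>'
HOSTILE_FILTER = (
    '<!DOCTYPE filter [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
    '<filter><condition field="status" op="eq" value="&ext;"/></filter>'
)


def is_rejected(document):
    """True when the hardened parser refuses the document."""
    try:
        parse_condition_xml(document)
    except UnsafeXmlError:
        return True
    return False
```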
However, a file in the web server installation configuration directory
called 'keystore.properties' is smaller than that limit, and contains an
encrypted passphrase that is set during installation. When installing, an
initial admin user is created (with 'admin' as the default username). The
password supplied here will also become the password for the local 'sa' SQL
user, if you choose to install a local SQL server, and it will be the
password for the application's certificate key store (hence the name of the
properties file).
This passphrase is encrypted using a static key, and uses a weak cipher
(AES-128-ECB).
The supplied metasploit module will authenticate as a given user, exploit
the XXE to retrieve the encrypted passphrase, then decrypt it and print the
decrypted password out for the user.
By default, if a local SQL server has been installed, the SQL server
will listen on all interfaces. Since the application uses the 'sa' user by
default, the password supplied during installation can be used to log in
remotely as the 'sa' user, allowing for remote command execution.
Metasploit module attached.
Also, Github gist link:
https://gist.github.com/brandonprry/692e553975bf29aeaf2c
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
Attachment: "mcafee_epo_xxe.rb" (application/octet-stream, 7649 bytes)