McAfee ePolicy Orchestrator Authenticated XXE and Credential Disclosure

Trial available here: https://secure.mcafee.com/apps/downloads/free-evaluations/survey.aspx?mktg=ESD1172&cid=ESD1172&eval=A0C692FB-8E29-4D47-BBF1-43CAB5F10069&region=us

McAfee ePolicy Orchestrator suffers from an XXE vulnerability that is available to any authenticated user. The vulnerability lies in the Server Task Log option in the upper left menu. When creating a custom filter, a bit of XML is passed from the client to the server to create that filter. This parameter is called 'conditionXML' and is vulnerable to an XXE attack.

The attack is somewhat limited, however, as the 'value' field can hold at most 255 characters. However, a file in the web server's installation configuration directory called 'keystore.properties' is small enough to fit within that limit, and it contains an encrypted passphrase that is set during installation. When installing, an initial admin user is created (with 'admin' as the default username). The password supplied here also becomes the password for the local 'sa' SQL user if you choose to install a local SQL server, and it is the password for the application's certificate key store (hence the name of the properties file). This passphrase is encrypted using a static key and a weak cipher (AES-128-ECB).

The supplied Metasploit module will authenticate as a given user, exploit the XXE to retrieve the encrypted passphrase, then decrypt it and print the decrypted password for the user.

By default, if a local SQL server has been installed, it will listen on all interfaces. Since the application uses the 'sa' user by default, the password supplied during installation can be used to log in remotely as 'sa', allowing for remote command execution.

Metasploit module attached.
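Server-side hardening for the 'conditionXML' handling described above, as an added example that is not McAfee's code or the module attached to this post: a parser that refuses any DTD or entity construct before the document is processed, and enforces the 255-character 'value' limit the advisory mentions. The element names and the sample documents are assumptions constructed for the example.

```python
import xml.parsers.expat as expat

class UnsafeXML(ValueError):
    """Raised when submitted XML carries a DTD, entity declaration or external reference."""

def _reject(*_args):
    # Any DOCTYPE, <!ENTITY ...> declaration or external entity reference aborts the parse.
    raise UnsafeXML("DTD and entity declarations are not accepted")

def parse_condition_xml(payload: str, max_value_len: int = 255) -> dict:
    """Parse a filter document into {tag: text}, refusing anything that could trigger XXE.
    Element names are assumed; the 255-character 'value' limit is the one the advisory describes."""
    parser = expat.ParserCreate()
    parser.buffer_text = True  # deliver each element's text in one chunk
    parser.StartDoctypeDeclHandler = _reject
    parser.EntityDeclHandler = _reject
    parser.ExternalEntityRefHandler = _reject
    fields, text = {}, []

    def end(name):  # leaf text is collected per element, then cleared
        value = "".join(text).strip()
        if value:
            fields[name] = value
        text.clear()

    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end
    try:
        parser.Parse(payload, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if len(fields.get("value", "")) > max_value_len:
        raise ValueError(f"value exceeds {max_value_len} characters")
    return fields

def is_safe_condition_xml(payload: str) -> bool:
    """True only when the payload parses without DTD or entity constructs and within limits."""
    try:
        parse_condition_xml(payload)
    except ValueError:
        return False
    return True

# Constructed sample inputs (not taken from the product): a benign filter and one carrying
# an external entity declaration of the kind an XXE attempt would need.
SAFE_FILTER = "<condition><field>status</field><value>Failed</value></condition>"
XXE_FILTER = ('<!DOCTYPE c [<!ENTITY x SYSTEM "file:///dev/null">]>'
              "<condition><field>status</field><value>&x;</value></condition>")
```

Rejecting the DOCTYPE outright is simpler and safer than trying to resolve entities selectively, since a filter definition has no legitimate need for a DTD.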
Also, GitHub gist link: https://gist.github.com/brandonprry/692e553975bf29aeaf2c

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
Attachment:
mcafee_epo_xxe.rb
Description: Binary data
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/