CVE-2003-0148
CVSS7.2
Published: 2003-08-27 00:00:00
Revised: 2008-09-10 15:18:05

[Original] The default installation of MSDE via McAfee ePolicy Orchestrator 2.0 through 3.0 allows attackers to execute arbitrary code via a series of steps that (1) obtain the database administrator username and encrypted password in a configuration file from the ePO server using a certain request, (2) crack the password due to weak cryptography, and (3) use the password to pass commands through xp_cmdshell.


[CNNVD] McAfee Security ePolicy Orchestrator MSDE SA Account Information Disclosure Vulnerability (CNNVD-200308-154)

        McAfee Security ePolicy Orchestrator is an enterprise antivirus management tool. ePolicy Orchestrator is a policy-driven deployment product and includes reporting tools.
        McAfee ePolicy Orchestrator discloses the administrator account information of its Microsoft Data Engine (MSDE) installation; a remote attacker can exploit this vulnerability to obtain that sensitive information with a specially crafted HTTP request.
        When a specially constructed HTTP request is sent to the ePO server, the server responds with the contents of its configuration file, which contains the database administrator username and the encrypted password of the MSDE installation. The password stored in the ePO server configuration file is encrypted with DES under a key that is itself stored in a DLL file, so the password can easily be recovered.
        The default MSDE installation is not hardened: once an attacker holds the database administrator username and password, arbitrary commands can be executed with SYSTEM privileges through xp_cmdshell.
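The third step in the description above, an unhardened MSDE default that leaves xp_cmdshell reachable from the sa account, is the part an administrator can check and close on their own, independently of the vendor patch. The T-SQL below is an added example written for this page; it is not code from McAfee, @stake or any of the linked advisories. It assumes SQL Server 2005 or later, where `xp_cmdshell` is an `sp_configure` option and `sys.configurations` exists; the MSDE 2000 engine shipped with ePO 2.x/3.0 predates that option, and the equivalent hardening there was to revoke EXECUTE on the procedure from non-sysadmin logins (or drop it with `sp_dropextendedproc`) and to give the application its own non-sysadmin login instead of sa. The login and database names are placeholders.

```sql
-- Added example for this page (not vendor or advisory code).
-- Assumes SQL Server 2005 or later; see the lead-in for the MSDE 2000 equivalent.

-- 1. Is xp_cmdshell currently enabled?  value_in_use = 1 means any login that can
--    reach the procedure (sa, or any sysadmin member) gets OS command execution in
--    the service account's context, which is SYSTEM in the default ePO install.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 2. Turn it off.  Caveat: a sysadmin-level credential (such as sa) can simply run
--    sp_configure again and re-enable it, so this raises the bar and creates an
--    audit signal; it does not on its own neutralise a leaked sa password.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';          -- expect value_in_use = 0

-- 3. The control that actually limits the blast radius of a leaked application
--    password: the application must not connect as sa.  Give it a dedicated login
--    that is db_owner on its own database and nothing more (names are placeholders).
USE epo_db;                            -- placeholder: the application's database
CREATE LOGIN epo_app
    WITH PASSWORD = 'REPLACE-WITH-A-GENERATED-PASSWORD',
         CHECK_POLICY = ON;
CREATE USER epo_app FOR LOGIN epo_app;
EXEC sp_addrolemember 'db_owner', 'epo_app';

-- 4. Confirm no login that is sysadmin is used by an application, then disable sa
--    once nothing depends on it.
SELECT sp.name, sp.is_disabled
FROM   sys.server_principals AS sp
WHERE  IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND  sp.type IN ('S', 'U', 'G');    -- SQL logins, Windows logins, Windows groups

-- ALTER LOGIN sa DISABLE;            -- run after the application uses epo_app
```

The ordering matters: disabling xp_cmdshell first is cheap and worth doing, but steps 3 and 4 are what turn "attacker has the database password" from "attacker is SYSTEM on the host" into "attacker can read one database", which is the distinction the advisory's third step turns on. Running the SQL Server service under a dedicated low-privilege Windows account rather than SYSTEM closes the remaining gap, since xp_cmdshell runs in the service account's context.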
        

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system shutdown]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:mcafee:epolicy_orchestrator:2.0      McAfee ePolicy Orchestrator 2.0
cpe:/a:mcafee:epolicy_orchestrator:3.0      McAfee ePolicy Orchestrator 3.0
cpe:/a:mcafee:epolicy_orchestrator:2.5.1    McAfee ePolicy Orchestrator 2.5.1
cpe:/a:mcafee:epolicy_orchestrator:2.5:sp1  McAfee ePolicy Orchestrator 2.5 SP1
cpe:/a:mcafee:epolicy_orchestrator:2.5      McAfee ePolicy Orchestrator 2.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0148
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0148
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-154
(official data source) CNNVD

- Other links and resources

http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp
(VENDOR_ADVISORY)  CONFIRM  http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp
http://www.atstake.com/research/advisories/2003/a073103-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A073103-1

- Vulnerability information

McAfee Security ePolicy Orchestrator MSDE SA Account Information Disclosure Vulnerability
High  Other
2003-08-27 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        McAfee
        ------
        The vendor has released an update that fixes this security issue; download it from the vendor's site:
        Network Associates Patch EPO3002.Zip
        
        http://download.nai.com/products/patches/ePO/v3.0/EPO3002.Zip

        McAfee ePolicy Orchestrator 3.0 Patch 2
        Network Associates Patch EPO2X2.Zip
        
        http://download.nai.com/products/patches/ePO/v2.x/

        McAfee ePolicy Orchestrator 2.X Patch 2

- Vulnerability information (F31480)

Atstake Security Advisory 03-07-31.1 (PacketStormID:F31480)
2003-08-05 00:00:00
Atstake,Andreas Junestam  atstake.com
advisory,arbitrary,vulnerability
CVE-2003-0148,CVE-2003-0149,CVE-2003-0616

Atstake Security Advisory A073103-1 - Three vulnerabilities exist in the McAfee Security ePolicy Orchestrator Server and Agent that allow an attacker to anonymously execute arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                           @stake, Inc.
                         www.atstake.com

                        Security Advisory

Advisory Name: ePolicy Orchestrator multiple vulnerabilities
 Release Date: 07/31/2003
  Application: McAfee ePolicy Orchestrator 2.X and 3.0
     Platform: Windows
     Severity: Remote code execution
       Author: Andreas Junestam [andreas@atstake.com]
Vendor Status: Vendor had bulletin and patch
CVE Candidate: CAN-2003-0148, CAN-2003-0149, CAN-2003-0616
    Reference: www.atstake.com/research/advisories/2003/a073103-1.txt


Overview:

     McAfee Security ePolicy Orchestrator
(http://www.mcafeeb2b.com/ products/epolicy/default-desktop-
protection.asp [line wrapped]) is an enterprise antivirus management
tool.  ePolicy Orchestrator is a policy driven deployment and
reporting tool for enterprise administrators to effectively manage
their desktop and server antivirus products.

Three vulnerabilities exist in the ePolicy Server and Agent
that allow an attacker to anonymously execute arbitrary code. To
attack a machine running ePO, an attacker would typically need to
be located within the corporate firewall and be able to connect over
the network to the host they wish to compromise. Once one of the
vulnerabilities is successfully exploited the attacker can execute
arbitrary code under the privileges used by ePO. SYSTEM is the
default.

Details:

     The ePolicy Orchestrator (ePO) is built upon a client / server
solution with Agents running on all client hosts. This allows all
installation and administration of antivirus software to be
centralized to one host. To achieve this, ePO relies on three parts:
Server, Agents and MSDE (to store configuration information). All
services are by default installed to run as SYSTEM on the host and
thus can be used to either elevate local privileges or remotely
compromise the host.

@stake has discovered 3 different vulnerabilities in the ePO
solution. 2 vulnerabilities concern the server and 1 concerns
the agent.

Server Issue #1

MSDE SA account compromise - This vulnerability applies to ePO 2.X
and 3.0 and is divided up into 3 different parts, that combined
allows an attacker to execute code on the host.

Information disclosure - By issuing a properly formatted HTTP
request to the ePO Server, it will respond with the server config
file. This config file contains username and encrypted password
for the database administrator of the MSDE installation.

Weak cryptography implementation - The encrypted password stored
in the ePO Server config file is encrypted with a DES variant and a
secret key. The secret key is stored in a dll, making decryption of
the password an easy task.

Default MSDE installation - The installation of MSDE is not
hardened, so once the attacker has the database administrator
username and password, he can execute OS commands as SYSTEM
through xp_cmdshell.

Server Issue #2

ComputerList format string vulnerability - This vulnerability
applies to ePO 2.X. Sending a POST request to the Server where the
ComputerList parameter contains a few format characters will cause
the service to crash when it tries to log a failed name resolution.
A properly constructed malicious string containing format string
characters will allow the execution of arbitrary code.

Client Issue #1

ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X.
Sending a POST request to the Agent where parameters on the URL are
substituted by a large number of A's will cause the service to
crash. A properly formatted request will allow an attacker to
overwrite arbitrary data and thus execute code.


Vendor Response:

Initial contact: March 15, 2003
Confirmed issues: March 31, 2003
Fix available: July 31, 2003

NAI has released a bulletin and a patch that resolves these
issues.  Bulletin:

http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp


@stake Recommendation:

When deploying new security products within the enterprise,
organizations should understand the risks that new security
solutions may introduce.  Does the service need to be running as
the SYSTEM user? Does the service need to be accessed anonymously
from any machine?  Usually the answer is no.  Products should
be configured to use the least privilege required and only
send and receive network data to the required machines.

@stake recommends installing the vendor patch. 


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues.  These are candidates
for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.

CAN-2003-0148 ePolicy Orchestrator MSDE SA account compromise
CAN-2003-0149 ePolicy Orchestrator 2.x Post Parameters Heap Overflow
CAN-2003-0616 ePolicy Orchestrator 2.x Computerlist format string


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc


@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@atstake.com.


Copyright 2003 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPylYQke9kNIfAm4yEQLy/wCeMVCEmN0TONuUhd+1jPD2lZ7rBPoAmwXG
dj+Aa6knFpHFYxTOEICwEnGn
=I7j5
-----END PGP SIGNATURE-----



- Vulnerability information

2351
McAfee ePolicy Orchestrator MSDE SA Account Compromise
Remote / Network Access Information Disclosure
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

McAfee ePolicy Orchestrator contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by issuing a properly formatted HTTP request to the ePO Server to get the server config file. This config file contains username and encrypted password for the database administrator of the MSDE installation. With this information, an attacker could decrypt the password, which could then be used to launch further attacks against the affected system.

- Timeline

2003-07-31 2003-03-15
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, McAfee has released a patch to address this vulnerability.

- Vulnerability information

McAfee ePolicy Orchestrator MSDE SA Account Information Disclosure Vulnerability
Class: Failure to Handle Exceptional Conditions (8319)
Remote: Yes  Local: No
Published: 2003-07-31 12:00:00  Updated: 2009-07-11 10:56:00
Discovery is credited to Andreas Junestam <andreas@atstake.com>.

- Affected program versions

McAfee ePolicy Orchestrator 3.0
McAfee ePolicy Orchestrator 2.5.1
McAfee ePolicy Orchestrator 2.5 SP1
McAfee ePolicy Orchestrator 2.5
McAfee ePolicy Orchestrator 2.0

- Vulnerability discussion

McAfee ePolicy Orchestrator (ePO) may disclose the username and encrypted password for the database administrator account of the Microsoft Data Engine installation. Sending a specifically formatted HTTP request to the ePO server will return the server configuration file which contains this information.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Network Associates has released fixes:


McAfee ePolicy Orchestrator 2.0

McAfee ePolicy Orchestrator 2.5 SP1

McAfee ePolicy Orchestrator 2.5

McAfee ePolicy Orchestrator 2.5.1

McAfee ePolicy Orchestrator 3.0
