发布时间 :2003-08-27 00:00:00
修订时间 :2013-07-23 01:04:36

[原文]Format string vulnerability in ePO service for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request with format strings in the computerlist parameter, which are used when logging a failed name resolution.

[CNNVD]McAfee Security ePolicy Orchestrator ComputerList远程格式串处理漏洞(CNNVD-200308-177)

        McAfee Security ePolicy Orchestrator是一款企业级反病毒管理工具。ePolicy Orchestrator是策略驱动配置,并包含报告工具。
        McAfee ePolicy Orchestrator对部分POST请求处理不正确,远程攻击者可以利用这个漏洞进行格式字符串攻击,可能以ePO进程权限在系统上执行任意指令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:mcafee:epolicy_orchestrator:2.0McAfee ePolicy Orchestrator 2.0
cpe:/a:mcafee:epolicy_orchestrator:2.5.1McAfee ePolicy Orchestrator 2.5.1
cpe:/a:mcafee:epolicy_orchestrator:2.5:sp1McAfee ePolicy Orchestrator 2.5 SP1
cpe:/a:mcafee:epolicy_orchestrator:2.5McAfee ePolicy Orchestrator 2.5

- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

McAfee Security ePolicy Orchestrator ComputerList远程格式串处理漏洞
高危 输入验证
2003-08-27 00:00:00 2005-10-20 00:00:00
        McAfee Security ePolicy Orchestrator是一款企业级反病毒管理工具。ePolicy Orchestrator是策略驱动配置,并包含报告工具。
        McAfee ePolicy Orchestrator对部分POST请求处理不正确,远程攻击者可以利用这个漏洞进行格式字符串攻击,可能以ePO进程权限在系统上执行任意指令。

- 公告与补丁

        Network Associates Patch EPO2X2.Zip

        McAfee ePolicy Orchestrator 2.X Patch 2

- 漏洞信息 (F31480)

Atstake Security Advisory 03-07-31.1 (PacketStormID:F31480)
2003-08-05 00:00:00
Atstake,Andreas Junestam

Atstake Security Advisory A073103-1 - Three vulnerabilities exist in the McAfee Security ePolicy Orchestrator Server and Agent that allow an attacker to anonymously execute arbitrary code.

Hash: SHA1

                           @stake, Inc.

                        Security Advisory

Advisory Name: ePolicy Orchestrator multiple vulnerabilities
 Release Date: 07/31/2003
  Application: McAfee ePolicy Orchestrator 2.X and 3.0
     Platform: Windows
     Severity: Remote code execution
       Author: Andreas Junestam []
Vendor Status: Vendor had bulletin and patch
CVE Candidate: CAN-2003-0148, CAN-2003-0149, CAN-2003-0616


     McAfee Security ePolicy Orchestrator
( products/epolicy/default-desktop-
protection.asp [line wrapped]) is an enterprise antivirus management
tool.  ePolicy Orchestrator is a policy driven deployment and
reporting tool for enterprise administrators to effectivley manage
their desktop and server antivirus products.

Three vulnerabilities exist in the ePolicy Server and Agent
that allows an attacker to anonymously execute arbitrary code. To
attack a machine running ePO, an attacker would typically need to
be located within the corporate firewall and be able to connect over
the network to the host they wish to compromise. Once one of the
vulnerability is successfully exploited the attacker can execute
arbitrary code under the privileges used by ePO. SYSTEM is the


     The ePolicy Orchestrator (ePO) is built upon a client / server
solution with Agents running on all client hosts. This allows all
installation and administration of antivirus software to be
centralized to one host. To achive this, ePO relies on three parts:
Server, Agents and MSDE (to store configuration information). All
services are by default installed to run as SYSTEM on the host and
thus can be used to either elevate local privileges or remotely
compromise the host.

@stake has discovered 3 different vulnerabilities in the ePO
solution. 2 vulnerabilies concern the server and 1 concerns
the agent.

Server Issue #1

MSDE SA account compromise - This vulnerability applies to ePO 2.X
and 3.0 and is divided up into 3 different parts, that combined
allows an attacker to execute code on the host.

Information disclosure - By issuing a properly formatted HTTP
request to the ePO Server, it will respond with the server config
file. This config file contains username and encrypted password
for the database administrator of the MSDE installation.

Weak cryptography implementation - The encrypted password stored
in the ePO Server config file is encrypted with a DES variant and a
secret key. The secret key is stored in a dll, making decryption of
the password an easy task.

Default MSDE installation - The installation of MSDE is not
hardened, so once the attacker has the database administrator
username and password, he can execute OS commands as SYSTEM
through xp_cmdshell.

Server Issue #2

ComputerList format string vulnerability - This vulnerability
applies to ePO 2.X. Sending a POST request to the Server where the
ComputerList parameter contains a few format characters will cause
the service to crash when it tries to log a failed name resolution.
A properly constucted malicious string containing format string
characters will allow the execution of arbitrary code.

Client Issue #1

ePO Agent Heap Overflow - This vulnerability applies to ePO 2.X.
Sending a POST request to the Agent where parameters on the URL are
substituted by a large number of A's will cause the service to
crash. A properly formatted request will allow an attacker to
overwrite arbitrary data and thus execute code.

Vendor Response:

Initial contact: March 15, 2003
Confirmed issues: March 31, 2003
Fix available: July 31, 2003

NAI has released a bulletin and a patch that resolves these
issues.  Bulletin:

@stake Recommendation:

When deploying new security products within the enterprise,
organizations should understand the risks that new security
solutions may introduce.  Does the service need to be running as
the SYSTEM user? Does the service need to be accessed anonymously
from any machine?  Usually the answer is no.  Products should
be configured to use the least privilege required and only
send and recieve network data to the required machines.

@stake recommends installing the vendor patch. 

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the following names to these issues.  These are candidates
for inclusion in the CVE list (, which
standardizes names for security problems.

CAN-2003-0148 ePolicy Orchestrator MSDE SA account compromise
CAN-2003-0149 ePolicy Orchestrator 2.x Post Parameters Heap Overflow
CAN-2003-0616 ePolicy Orchestrator 2.x Computerlist format string

@stake Vulnerability Reporting Policy:

@stake Advisory Archive:

PGP Key:

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to

Copyright 2003 @stake, Inc. All rights reserved.

Version: PGP 8.0



- 漏洞信息

McAfee ePolicy Orchestrator POST Request Remote Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- 漏洞描述

A format string bug exists in McAfee ePolicy Orchestrator. The McAfee ePolicy Orchestrator fails to handle format strings when logging failed name resolutions. With a specially crafted POST request, an attacker can execute arbitrary code on the system resulting in a loss of confidentiality.

- 时间线

2003-07-31 2003-03-15
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, McAfee has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

McAfee Security ePolicy Orchestrator ComputerList Format String Vulnerability
Input Validation Error 8318
Yes No
2003-07-31 12:00:00 2009-07-11 10:56:00
Discovery credited to Andreas Junestam.

- 受影响的程序版本

McAfee ePolicy Orchestrator 2.5.1
McAfee ePolicy Orchestrator 2.5 SP1
McAfee ePolicy Orchestrator 2.5
McAfee ePolicy Orchestrator 2.0

- 漏洞讨论

A problem has been identified in the handling of ComputerList parameters by McAfee Security ePolicy Orchestrator. This may result in an attacker gaining unauthorized access to the vulnerable host.

- 漏洞利用

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: <>.

- 解决方案

NAI has made a fix available to address this issue:

McAfee ePolicy Orchestrator 2.0

McAfee ePolicy Orchestrator 2.5 SP1

McAfee ePolicy Orchestrator 2.5

McAfee ePolicy Orchestrator 2.5.1

- 相关参考