CVE-2006-3623
CVSS5.0
Published: 2006-07-18 11:46:00
Revised: 2011-03-07 21:39:07

[Original text] Directory traversal vulnerability in Framework Service component in McAfee ePolicy Orchestrator agent 3.5.0.x and earlier allows remote attackers to create arbitrary files via a .. (dot dot) in the directory and filename in a PropsResponse (PackageType) request.


[CNNVD] McAfee ePolicy Orchestrator Framework Service Directory Traversal Vulnerability (CNNVD-200607-246)

        McAfee ePolicy Orchestrator (ePO) is an industry-leading system security management solution that helps enterprises defend against a wide range of malicious threats and attacks.
        The ePO Framework Service has a flaw in how it checks and filters the parameters of user POST requests; a remote attacker can exploit it to carry out a directory traversal attack against the server.
        The ePO Framework Service accepts POST requests on the /spipe/pkg interface. The POST request header indicates the package request type, the UUID and the computer host name. Depending on the request, the data block that follows may contain data specific to that request. In the case covered by this vulnerability, the request type (PackageType) is PropsResponse, and the data that follows specifies a directory and XML file name, followed by the content of the XML file. Because the directory and file name are not properly filtered, an attacker can use directory traversal to write a file with arbitrary content to any location on the system.
        The package data of every package request is XORed with the static byte 0xAA, then SHA-1 hashed and DSA signed.
        The vulnerable package format is as follows:
        +00h WORD magic = "PO" (0x4F50)
        +02h DWORD = 20000001h, 20001001h, or 30000001
        +06h DWORD file offset of XML
        +0Ah [E0h] fixed-length data
        +0Ah DWORD
        +0Eh DWORD
        +12h DWORD length of XML
        +16h [40h] ASCII ??? GUID
        +56h [40h] ASCII ??? GUID
        +96h DWORD
        +9Ah [???] ASCII host name
        ...
        +EAh [...] name-value pairs
        X+00h DWORD length of following name string
        +04h [...] ASCII name string (no null terminator)
        X+00h DWORD length of following value data
        +04h [...] value data (null terminated if ASCII string)
        X+00h [...] XML
        +00h WORD
        +02h WORD length of following file name string
        +04h [...] ASCII .xml file name string * traversal attack, may be any directory and file extension
        X+00h DWORD length of following XML * increase length to prevent deletion
        +04h [...] ASCII XML * filename data
        X+00h DWORD length of signature data = 2Ch
        +04h WORD (big-endian) number of bits in DSA signature 'r' component
        +06h [14h] DSA signature 'r' component (technically it's variable-length)
        +1Ah WORD (big-endian) number of bits in DSA signature 's' component
        +1Ch [14h] DSA signature 's' component (also variable-length)
        Because the attack uses functionality already implemented in the Framework Service, it is 100% reliable.
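To make the flawed step concrete, here is an added Python example (not eEye's or McAfee's code) that parses the XML section of a PropsResponse package as laid out in the listing above, then shows the path-joining mistake beside a hardened check that keeps the target inside the expected store. The store directory, little-endian WORD/DWORD fields and the XOR covering the whole section are assumptions.

```python
import os
import struct
from typing import Optional

# Constructed store directory; any absolute path works for the check below.
STORE_DIR = os.path.join(os.sep, "var", "epo-props")

def unmask_package(raw: bytes) -> bytes:
    # The advisory says package data is XORed with the static byte 0xAA;
    # XOR is its own inverse, so the same call masks and unmasks.
    return bytes(b ^ 0xAA for b in raw)

def build_xml_section(filename: bytes, xml: bytes) -> bytes:
    # Layout from the format listing: WORD, WORD name length, name,
    # DWORD XML length, XML. Little-endian fields are an assumption here.
    return (struct.pack("<HH", 0, len(filename)) + filename
            + struct.pack("<I", len(xml)) + xml)

def parse_xml_section(blob: bytes):
    """Return (file name, xml bytes); raise ValueError on truncated input."""
    if len(blob) < 4:
        raise ValueError("short header")
    _, name_len = struct.unpack_from("<HH", blob, 0)
    name_end = 4 + name_len
    if len(blob) < name_end + 4:
        raise ValueError("truncated file name")
    name = blob[4:name_end].decode("ascii")
    (xml_len,) = struct.unpack_from("<I", blob, name_end)
    xml = blob[name_end + 4:name_end + 4 + xml_len]
    if len(xml) != xml_len:
        raise ValueError("truncated XML")
    return name, xml

def unsafe_target(base_dir: str, name: str) -> str:
    # The flaw: the name taken from the package is joined to the store
    # directory as-is, so "../" segments resolve to a path outside it.
    return os.path.normpath(os.path.join(base_dir, name))

def safe_target(base_dir: str, name: str) -> Optional[str]:
    # Hardened form: canonicalise, then require the result to stay under
    # base_dir and to keep the .xml extension the service expects.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.lower().endswith(".xml"):
        return None
    return candidate
```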
        
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3623
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3623
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200607-246
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2796
(UNKNOWN)  VUPEN  ADV-2006-2796
http://www.eeye.com/html/research/advisories/AD20060713.html
(UNKNOWN)  MISC  http://www.eeye.com/html/research/advisories/AD20060713.html
http://secunia.com/advisories/21037
(VENDOR_ADVISORY)  SECUNIA  21037
http://xforce.iss.net/xforce/xfdb/27738
(UNKNOWN)  XF  epolicy-epo-directory-traversal(27738)
http://www.securityfocus.com/bid/18979
(UNKNOWN)  BID  18979
http://www.securityfocus.com/archive/1/archive/1/440077/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060714 EEYE: McAfee ePolicy Orchestrator Remote Compromise
http://www.osvdb.org/27158
(UNKNOWN)  OSVDB  27158
http://securitytracker.com/id?1016501
(UNKNOWN)  SECTRACK  1016501

- Vulnerability information

McAfee ePolicy Orchestrator Framework Service Directory Traversal Vulnerability
Medium severity  Path traversal
2006-07-18 00:00:00 2006-07-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; patch download link:
        http://www.mcafee.com/

- Vulnerability information

27158
McAfee ePolicy Orchestrator /spipe/pkg Traversal Arbitrary File Write
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

ePolicy Orchestrator contains a flaw that allows a remote attacker to write files outside of the web path. The issue is due to the /spipe/pkg interface not properly sanitizing user input, specifically directory traversal style attacks (../../) supplied via the URI.

- Timeline

2006-07-13 Unknown
2006-07-13 2006-07-13

- Solution

Upgrade to version 3.5.5.438 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Vulnerability information

McAfee EPolicy Orchestrator Framework Service Directory Traversal Vulnerability
Input Validation Error 18979
Yes No
2006-07-14 12:00:00 2007-06-26 04:48:00
McAfee and eEye Digital Security each independently discovered this vulnerability.

- Affected program versions

McAfee ePolicy Orchestrator 3.5.5
McAfee ePolicy Orchestrator 3.0 SP2a
McAfee ePolicy Orchestrator 3.0
McAfee ePolicy Orchestrator 2.5.1
McAfee ePolicy Orchestrator 2.5 SP1
McAfee ePolicy Orchestrator 2.5
McAfee ePolicy Orchestrator 2.0
McAfee ePolicy Orchestrator 1.1
McAfee ePolicy Orchestrator 1.0
McAfee ePolicy Orchestrator 3.5
McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.5.5 .438

- Unaffected program versions

McAfee ePolicy Orchestrator 3.6
McAfee ePolicy Orchestrator 3.5.5 .438

- Vulnerability discussion

The McAfee ePolicy Orchestrator framework service is prone to a directory-traversal vulnerability that can lead to complete system compromise.

The application fails to sanitize user input when accepting POST requests on the '/spipe/pkg' interface. Specifically, the script fails to sanitize input for proper directory and filename, allowing an attacker to conduct a directory-traversal attack that can overwrite existing files or place arbitrary files on a vulnerable computer.

A successful exploit may allow unauthorized remote users to overwrite existing files or place arbitrary files on a vulnerable computer.

- Exploitation

An exploit is not required. An attacker could carry out this attack with available client applications.

- Solution

Customers must log onto the McAfee product update website and download version 3.5.5.438 of ePolicy Orchestrator or higher. ePolicy Orchestrator itself can also be used to upgrade this product to a reportedly non-vulnerable version.
