McAfee ePO SiteManager.dll ActiveX Control Multiple Remote Stack Overflow Vulnerabilities

Vulnerability ID: 1191311    Type: Buffer overflow
Published: 2007-03-16    Updated: 2007-04-02
CVE: CVE-2007-1498    CNNVD-ID: CNNVD-200703-409
Platform: N/A    CVSS score: 9.3
|Sources
https://cxsecurity.com/issue/WLB-2007030142
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-409
|Details
Intel McAfee ePolicy Orchestrator (ePO) is a scalable security-management suite from Intel (formerly McAfee) that provides centralized management of endpoint, network, content-security and compliance products. Its SiteManager.Dll ActiveX control contains multiple stack-based buffer overflows that let a remote attacker take complete control of the affected system.

1. Stack overflow in ExportSiteList(). InprocServer32: SiteManager.dll; ClassID: 4124FDF6-B540-44C5-96B4-A380CEE9826A; ProgID: SiteManager.SiteMgr.1; function name: ExportSiteList. Passing an over-long string as the ExportSiteList parameter triggers a stack overflow in SiteManager.dll version 3.6.1.166. The full disassembly listing is reproduced in the advisory that follows.
|Advisory / EXP
hi full-disclosure,

McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities

by cocoruder of FSRT (Fortinet Security Research Team)
hfli_at_fortinet.com


Summary:

    Multiple remote buffer overflow vulnerabilities exist in the ActiveX control "SiteManager.Dll" shipped with McAfee ePolicy Orchestrator. A remote attacker who successfully exploits these vulnerabilities can completely take control of the affected system.


Affected Software Versions:

    McAfee ePolicy Orchestrator 3.6.1
    McAfee ePolicy Orchestrator 3.5 patch 6



Details:
    
    1. Stack overflow in function "ExportSiteList()" exposed by "SiteManager.dll".

    InprocServer32:	SiteManager.dll
    ClassID	  : 	4124FDF6-B540-44C5-96B4-A380CEE9826A
    ProgID	  : 	SiteManager.SiteMgr.1
    Function Name : 	ExportSiteList

    Passing a long string as the parameter of "ExportSiteList" causes a stack-based overflow: the string is copied with wcscpy into a fixed-size stack buffer (var_20C, 0x208 bytes, i.e. 260 wide characters) with no length check. The related code follows:
    (SiteManager.dll, version=3.6.1.166)

	.text:5262B1DE ; func_ExportSiteList
	.text:5262B1DE ; Attributes: bp-based frame
	.text:5262B1DE
	.text:5262B1DE ; int __stdcall sub_5262B1DE(int,wchar_t *,int)
	.text:5262B1DE sub_5262B1DE    proc near			; DATA XREF: .rdata:5265B504o
	.text:5262B1DE							; .rdata:5265B614o
	.text:5262B1DE
	.text:5262B1DE var_414         = word ptr -414h
	.text:5262B1DE var_20E         = word ptr -20Eh
	.text:5262B1DE var_20C         = word ptr -20Ch
	.text:5262B1DE var_4           = dword ptr -4
	.text:5262B1DE arg_0           = dword ptr  8
	.text:5262B1DE arg_4           = dword ptr  0Ch
	.text:5262B1DE arg_8           = dword ptr  10h
	.text:5262B1DE
	.text:5262B1DE                 push    ebp
	.text:5262B1DF                 mov     ebp, esp
	.text:5262B1E1                 sub     esp, 414h
	.text:5262B1E7                 mov     eax, dword_52670218	; set stack cookie
	.text:5262B1EC                 push    esi
	.text:5262B1ED                 push    [ebp+arg_4]		; lpSrcBuff
	.text:5262B1F0                 mov     [ebp+var_4], eax
	.text:5262B1F3                 lea     eax, [ebp+var_20C]
	.text:5262B1F9                 push    eax			; lpDestBuff
	.text:5262B1FA                 call    ds:wcscpy		; stack overflow

    2. In the same function, the following "swprintf" call also writes into a fixed-size stack buffer (var_414, also 0x208 bytes) without any length check. Because it appends "\SiteList.xml" to the string copied above, it overflows even for inputs slightly shorter than the first buffer:

	.text:5262B257                 push    ebx
	.text:5262B258                 push    edi
	.text:5262B259                 mov     edi, offset aSitelist_xml ; "SiteList.xml"
	.text:5262B25E                 push    edi
	.text:5262B25F                 lea     eax, [ebp+var_20C]
	.text:5262B265                 push    eax
	.text:5262B266                 lea     eax, [ebp+var_414]
	.text:5262B26C                 push    offset aSS_0		; "%s\%s"
	.text:5262B271                 push    eax			; lpDestBuff (var_414)
	.text:5262B272                 call    ds:swprintf		; stack overflow

    3. Stack overflow in function "VerifyPackageCatalog()" exposed by "SiteManager.dll".

    InprocServer32:	SiteManager.dll
    ClassID	  : 	4124FDF6-B540-44C5-96B4-A380CEE9826A
    ProgID	  : 	SiteManager.SiteMgr.1
    Function Name : 	VerifyPackageCatalog

    Passing a long string as the parameter of "VerifyPackageCatalog" causes a stack-based overflow. The parameter is handed to a worker thread (part 1), which calls a helper that copies it with wcscpy into a fixed-size stack buffer (part 2). The related code follows:
    (SiteManager.dll, version=3.6.1.166)

    part1:

	.text:5262CFAC func_VerifyPackageCatalog proc near	
	.text:5262CFAC						
	.text:5262CFAC           mov     eax, offset loc_52649F86
	.text:5262CFB1           call    __EH_prolog
	...
	.text:5262D00C           lea     eax, [ebp-28h]
	.text:5262D00F           push    eax
	.text:5262D010           push    ebx
	.text:5262D011           push    esi
	.text:5262D012           push    offset loc_5263AD1A
	.text:5262D017           push    ebx
	.text:5262D018           push    ebx
	.text:5262D019           call    ds:_beginthreadex

    part2 (the thread routine started above, and the helper it calls):

	.text:5263AD1A           mov     eax, offset loc_5264B221
	.text:5263AD1F           call    __EH_prolog
	...
	.text:5263AD9A           lea     ecx, [ebp-23Ch]
	.text:5263ADA0           push    ecx
	.text:5263ADA1           push    eax
	.text:5263ADA2           mov     ecx, edi
	.text:5263ADA4           call    sub_5263721F
		|
		|_____	.text:5263721F           mov     eax, offset loc_5264AD1C
			.text:52637224           call    __EH_prolog
			.text:52637229           push    ecx
			.text:5263722A           mov     eax, 1774h
			.text:5263722F           call    __alloca_probe			; 0x1774-byte stack frame
			.text:52637234           mov     eax, dword_52670218
			.text:52637239           mov     [ebp-14h], eax				; set stack cookie
			...
			.text:5263731A           push    dword ptr [ebp+8]	; lpSrcBuff, "AAA..." (attacker-controlled)
			.text:5263731D           lea     eax, [ebp-62Ch]
			.text:52637323           push    eax			; lpDestBuff
			.text:52637324           call    ds:wcscpy		; stack overflow
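All three listings share one defect: an attacker-controlled wide string is written into a fixed-size stack buffer by wcscpy, and in ExportSiteList the result is then joined with "\SiteList.xml" by a legacy Microsoft swprintf that takes no destination size. The following is an added example, not code from the advisory or from McAfee: a portable C reimplementation of the ExportSiteList path construction with explicit length checks at both steps, which serves as the hardened form for the VerifyPackageCatalog copy as well. The 260-wide-character buffer size is an assumption derived from the 0x208-byte frame slots (var_20C and var_414) in the listing, the file name "SiteList.xml" is taken from the listing, and the 'A'-filled directory names are constructed test input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Constructed example, not McAfee/ePO code. The listings above show two
 * MAX_PATH-sized wchar_t stack buffers (var_20C = 0x208 bytes = 260 wide
 * chars, and var_414 of the same size), filled by an unbounded wcscpy and
 * then by swprintf("%s\\%s", ..., "SiteList.xml"). This is the same path
 * construction with explicit length checks at both steps. */

#define EPO_MAX_PATH 260                 /* assumed from the 0x208-byte frame slots */
#define SITELIST_NAME L"SiteList.xml"    /* string literal seen in the listing */

enum site_path_status {
    SITE_PATH_OK = 0,
    SITE_PATH_DIR_TOO_LONG,     /* stage 1: unbounded wcscpy would overflow var_20C */
    SITE_PATH_JOIN_TOO_LONG,    /* stage 2: dir fits, but dir + "\" + name overflows var_414 */
    SITE_PATH_BAD_ARG
};

/* Bounded wide-string length: counts at most 'cap' characters, so a string
 * with no terminator inside the buffer cannot cause a read past it. */
static size_t bounded_wcslen(const wchar_t *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != L'\0')
        n++;
    return n;
}

/* Hardened replacement for wcscpy(var_20C, arg) followed by
 * swprintf(var_414, "%s\\%s", var_20C, "SiteList.xml").
 * 'out' holds out_cap wide characters. */
enum site_path_status build_site_list_path(const wchar_t *site_dir,
                                           wchar_t *out, size_t out_cap)
{
    if (site_dir == NULL || out == NULL || out_cap == 0)
        return SITE_PATH_BAD_ARG;

    /* Stage 1: the original copies site_dir into a 260-wchar buffer unchecked. */
    size_t dir_len = bounded_wcslen(site_dir, EPO_MAX_PATH);
    if (dir_len >= EPO_MAX_PATH)
        return SITE_PATH_DIR_TOO_LONG;

    /* Stage 2: the joined path needs dir + '\\' + name + NUL, which is longer
     * than the input, so a dir that passed stage 1 can still overflow a
     * same-size destination. */
    size_t need = dir_len + 1 + (sizeof SITELIST_NAME / sizeof(wchar_t) - 1) + 1;
    if (need > EPO_MAX_PATH || need > out_cap)
        return SITE_PATH_JOIN_TOO_LONG;

    /* C99 swprintf takes the destination size; %ls is the portable wide-string
     * conversion (MSVC's legacy swprintf had no count and used %s for wchar_t*). */
    int n = swprintf(out, out_cap, L"%ls\\%ls", site_dir, SITELIST_NAME);
    if (n < 0 || (size_t)n >= out_cap) {
        out[0] = L'\0';
        return SITE_PATH_JOIN_TOO_LONG;
    }
    return SITE_PATH_OK;
}

/* Test helper: runs the check on a constructed directory name of n 'A's. */
enum site_path_status check_site_dir_of_length(size_t n)
{
    wchar_t dir[2048];
    wchar_t out[EPO_MAX_PATH];
    if (n >= sizeof dir / sizeof dir[0])
        return SITE_PATH_BAD_ARG;
    for (size_t i = 0; i < n; i++)
        dir[i] = L'A';
    dir[n] = L'\0';
    return build_site_list_path(dir, out, EPO_MAX_PATH);
}

/* Test helper: a short, well-formed directory yields the expected joined path. */
bool site_list_path_demo_ok(void)
{
    wchar_t out[EPO_MAX_PATH];
    return build_site_list_path(L"C:\\ePO\\DB", out, EPO_MAX_PATH) == SITE_PATH_OK
        && wcscmp(out, L"C:\\ePO\\DB\\SiteList.xml") == 0;
}

int main(void)
{
    /* The boundary: 246 'A's joins to exactly 259 chars + NUL; 247 overflows
     * the second buffer although the first copy would still have fit. */
    size_t lengths[] = { 6, 246, 247, 259, 260, 1000 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("dir of %4zu wide chars -> status %d\n",
               lengths[i], (int)check_site_dir_of_length(lengths[i]));
    return site_list_path_demo_ok() ? 0 : 1;
}
```

The two-stage check is the point: a length check on the input alone (stage 1) is not enough once a fixed suffix is appended into a buffer of the same size, which is why the advisory reports the swprintf as a second overflow in the same function. The /GS cookie visible in both listings (var_4 and [ebp-14h]) is only verified at function return; it is a mitigation, not a substitute for the bound.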



Solution:
    
    McAfee has released two patches, with accompanying advisories, available at:

    https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612495
    https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&sliceId=SAL_Public&externalId=612496



Disclosure Timeline:

    2006.12.19		Submitted vul1 and vul2 via security-alerts at mcafee.com
    2006.12.19		Vendor responded
    2006.12.30		Submitted vul3 via security-alerts at mcafee.com
    2006.12.30		Vendor responded
    2007.03.12		Vendor notified us that the patches were complete
    2007.03.13		Coordinated public disclosure



Disclaimer:

    Although Fortinet has attempted to provide accurate information in
these materials, Fortinet assumes no legal responsibility for the
accuracy or completeness of the information. More specific information
is available on request from Fortinet. Please note that Fortinet's
product information does not constitute or contain any guarantee,
warranty or legally binding representation, unless expressly
identified as such in a duly signed writing.


Fortinet Security Research
secresearch at fortinet.com
http://www.fortinet.com

Best Regards,

|References

Source: VU#714593
Name: VU#714593
Link: http://www.kb.cert.org/vuls/id/714593
Source: knowledge.mcafee.com
Link: https://knowledge.mcafee.com/article/26/612496_f.SAL_Public.html
Source: knowledge.mcafee.com
Link: https://knowledge.mcafee.com/article/25/612495_f.SAL_Public.html
Source: BID
Name: 22952
Link: http://www.securityfocus.com/bid/22952
Source: VUPEN
Name: ADV-2007-0931
Link: http://www.frsirt.com/english/advisories/2007/0931
Source: SECUNIA
Name: 24466
Link: http://secunia.com/advisories/24466
Source: FULLDISC
Name: 20070314 [Advisory] McAfee ePolicy Orchestrator Multiple Remote Buffer Overflow Vulnerabilities
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-March/052960.html
Source: SECTRACK
Name: 1017757
Link: http://www.securitytracker.com/id?1017757
Source: SREASON
Name: 2444
Link: http://securityreason.com/securityalert/2444