[RT-SA-2014-001] McAfee ePolicy Orchestrator: XML External Entity Expansion in Dashboard
Advisory: McAfee ePolicy Orchestrator XML External Entity Expansion in
Dashboard

RedTeam Pentesting identified an XML external entity expansion
vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature.
Users with the ability to create new dashboards in the ePO web interface
who exploit this vulnerability can read local files on the ePO server,
including sensitive data like the ePO database configuration.


Details
=======

Product: McAfee ePolicy Orchestrator
Affected Versions: 4.6.7 and below
Fixed Versions: 4.6.7 + hotfix 940148
Vulnerability Type: XML External Entity Expansion
Security Risk: high
Vendor URL: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
Vendor Status: hotfix released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-001
Advisory Status: public
CVE: GENERIC-MAP-NOMATCH
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

McAfee ePO allows administrators to centrally manage other systems,
including deploying new software and collecting system information.
Dashboards allow privileged users to view statistics and current data
about ePO and associated systems.


More Details
============

Users with access to McAfee ePO's web interface can be granted the
permission to add new dashboards. Dashboard definitions can be exported
as XML data and imported again. A basic XML dashboard definition looks
as follows:

<dashboard id="1">
<name>RedTeam Pentesting</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>

Importing a dashboard consists of uploading the XML data and confirming
the import afterwards. On the confirmation page the dashboard's name
defined in the XML tag "name" is shown.

The ePO system accepts a user-defined DTD in the XML data, which can
declare additional entities that the system then expands. The following
example results in a dashboard with the name "RedTeam Pentesting
Entity":

<?xml version="1.0"?>
<!DOCTYPE dashboard [
<!ENTITY redteam "RedTeam Pentesting Entity">
]>
<dashboard id="1">
<name>&redteam;</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>

It is also possible to specify external entities that, for example,
point to local files on the ePO server. The entity is then expanded to
contain the file's content. This works as long as the file's contents
do not make the resulting XML data invalid; binary data or files that
themselves contain XML, for example, cannot be read this way.

If the entity is used in the dashboard's name, the confirmation page
shown when importing a dashboard displays the contents of the file.

The following example XML data can be uploaded to read the file
C:\boot.ini:

<?xml version="1.0"?>
<!DOCTYPE dashboard [
<!ENTITY redteam SYSTEM "file:///c:/boot.ini">
]>
<dashboard id="1">
<name>&redteam;</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>

It is also possible to get directory listings by using a file URL that
points to a directory, for example the C: drive:

<!ENTITY redteam SYSTEM "file:///c:/">
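Added example, not part of the advisory and not McAfee's or RedTeam Pentesting's code: a Python parser for the dashboard format shown above that refuses the DTD constructs this vulnerability depends on. Python is an assumption here (ePO itself is Java based); the technique carries over to any parser that exposes DOCTYPE and entity-declaration hooks. The element names (dashboard, name, filteringEnabled) and the three sample documents are taken from this advisory; the function names and the allow_internal_dtd switch are this example's own. In strict mode any DOCTYPE is rejected before an entity can be declared. In the relaxed mode an internal entity such as the "RedTeam Pentesting Entity" example still expands, while a SYSTEM or PUBLIC entity is rejected at declaration time, so a file URL never reaches the resolver.

```python
import xml.parsers.expat as expat


class DashboardRejected(Exception):
    """Raised when an uploaded dashboard definition uses a DTD construct we refuse."""


def parse_dashboard(xml_text, allow_internal_dtd=False):
    """Parse one <dashboard> definition with entity expansion locked down.

    Default (strict): any DOCTYPE is rejected, so no entity can be declared.
    allow_internal_dtd=True: a DOCTYPE with internal (value-bearing) entities
    is accepted, but external (SYSTEM/PUBLIC) entities and external DTD
    subsets are rejected before expat could resolve them.
    Returns {"id": ..., "name": ..., "filteringEnabled": bool}.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")

    parser = expat.ParserCreate()
    result = {"id": None, "name": "", "filteringEnabled": False}
    stack = []                                   # open element names, innermost last
    text = {"name": [], "filteringEnabled": []}  # character data collected per field

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        if not allow_internal_dtd:
            raise DashboardRejected("DOCTYPE not permitted: %s" % doctype_name)
        if system_id is not None or public_id is not None:
            raise DashboardRejected("external DTD subset not permitted")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat passes value=None for external entities and a string for internal ones
        if not allow_internal_dtd or value is None:
            raise DashboardRejected("entity declaration not permitted: %s" % name)

    def on_external_ref(context, base, system_id, public_id):
        # second line of defence: never resolve anything external
        raise DashboardRejected("external entity reference not permitted: %s" % system_id)

    def on_start(name, attrs):
        stack.append(name)
        if name == "dashboard":
            result["id"] = attrs.get("id")

    def on_end(name):
        stack.pop()

    def on_chars(data):
        # character data may arrive in several chunks; collect it per field
        if stack and stack[-1] in text:
            text[stack[-1]].append(data)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars

    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as err:
        # covers e.g. an undefined entity reference once the DOCTYPE was refused
        raise DashboardRejected("malformed XML: %s" % err)

    result["name"] = "".join(text["name"])
    result["filteringEnabled"] = "".join(text["filteringEnabled"]).strip().lower() == "true"
    return result


def classify(xml_text, allow_internal_dtd=False):
    """Return ("accepted", parsed) or ("rejected", reason) for one upload."""
    try:
        return ("accepted", parse_dashboard(xml_text, allow_internal_dtd))
    except DashboardRejected as err:
        return ("rejected", str(err))


# The three dashboard definitions from the advisory, embedded as inputs.
PLAIN = """<dashboard id="1">
<name>RedTeam Pentesting</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>"""

INTERNAL_ENTITY = """<?xml version="1.0"?>
<!DOCTYPE dashboard [
<!ENTITY redteam "RedTeam Pentesting Entity">
]>
<dashboard id="1">
<name>&redteam;</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>"""

EXTERNAL_ENTITY = """<?xml version="1.0"?>
<!DOCTYPE dashboard [
<!ENTITY redteam SYSTEM "file:///c:/boot.ini">
]>
<dashboard id="1">
<name>&redteam;</name>
<filteringEnabled>false</filteringEnabled>
</dashboard>"""

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("internal entity", INTERNAL_ENTITY),
                          ("external entity", EXTERNAL_ENTITY)):
        print(label, "strict: ", classify(sample))
        print(label, "relaxed:", classify(sample, allow_internal_dtd=True))
```

Rejecting at the declaration rather than at the reference is the point: a parser that merely skips an unresolvable external entity would still accept the upload and leave the name empty, whereas refusing the declaration fails the import loudly. For an import feature like this one, strict mode is the sensible default, since a dashboard definition has no legitimate need for a DOCTYPE at all.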


Workaround
==========

RedTeam Pentesting is not aware of any workarounds.


Fix
===

McAfee has issued a hotfix[0] for version 4.6.7 that removes the
vulnerability. An upgrade to the newer 5.x branch of the product will
also resolve this problem.


Security Risk
=============

The vulnerability is mitigated by the fact that users already need valid
login credentials for the ePO system and the permission to create
dashboards for a successful exploitation.

It is nevertheless considered to pose a high risk, as it allows
attackers to read potentially sensitive file contents on the server.
This includes, for example, ePO's database credentials, which are
typically stored in a file at a path like the following:

C:\programs\mcafee\epolicy orchestrator\server\conf\orion\db.properties

The credentials in this file are encrypted with a static key that is
publicly known and included for example in Metasploit[1].

Depending on the actual network structure, it might be possible to use
the decrypted credentials to read and alter the information in the ePO
database. This might lead to a compromise of the clients that are
managed by ePO.


Timeline
========

2013-11-20 Vulnerability identified
2013-11-22 Customer decided to coordinate disclosure with vendor
2014-02-14 Vendor replied to customer
2014-02-24 Vendor released hotfix for version 4.6.7 and a public
Security Bulletin[0]
2014-02-25 Advisory released


References
==========

[0] https://kc.mcafee.com/corporate/index?page=content&id=SB10065
[1] https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/epo_sql.rb


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests (pentests for
short), performed by a team of specialised IT security experts. These
uncover security weaknesses in company networks or products so that
they can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance public knowledge through research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH                 Tel.: +49 241 510081-0
Dennewartstr. 25-27                     Fax : +49 241 510081-99
52068 Aachen                            https://www.redteam-pentesting.de
Germany                                 Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen