Format string in McAfee Framework 3.6.0.569 (ePolicy Orchestrator 4.0)

To: bugtraq@xxxxxxxxxxxxxxxxx, news@xxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx, packet@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Format string in McAfee Framework 3.6.0.569 (ePolicy Orchestrator 4.0)
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
Date: Wed, 12 Mar 2008 20:33:28 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#######################################################################

                             Luigi Auriemma

Application:  McAfee Framework
              (implemented in McAfee ePolicy Orchestrator 4.0
              
http://www.mcafee.com/us/enterprise/products/system_security_management/epolicy_orchestrator.html)
Versions:     <= 3.6.0.569
Platforms:    Windows
Bug:          format string in _naimcomn_Log
Exploitation: remote
Date:         12 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


McAfee Framework is a framework used for building various services for
the McAfee products.
These services include HTTP servers and agents implemented, for
example, in McAfee ePolicy Orchestrator and possibly other products.


#######################################################################

======
2) Bug
======


The logDetail function of applib.dll (which is just a link to
naimcomn_LogDetailW -> _naimcomn_Log in nailog2.dll) is used for adding
new log entries and is affected by a format string vulnerability caused
by the calling of vsnwprintf without the needed format argument.

In McAfee ePolicy Orchestrator this vulnerability can be exploited
through the sending of a simple UDP packet with a malformed sender,
package or computer field. The output log file Agent_HOSTNAME.log is
located in the Db folder.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/meccaffi.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

Prev by Date: [ GLSA 200803-21 ] Sarg: Remote execution of arbitrary code
Next by Date: rPSA-2008-0108-1 dovecot
Previous by thread: [ GLSA 200803-21 ] Sarg: Remote execution of arbitrary code
Next by thread: Re: Format string in McAfee Framework 3.6.0.569 (ePolicy Orchestrator 4.0)
Index(es):
- Date
- Thread