McAfee Firewall Reporter isValidClient Authentication Bypass

2011-06-03T00:00:00
ID SAINT:4EB89E5E2C7A66A9E17C8A72F7FB5263
Type saint
Reporter SAINT Corporation
Modified 2011-06-03T00:00:00

Description

Added: 06/03/2011
BID: 47306
OSVDB: 71842

Background

McAfee Firewall Reporter is an enterprise-class security event management (SEM) reporting solution.

Problem

McAfee Firewall Reporter versions 5.1.0.6 through 5.1.0.12 are vulnerable to an authentication bypass that may allow remote attackers to upload files to the server. Attackers may then be able to execute the uploaded files as arbitrary code.

Resolution

Upgrade to McAfee Firewall Reporter version 5.1.0.13 or later.

References

<https://kc.mcafee.com/corporate/index?page=content&id=SB10015>
<http://www.zerodayinitiative.com/advisories/ZDI-11-117/>
<http://secunia.com/advisories/44110/>

Limitations

This exploit has been tested against McAfee Firewall Reporter 5.1.0.6 on Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP2 (DEP OptOut).
The exploit creates two files on the server that persist after the shell connection is terminated: c:\exploit.exe and /cgi-bin/exploit.cgi. These files should be removed manually after successful exploitation.

Platforms

Windows