Skip to content
cyberexploits
remotewindowstext

McAfee ePolicy Orchestrator 4.6.0 < 4.6.5 - 'ePowner' Multiple Vulnerabilities

McAfee ePolicy Orchestrator 4.6.0 < 4.6.5 - 'ePowner' Multiple Vulnerabilities

Publié le 2014-04-28

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/windows/remote/33071.txt7eac4c3a
raw
# Exploit Title: McAfee ePolicy Orchestrator 4.6.0-4.6.5 (ePowner) - Multiple vulnerabilities

# Date: 20 November 2012

# Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)

# Vendor Homepage: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx

# Version: 4.6.0 -> 4.6.5

# Tested on: Windows 2003/2008

# CVE : CVE-2013-0140 , CVE-2013-0141

# More info on: http://funoverip.net/?p=1685 & https://github.com/funoverip/epowner



PoC: 

v0.2.1- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/33071-2.tar.gz (epowner-0.2.1.zip)



=====================================================================================================

 INTRODUCTION

=====================================================================================================



- In short, this tool registers a rogue agent on the ePo server and then takes advantage of the 

  following vulnerabilities to perform multiple actions :



	- CVE-2013-0140 : Pre-auth SQL Injection

	- CVE-2013-0141 : Pre-auth Directory Path Traversal



- The tool manages the following actions, called "mode" :



     -r, --register          Register a new agent on the ePo server (it's free)

     --check                 Check the SQL Injection vunerability

     --add-admin             Add a new web admin account into the DB

     --readdb                Retrieve various information from the database

     --get-install-path      Retrieve the installation path of ePo software (needed for other modes)

     --ad-creds              Retrieve and decrypt cached domain credentials from ePo database.

     --wipe                  Wipe our traces from the database and file system

     --srv-exec              Perform remote command execution on the ePo server

     --srv-upload            Upload files on the ePo server

     --cli-deploy            Deploy commands or softwares on clients





- It is strongly advised to read the manual which explains how to use these modes (see below). 

  But basically, your two first actions must be :



	1) Register a rogue agent using '--register'



	2) Setup Remote Code execution using '--srv-exec --wizard'

	   



- Usage examples are provided at the end of this file. It is recommended to read the doc before

  any of usage of them.



- You may find a vulnerable version of the ePo software on my blog. Deploy 2 VMs (eposrv + epocli) and

  test it !



- The tool was developed/tested on Backtrack 5r3, Kali Linux 1.0.6 and Ubuntu 12.04. 

  It won't work under Windows due to linux tools dependencies.

  . ePolicy Orchestrator was running on Win2003 and Win2003 R2

  . The managed station were running on WinXPsp3 and Win7
Voir sur GitHub