####################################################################### Luigi Auriemma Application: McAfee Framework (implemented in McAfee ePolicy Orchestrator 4.0 http://www.mcafee.com/us/enterprise/products/system_security_management/ epolicy_orchestrator.html) Versions: <= 3.6.0.569 Platforms: Windows Bug: format string in _naimcomn_Log Exploitation: remote Date: 12 Mar 2008 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== McAfee Framework is a framework used for building various services for the McAfee products. These services include HTTP servers and agents implemented, for example, in McAfee ePolicy Orchestrator and possibly other products. ####################################################################### ====== 2) Bug ====== The logDetail function of applib.dll (which is just a link to naimcomn_LogDetailW -> _naimcomn_Log in nailog2.dll) is used for adding new log entries and is affected by a format string vulnerability caused by the calling of vsnwprintf without the needed format argument. In McAfee ePolicy Orchestrator this vulnerability can be exploited through the sending of a simple UDP packet with a malformed sender, package or computer field. The output log file Agent_HOSTNAME.log is located in the Db folder. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/meccaffi.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org