17th Mar 2003 [SBWID-6071]
McAfee ePolicy Orchestrator Format String Vulnerability
McAfee ePolicy Orchestrator 2.5.1
Advisory Name: ePolicy Orchestrator Format String Vulnerability
Release Date: 03/17/2003
Application: McAfee ePolicy Orchestrator 2.5.1
Platform: Windows 2000 Server SP1
Windows 2000 Pro SP1
Severity: There is a format string vulnerability
that leads to the remote execution of code as
Authors: Ollie Whitehouse [[email protected]]
Andreas Junestam [[email protected]]
Vendor Status: Vendor has patch available
CVE Candidate: CAN-2002-0690
The ePolicy Orchestrator Agent is a service that allows the
retrieval of log data. It should be noted that the Agent does not
require password authentication to gain access and allows the retrieval
of sensitive information (i.e. the source AV server, local paths etc.).
By default the agent runs as SYSTEM on the host and thus can be used to
either elevate local privileges or remotely compromise the host.
The ePO agent uses the HTTP protocol to communicate on port 8081.
Sending a GET request with a request string containing a few format
string characters will cause the service to terminate. An event will be
written to the event log detailing the crash. A properly constructed
malicious string containing format string characters will allow the
execution of arbitrary code.
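As an added example that is not part of the advisory, the following Python scanner flags request lines sent to the agent's port (8081) that carry printf-style conversion specifiers, the pattern a defender would look for in proxy or IDS logs while the host is unpatched; the log line format and the sample lines are constructed for illustration.

```python
import re

# Constructed sample of request lines as a proxy/IDS might record them
# (not a real ePO agent log). Format: src -> dst:port "request-line"
SAMPLE_LOG = """\
10.0.0.5 -> 10.0.0.20:8081 "GET /Agent_log HTTP/1.0"
10.0.0.5 -> 10.0.0.20:8081 "GET /%x%x%x%x HTTP/1.0"
10.0.0.9 -> 10.0.0.20:8081 "GET /%n HTTP/1.0"
10.0.0.7 -> 10.0.0.20:80 "GET /index.html?q=100%25 HTTP/1.0"
10.0.0.6 -> 10.0.0.20:8081 "GET /log?name=100%25 HTTP/1.0"
10.0.0.8 -> 10.0.0.20:8081 "GET /%s%s%s HTTP/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) "(?P<req>[^"]*)"$')

# printf-style conversion: %[argpos$][flags][width][.prec][len]conv
# A URL escape such as %25 or %20 has no trailing conversion letter and
# does not match; escapes like "%20d" can still match, so a single hit
# is not treated as suspicious on its own.
FMT_SPEC_RE = re.compile(
    r'%\d*\$?[-+ #0]*\d*(?:\.\d+)?[hlL]*[diouxXeEfgGcspn]')


def is_suspicious(request, port, epo_port=8081):
    """True when a request to the ePO agent port contains %n or
    two or more format specifiers (unusual in any legitimate path)."""
    if port != epo_port:
        return False
    specs = FMT_SPEC_RE.findall(request)
    return any(s.endswith('n') for s in specs) or len(specs) >= 2


def scan_log(text):
    """Return (source, request-line) pairs worth alerting on."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if is_suspicious(m['req'], int(m['port'])):
            hits.append((m['src'], m['req']))
    return hits


if __name__ == '__main__':
    for src, req in scan_log(SAMPLE_LOG):
        print(f'ALERT {src}: {req}')
```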
The vendor has made a patch available. It is not directly downloadable.
Call to request the patch. It is delivered via email. Contact
If you have a support contract and are eligible for the patch you
should request it and install it.
If you cannot patch, you should consider host based filtering so that
only the network management systems that need to communicate with the
hosts running ePO can connect on TCP port 8081. This requires a host