Talos is today disclosing TALOS-2016-0229 / CVE-2016-8027. This is an exploitable blind SQL injection vulnerability exists within McAfee's ePolicy Orchestrator 5.3.0 that is accessible without user authentication. A specially crafted HTTP POST can allow an attacker to alter a SQL query which can result in information disclosure from within the database, or can allow the impersonation of a McAfee agent, which could reveal specific information related to that McAfee agent. An attacker can use any HTTP client to trigger this vulnerability.

McAfee have published their advisory for this vulnerability here.

McAfee's ePolicy Orchestrator is a centralized security management suite that is used to manage McAfee Antivirus security policies throughout an organisation. This type of software can sometimes be known as an HBSS or Host-based Security System. It is used to manage a number of agents which are deployed in the enterprise and can be used to enforce defenses and software policies in a scalable manner.

McAfee's ePolicy Orchestrator is composed of a number of components. This consists of a load-balancer which is driven by Apache and extended via custom modules. The Console itself, which is based on Tomcat, is used by administrators to manage the entirety of the software. The last component are the agents themselves which are deployed on each client machine. The agents communicate over a proprietary protocol known as SPIPE to Apache which is then forwarded to the Console. This specific vulnerability is located within the application server and is reachable over SPIPE or via the Console directly.

Within the Tomcat server component, which is be reachable on port 8443 in default configurations, are a number of servlets which serve as the management component of the application.

The DataChannel servlet is actually mapped to a POST request received against "https:///receiveDataChannelMsg.dcp" and is implemented by the class "com.mcafee.epo.dataChannel.servlet.EPODataChannelServlet". This resource is normally not reachable without authentication, however there is another servlet that is responsible for forwarding requests to this servlet for an agent.

This servlet is the "com.mcafee.epo.dataChannel.servlet.redirect.EPODataChannelRedirectServlet" class and is mapped to "https:///dcRedirect/dataChannelMsg.dc". This resource will receive a POST request without authentication and then forward it to the "/receiveDataChannelMsg.dcp" for processing without needing authentication.

Once the POST request is received by the EPODataChannelServlet class, the following code will be executed. When calling the ProcessIncomingMessage function, this will eventually call the EPOBaseDataChannelData.unpackLittleEndian_DataPacket method.

This method will decode a structure from the POST's content which contains the message type, it's origin, and most importantly the Agent's GUID as well as some other fields. Afterwards this object will then get passed to the EPODataChannelMessagingService.receiveAgentMessage method, this is then forwarded to the DataChannelMessagingServiceInternal.receieveAgentMessage method. At this point the AgentGUID is used as the argument for information being called from EPOComputerService.getByAgentGUIDNoUserCheck method.

The vulnerability exists at this point, within the EPOComputerService class the getByAgentGUIDNoUserCheck method takes the provided AgentGUID and builds a query using the EPOComputerDataMapper class which is then executed over the jdbc connection. This results in a query being built ie:

select AutoID, Type, NodeName, ParentID, AgentPlatform, ResortEnabled, AgentGUID, SequenceErrorCount, SequenceErrorCountLastUpdate, SuperAgent, TenantId from [EPOLeafNode] where (AgentGUID = '%s')

The full details surrounding the vulnerability are available here.

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.