Thursday, February 2, 2017

Vulnerability Spotlight - McAfee ePolicy Orchestrator DataChannel Blind SQL Injection Vulnerability

Discovered by Cisco Talos


Talos is today disclosing TALOS-2016-0229 / CVE-2016-8027, an exploitable blind SQL injection vulnerability in McAfee's ePolicy Orchestrator 5.3.0 that is accessible without user authentication. A specially crafted HTTP POST can allow an attacker to alter a SQL query, which can result in information disclosure from within the database, or can allow the impersonation of a McAfee agent, which could reveal specific information related to that agent. An attacker can use any HTTP client to trigger this vulnerability.

McAfee have published their advisory for this vulnerability here.


McAfee's ePolicy Orchestrator is a centralized security management suite that is used to manage McAfee Antivirus security policies throughout an organisation. This type of software is sometimes known as an HBSS, or Host-Based Security System. It is used to manage a number of agents deployed across the enterprise and can be used to enforce defenses and software policies in a scalable manner.

McAfee's ePolicy Orchestrator is composed of a number of components. The first is a load balancer driven by Apache and extended via custom modules. The Console, which is based on Tomcat, is used by administrators to manage the entirety of the software. The last component is the agents themselves, which are deployed on each client machine. The agents communicate over a proprietary protocol known as SPIPE to Apache, which then forwards the traffic to the Console. This specific vulnerability is located within the application server and is reachable over SPIPE or via the Console directly.

Within the Tomcat server component, which is reachable on port 8443 in default configurations, are a number of servlets that serve as the management component of the application.

The DataChannel servlet is mapped to POST requests received at "https:///receiveDataChannelMsg.dcp" and is implemented by the class "com.mcafee.epo.dataChannel.servlet.EPODataChannelServlet". This resource is normally not reachable without authentication; however, there is another servlet that is responsible for forwarding requests to this servlet on behalf of an agent.

This servlet is the "com.mcafee.epo.dataChannel.servlet.redirect.EPODataChannelRedirectServlet" class and is mapped to "https:///dcRedirect/dataChannelMsg.dc". This resource accepts a POST request without authentication and then forwards it to "/receiveDataChannelMsg.dcp" for processing, without any authentication being required.

Once the POST request is received by the EPODataChannelServlet class, the following code is executed. Calling the ProcessIncomingMessage function eventually leads to a call to the EPOBaseDataChannelData.unpackLittleEndian_DataPacket method.

This method decodes a structure from the POST's content which contains the message type, its origin, and most importantly the agent's GUID, as well as some other fields. This object is then passed to the EPODataChannelMessagingService.receiveAgentMessage method, which forwards it to the DataChannelMessagingServiceInternal.receieveAgentMessage method. At this point the AgentGUID is used as the argument to the EPOComputerService.getByAgentGUIDNoUserCheck method.

The vulnerability exists at this point: within the EPOComputerService class, the getByAgentGUIDNoUserCheck method takes the provided AgentGUID and builds a query using the EPOComputerDataMapper class, which is then executed over the JDBC connection. This results in a query such as the following being built, with the AgentGUID substituted for %s:

select AutoID, Type, NodeName, ParentID, AgentPlatform, ResortEnabled, AgentGUID, SequenceErrorCount, SequenceErrorCountLastUpdate, SuperAgent, TenantId from [EPOLeafNode] where (AgentGUID = '%s') 
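To make the defect concrete, here is an added example (not code from the advisory or from McAfee) that models the query construction above in Python against an in-memory SQLite stand-in for EPOLeafNode, and places it beside a hardened lookup that allow-lists the GUID format and binds the value as a parameter. The table rows and the GUID regular expression are constructed for this example; the page does not state ePO's canonical GUID form.

```python
import re
import sqlite3

# Query shape quoted in the advisory: the AgentGUID is formatted straight into the SQL text.
VULNERABLE_TEMPLATE = (
    "select AutoID, Type, NodeName, ParentID, AgentPlatform, ResortEnabled, AgentGUID, "
    "SequenceErrorCount, SequenceErrorCountLastUpdate, SuperAgent, TenantId "
    "from [EPOLeafNode] where (AgentGUID = '%s')"
)

# Allow-list for the only shape a legitimate AgentGUID should take (an assumption of
# this example; ePO's exact canonical GUID format is not given on the page).
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

COLUMNS = ("AutoID integer", "Type integer", "NodeName text", "ParentID integer",
           "AgentPlatform text", "ResortEnabled integer", "AgentGUID text",
           "SequenceErrorCount integer", "SequenceErrorCountLastUpdate text",
           "SuperAgent integer", "TenantId integer")

def make_db():
    """Constructed in-memory stand-in for the EPOLeafNode table (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table EPOLeafNode (%s)" % ", ".join(COLUMNS))
    conn.executemany("insert into EPOLeafNode values (?,?,?,?,?,?,?,?,?,?,?)", [
        (1, 0, "WS-01", 0, "Windows", 1, "11111111-2222-3333-4444-555555555555", 0, None, 0, 1),
        (2, 0, "SRV-DB", 0, "Windows", 1, "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", 0, None, 1, 1),
    ])
    return conn

def build_vulnerable_query(agent_guid):
    """Mirror of the getByAgentGUIDNoUserCheck pattern: untrusted text becomes SQL."""
    return VULNERABLE_TEMPLATE % agent_guid

def run_vulnerable(conn, agent_guid):
    """Execute the formatted statement. None means the supplied value changed the
    statement's structure (here it merely breaks parsing; a blind injection relies
    on exactly this control over the statement text)."""
    try:
        return conn.execute(build_vulnerable_query(agent_guid)).fetchall()
    except sqlite3.Error:
        return None

def lookup_agent_safe(conn, agent_guid):
    """Hardened form: reject anything that is not GUID-shaped, then bind the value."""
    if not GUID_RE.fullmatch(agent_guid):
        return None
    return conn.execute(
        "select AutoID, NodeName, AgentGUID from EPOLeafNode where AgentGUID = ?",
        (agent_guid,),
    ).fetchone()
```

With a well-formed GUID both paths return the same host; with a single quote appended, the formatted path hands the quote to the SQL parser while the hardened path rejects the value before it reaches the database.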

The full details surrounding the vulnerability are available here.

Known vulnerable versions 

McAfee's ePolicy Orchestrator 5.3.0


Applications that manage software at scale, such as McAfee ePO, provide a single point of configuration. This is particularly relevant to organisations whose IT and security administrators are geographically dispersed. Vulnerabilities like this one can give an attacker deep insight into the organisation without requiring any privileged access to centralised platforms such as Active Directory; with this access an attacker can passively profile users and the infrastructure. Talos will continue to triage and analyse new bugs whilst maintaining a relationship with any product vendor, open source initiative or individual in an attempt to ensure that the safety of consumers and the people using the internet is maintained.


The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or

Snort Rule: 411410
