McAfee ePolicy Orchestrator 4.6.0 < 4.6.5 - 'ePowner' Multiple Vulnerabilities

EDB-ID:

33071

CVE:

2013-0140

EDB Verified:

Author:

st3n

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2014-04-28

Vulnerable App: 
# Exploit Title: McAfee ePolicy Orchestrator 4.6.0-4.6.5 (ePowner) - Multiple vulnerabilities
# Date: 20 November 2012
# Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)
# Vendor Homepage: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
# Version: 4.6.0 -> 4.6.5
# Tested on: Windows 2003/2008
# CVE : CVE-2013-0140 , CVE-2013-0141
# More info on: http://funoverip.net/?p=1685 & https://github.com/funoverip/epowner

PoC: 
v0.2.1- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33071-2.tar.gz (epowner-0.2.1.zip)

=====================================================================================================
 INTRODUCTION
=====================================================================================================

- In short, this tool registers a rogue agent on the ePo server and then takes advantage of the 
  following vulnerabilities to perform multiple actions :

	- CVE-2013-0140 : Pre-auth SQL Injection
	- CVE-2013-0141 : Pre-auth Directory Path Traversal

- The tool manages the following actions, called "mode" :

     -r, --register          Register a new agent on the ePo server (it's free)
     --check                 Check the SQL Injection vunerability
     --add-admin             Add a new web admin account into the DB
     --readdb                Retrieve various information from the database
     --get-install-path      Retrieve the installation path of ePo software (needed for other modes)
     --ad-creds              Retrieve and decrypt cached domain credentials from ePo database.
     --wipe                  Wipe our traces from the database and file system
     --srv-exec              Perform remote command execution on the ePo server
     --srv-upload            Upload files on the ePo server
     --cli-deploy            Deploy commands or softwares on clients


- It is strongly advised to read the manual which explains how to use these modes (see below). 
  But basically, your two first actions must be :

	1) Register a rogue agent using '--register'

	2) Setup Remote Code execution using '--srv-exec --wizard'
	   

- Usage examples are provided at the end of this file. It is recommended to read the doc before
  any of usage of them.

- You may find a vulnerable version of the ePo software on my blog. Deploy 2 VMs (eposrv + epocli) and
  test it !

- The tool was developed/tested on Backtrack 5r3, Kali Linux 1.0.6 and Ubuntu 12.04. 
  It won't work under Windows due to linux tools dependencies.
  . ePolicy Orchestrator was running on Win2003 and Win2003 R2
  . The managed station were running on WinXPsp3 and Win7
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services