CVE-2008-1357 - Use of Externally-Controlled Format String vulnerability in McAfee products

047910
CVSS 5.4 - MEDIUM
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE

Tags: network, high complexity, mcafee, CWE-134, nessus, exploit available

Summary

Format string vulnerability in the logDetail function of applib.dll in McAfee Common Management Agent (CMA) 3.6.0.574 (Patch 3) and earlier, as used in ePolicy Orchestrator 4.0.0 build 1015, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via format string specifiers in a sender field in an AgentWakeup request to UDP port 8082. NOTE: this issue only exists when the debug level is 8.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location, expecting that location to hold a string, and the formatting character %n writes the number of characters output so far into a memory location. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
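The pattern described in the summary and in the CAPEC entries above, as an added C example that is neither McAfee's code nor CAPEC's: a hypothetical logging helper that passes the untrusted sender text straight to snprintf as the format string (the CWE-134 defect), beside the hardened form that keeps a fixed format literal, and a small defensive check that counts conversion specifiers in an untrusted field. The function names, the "AgentWakeup from" text and the sample sender values are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not McAfee's or CAPEC's code: the CWE-134 pattern behind
 * CVE-2008-1357 shown on a hypothetical logging helper, beside its fix and a
 * defensive check. Function names and the "AgentWakeup from" text are
 * assumptions made for this example. */

/* Vulnerable form: the untrusted sender text *is* the format string, so any
 * %-specifiers it carries are interpreted by snprintf. Modern compilers flag
 * this call under -Wformat-security. */
int log_detail_unsafe(char *out, size_t n, const char *sender)
{
    return snprintf(out, n, sender);
}

/* Hardened form: a fixed format literal; the untrusted text is only ever
 * consumed as the argument of %s and is never interpreted. */
int log_detail_safe(char *out, size_t n, const char *sender)
{
    return snprintf(out, n, "AgentWakeup from %s", sender);
}

/* Defensive check for input validation or log monitoring: count conversion
 * specifiers in an untrusted field. "%%" is a literal percent and is not
 * counted; a non-zero result on a sender name is a red flag. */
int count_format_specifiers(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent sign, skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Render "sender" through either helper and report whether the output
 * equals "expected" (1) or not (0). Only formats that consume no arguments
 * may be fed to the unsafe helper here; anything else is undefined
 * behaviour, which is exactly the bug. */
int renders_as(int hardened, const char *sender, const char *expected)
{
    char buf[128];
    if (hardened)
        log_detail_safe(buf, sizeof buf, sender);
    else
        log_detail_unsafe(buf, sizeof buf, sender);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: a benign sender name containing an escaped
     * percent, and a hostile one of the kind the summary describes. */
    const char *benign  = "agent01%%";
    const char *hostile = "agent01 %s%s%n";

    printf("unsafe helper rewrites %%%% -> %% : %d\n",
           renders_as(0, benign, "agent01%"));
    printf("safe helper keeps the text intact: %d\n",
           renders_as(1, benign, "AgentWakeup from agent01%%"));
    printf("specifiers in hostile sender: %d\n",
           count_format_specifiers(hostile));
    return 0;
}
```

The benign input already shows the difference: the unsafe helper consumes the "%%" and emits a single percent sign, while the hardened helper logs the text verbatim. With the hostile input the unsafe helper would read stack slots for the two %s and write through a pointer for %n, which is why the example never passes it there. The same fixed-format discipline applies to the wide-character vsnwprintf() named in the Nessus description.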

Exploit-Db

description: McAfee Framework ePolicy 3.x Orchestrator '_naimcomn_Log' Remote Format String Vulnerability. CVE-2008-1357. DoS exploit for Windows platform
id: EDB-ID:31399
last seen: 2016-02-03
modified: 2008-03-12
published: 2008-03-12
reporter: Luigi Auriemma
source: https://www.exploit-db.com/download/31399/
title: McAfee Framework ePolicy 3.x - Orchestrator '_naimcomn_Log' Remote Format String Vulnerability

Nessus

  • NASL family: CGI abuses
    NASL id: MCAFEE_CMA_3_6_0_595.NASL
    description: According to its banner, the version of McAfee Common Management Agent (CMA) running on the remote host is prior to 3.6.0.595. It is, therefore, affected by a flaw in the logDetail() function of applib.dll due to calling vsnwprintf() without the needed format string argument. An unauthenticated, remote attacker can exploit this, via a specially crafted UDP packet, to cause a denial of service condition or the execution of arbitrary code. This issue only occurs when the debug level is set to 8 (the highest level but not the default). Note that Nessus has not checked the debug level setting, only the version number in the agent's banner.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31732
    published: 2008-04-03
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31732
    title: McAfee Common Management Agent < 3.6.0.595 UDP Packet Handling Format String
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31732);
      script_version("1.25");
      script_cvs_date("Date: 2018/11/15 20:50:17");
    
      script_cve_id("CVE-2008-1357");
      script_bugtraq_id(28228);
      script_xref(name:"Secunia", value:"29337");
      script_xref(name:"EDB-ID", value:"31399");
    
      script_name(english:"McAfee Common Management Agent < 3.6.0.595 UDP Packet Handling Format String");
      script_summary(english:"Checks the version of McAfee CMA.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A security management service running on the remote host is affected
    by a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of McAfee Common Management Agent
    (CMA) running on the remote host is prior to 3.6.0.595. It is,
    therefore, affected by a flaw in the logDetail() function of
    applib.dll due to calling vsnwprintf() without the needed format
    string argument. An unauthenticated, remote attacker can exploit this,
    via a specially crafted UDP packet, to cause a denial of service
    condition or the execution of arbitrary code. This issue only occurs
    when the debug level is set to 8 (the highest level but not the
    default). Note that Nessus has not checked the debug level setting,
    only the version number in the agent's banner.");
      script_set_attribute(attribute:"see_also", value:"http://aluigi.altervista.org/adv/meccaffi-adv.txt");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/489476/100/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Apply Hotfix BZ398370 Build 595 for McAfee Common Management Agent
    version 3.6.0 Patch 3.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:W/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(134);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/03");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:common_management_agent");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:epolicy_orchestrator");
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      script_dependencies("mcafee_cma_detect.nasl");
      script_require_ports("Services/www", 8081);
      script_require_keys("Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    # nb: only run the check if reporting is paranoid since we
    #     can't determine the log level setting remotely.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    appname = "McAfee Agent";
    port = get_http_port(default:8081, embedded: 1);
    
    install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);
    ver = install['version'];
    
    ver_fields = split(ver, sep:'.', keep:FALSE);
    major = int(ver_fields[0]);
    minor = int(ver_fields[1]);
    rev = int(ver_fields[2]);
    update = int(ver_fields[3]);
    
    fix = '';
    
    # There's a problem if the version is under 3.6.0.595.
    if (major < 3 ||
       (major == 3 && minor < 6) ||
       (major == 3 && minor == 6 && rev == 0 && update < 595))
      fix = '3.6.0.595';
    
    if(fix != '')
    {
    
      report =
        '\n  Installed Version : ' + ver +
        '\n  Fixed Version     : ' + fix + '\n';
      security_report_v4(severity:SECURITY_HOLE, port:port, extra:report);
    
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "McAfee Common Management Agent", port, ver);
    
  • NASL family: Windows
    NASL id: MCAFEE_CMA_3_6_0_595_CREDS.NASL
    description: The remote host is running a Common Management Agent, a component of the ePolicy Orchestrator system security management solution from McAfee. The version of the Common Management Agent on the remote host is earlier than 3.6.0.595 and, as such, contains a format string vulnerability. If configured with a debug level of 8 (its highest level but not the default), an unauthenticated, remote attacker may be able to leverage this issue by sending a specially crafted UDP packet to the agent broadcast port to crash the service or even execute arbitrary code on the affected host.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31733
    published: 2008-04-03
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31733
    title: McAfee Common Management Agent 3.6.0 UDP Packet Handling Format String (credentialed check)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31733);
      script_version("1.19");
      script_cvs_date("Date: 2018/11/15 20:50:27");
    
      script_cve_id("CVE-2008-1357");
      script_bugtraq_id(28228);
      script_xref(name:"Secunia", value:"29337");
    
      script_name(english:"McAfee Common Management Agent 3.6.0 UDP Packet Handling Format String (credentialed check)");
      script_summary(english:"Checks version of McAfee CMA");
    
      script_set_attribute(attribute:"synopsis", value:
    "A remote service is affected by a format string vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote host is running a Common Management Agent, a component of
    the ePolicy Orchestrator system security management solution from
    McAfee. 
    
    The version of the Common Management Agent on the remote host is earlier
    than 3.6.0.595 and, as such, contains a format string vulnerability.  If
    configured with a debug level of 8 (its highest level but not the
    default), an unauthenticated, remote attacker may be able to leverage
    this issue by sending a specially crafted UDP packet to the agent
    broadcast port to crash the service or even execute arbitrary code on
    the affected host.");
      script_set_attribute(attribute:"see_also", value:"http://aluigi.altervista.org/adv/meccaffi-adv.txt");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/489476/100/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Apply Hotfix BZ398370 Build 595 for Common Management Agent 3.6.0 Patch
    3.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(134);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2008/03/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/14");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:common_management_agent");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mcafee:epolicy_orchestrator");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      script_dependencies("mcafee_cma_installed.nbin");
      script_require_keys("installed_sw/McAfee Agent");
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    appname = "McAfee Agent";
    
    install = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);
    
    loglevel = install['Log Level'];
    
    # check log level unless running paranoid scan
    if (report_paranoia < 2)
      if (isnull(loglevel) || loglevel < 8) audit(AUDIT_PARANOID);
    
    ver  = install['version'];
    path = install['path'];
    
    fix = "3.6.0.595";
    
    if (ver_compare(ver:ver, fix:fix, strict:FALSE) == -1)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      if (report_verbosity > 0)
      {
        report =
          '\n  Path              : ' + path +
          '\n  Installed version : ' + ver +
          '\n  Fixed version     : ' + fix +
          '\n';
    
        if (report_paranoia > 1)
        {
          report +=
          '\nNote, though, that Nessus did not check the value of the debug level' +
          '\nbecause of the Report Paranoia setting in effect when this scan was' +
          '\nrun.\n';
        }
        else
        {
          report +=
          '\nMoreover, Nessus has verified the debug level currently is set to ' + loglevel + '.\n';
        }
        security_warning(port:port, extra:report);
      }
      else security_warning(port:port);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, appname, ver, path );