Juniper Networks

Signature Detail


Short Name: HTTP:MISC:MCAFFEE-SRV-HDR
Severity: Critical
Recommended: No
Recommended Action: Drop
Category: HTTP
Keywords: McAfee Server Header Overflow
Release Date: 2006/10/17
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: McAfee Server Header Overflow


This signature detects attempts to exploit a known vulnerability in several McAfee system security management products. The vulnerability is due to improper boundary checks when parsing HTTP request header fields. An unauthenticated remote attacker who exploits it successfully can execute arbitrary code with System-level privileges.

Extended Description

The HTTP server component of McAfee ePolicy Orchestrator and ProtectionPilot is prone to a remote stack-based buffer-overflow vulnerability that can lead to complete system compromise. This issue arises because the application fails to perform boundary checks before copying user-supplied data into sensitive process buffers. A successful attack may result in arbitrary code execution with SYSTEM privileges, leading to a full compromise. McAfee ePolicy Orchestrator 3.5.0 patch 5 and prior versions as well as ProtectionPilot 1.1.1 patch 2 and prior versions are vulnerable to this issue.

Affected Products

  • McAfee ePolicy Orchestrator 1.0.0
  • McAfee ePolicy Orchestrator 1.1.0
  • McAfee ePolicy Orchestrator 2.0.0
  • McAfee ePolicy Orchestrator 2.5.0
  • McAfee ePolicy Orchestrator 2.5.0 SP1
  • McAfee ePolicy Orchestrator 2.5.1
  • McAfee ePolicy Orchestrator 3.0.0
  • McAfee ePolicy Orchestrator 3.0.0 SP2a
  • McAfee ePolicy Orchestrator 3.5
  • McAfee ePolicy Orchestrator 3.5 patch 5
  • McAfee ProtectionPilot 1.1.0
  • McAfee ProtectionPilot 1.1.1
  • McAfee ProtectionPilot 1.1.1 patch 2

References

  • BugTraq: 20288
  • CVE: CVE-2006-5156
  • URL: http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049803.html
  • URL: http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=8611438&sliceId=SAL_Public&dialogID=2997768&stateId=0%200%202995803

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.