Exploit: McAfee ePolicy 0wner (ePowner) v0.1 – Release
UPDATE: Version 0.2 released on 29th of June 2014. Check out https://github.com/funoverip/epowner.
I received so many requests for this exploit code. Usually my response was something similar to: “Because the exploit can p0wn a whole network environment within 2 minutes (only by talking with the McAfee ePO server), and that vulnerable ePO servers are currently exposed on the Internet, I have to wait a little bit before releasing it” (problem of consciousness the doctor said…).
McAfee released a security patch on March 2013. So one year ago. Guess what, Internet servers are still vulnerable (come on.. really ?) I think that I did my job and waited long enough. I can’t save the planet every day.. Some companies will be magisterially owned but after the OpenSSL Heartbleed story, I don’t really care anymore. I consider these companies already compromised since a while ..
About the tool
- ePolicy 0wner (ePowner) can perform various actions against both the ePO server and the managed stations. The most exciting feature is “Software deployment” on the managed stations which can be used to upload and execute anything you like, on any windows boxes managed by the ePO server. On top of that, ePowner manages Remote Command Execution, Database Access, File upload and Cached password recovering (AD creds) on the ePO server.
- ePowner targets ePO versions 4.6.0 to 4.6.5. According to McAfee, ePO versions 4.5.x are also vulnerable but the tool does not support these versions (I never took the time to get a closer look for laziness reasons).
- The tool was developed/tested on Backtrack 5r3, Kali Linux 1.0.6 and Ubuntu 12.04. Windows is not supported.
- It’s Perl code but you are free to translate the 6000 Perl lines to python, ruby, cobol or even Java.. I won’t be offended.
- A video demonstration was first published here if you missed it.
- Slides that I’ve presented at OWASP Benelux 2013 and St’Hack 2014 about the vulnerabilities can be found here.
- Please: Install the needed dependencies and read the manual carefully before using it (See the README file).
- ePowner can be downloaded from https://github.com/funoverip/epowner.
- If you want to test ePowner, you may download and install this vulnerable ePO version (4.6.4) in your labs. Example: install an “ePO server” and at least one “managed station”. You can also deploy Agent handlers (kind of ePO proxies) to simulate complex environments. Try to p0wn them all.. :-)
The last words
Please remember that any actions and/or activities related to ePowner is solely your responsibility. Usage of ePowner for attacking (or testing) targets without prior mutual consent is illegal. As usual, be responsible. On top of that: enjoy !
© 2014, Fun Over IP. All rights reserved.