McAfee Virtual Technician ActiveX Control GetObject() Method Remote Command Execution (SB10028)
Severity: High
Nessus Plugin ID: 61719
Synopsis
An ActiveX control installed on the remote Windows host can be abused to execute arbitrary code.
Description
The remote Windows host has a version of the McAfee Virtual Technician / ePolicy Orchestrator ActiveX control that allows execution of arbitrary code. The 'GetObject()' method can be used to load any class on the underlying operating system. For example, by loading the 'WScript.Shell' class, an attacker can run arbitrary operating system commands.
An attacker who can trick a user on the affected host into viewing a specially crafted HTML document can leverage this issue to execute arbitrary commands on the affected system, subject to the user's privileges.
Solution
Upgrade to McAfee Virtual Technician 6.4 / ePolicy Orchestrator 1.0.8 or later.