Message-ID: <CAOJKFBCYCDWerkVAdjif8T7BN5_-iffbeLMui6ASnas1GoWKxw@mail.gmail.com>
Date: Tue, 3 Dec 2013 16:05:20 -0600
From: Brandon Perry <bperry.volatile@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: McAfee Email Gateway multiple vulns
McAfee Email Gateway 7.6 multiple vulnerabilities
http://www.mcafee.com/us/products/email-gateway.aspx -- Has free trial
Many SQL injection vulnerabilities were found that are reachable by an
unprivileged, read-only authenticated user and allow that user to completely
take over other users' accounts by using a stacked injection to run UPDATE
statements. Error-based, time-based, and boolean-based injection techniques
also work.
Several remote command execution vulnerabilities were found that are reachable
as an administrator and run as the local root user. By combining the SQL
injections with these, an unprivileged user can escalate privileges by
updating an administrator's password hash and ultimately run commands on the
server as root.
However, no data seems to be able to be exfiltrated via the command
injections. You may receive a connect back, but no commands can be run over
the connect-back. My solution to this was to pipe the results of commands
into a file in /tmp, then use the SQL injections to read the file from the
FS and return the results.
---------------------------------------------------
As a read-only user with reporting capabilities, many SQL injection vectors
exist when creating new reports based on filters. You can get to this part
of the web app by clicking the Reports menu item at the top-center. The
following request contains four exploitable SQL injections each exploitable
via a few different techniques:
POST /admin/cgi-bin/rpc/doReport/18 HTTP/1.1
Host: 172.31.16.87:10443
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/plain; charset=UTF-8
Referer: https://172.31.16.87:10443/admin/969bf547d36f6c7e4302952cf72a5ce3/en_US/html/index.html
Content-Length: 626
Cookie: SCMUserSettings=lastUser%3Dusername%26popcheck%3D1%26lang%3Den_US%26last_page_id%3Ddashboard; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3D616BF3CC-DA8B-401D-9220-ACED9A0FCD86
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{"id":"loadreport","locale":"en_US","commands":[{"name":"getDDSData","args":{"what":["events"],"filters":{"filter_period":"week","start_date":"Now","event_type":"ui_events","event_id":"all","reason":"all"},"date_range":"week","events_col":"edate","events_order":"DESC","events_offset":0,"events_nitems":50,"tz":480,"start_date":1385491876.405,"is_mail":false,"itemized_nitems":10,"itemized_offset":0,"emailstatus_nitems":50,"emailstatus_offset":0,"emailstatus_col":"edate","emailstatus_order":"DESC","dig_filters":[],"dig_category":"","dig_summarize":true,"init":true,"type":"ui_events"}}],"filterType":"system","autoconv":1}
Within the above request, the events_col, event_id, reason, events_order,
emailstatus_order, and emailstatus_col JSON keys are vulnerable to SQL
injection. You can capture the request with Burp Suite and alter each value
by adding an apostrophe to view the SQL error in the response. You can also
use sqlmap to try the various techniques for exploitability.
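The keys listed above fall into two groups that need different defences: filter values (event_id, reason) can be bound as query parameters, while column names and sort direction (events_col, events_order, emailstatus_col, emailstatus_order) cannot be parameterised in SQL at all and have to be matched against a fixed allowlist. The following is an added example, not code from the advisory or from McAfee, showing a report handler written that way; the table layout, column names and allowlists are assumptions chosen to fit the sample request, and the same validation doubles as a check that can be run over captured doReport bodies.

```python
import json
import sqlite3

# Allowlists for the identifier-position keys of the getDDSData command.
# The real column set of the report backend is not published in the advisory;
# these names are assumptions chosen to match the sample request.
ALLOWED_COLUMNS = {"edate", "event_id", "reason"}
ALLOWED_ORDERS = {"ASC", "DESC"}
FILTER_TOKEN_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")


class InvalidReportRequest(ValueError):
    """Raised when a report parameter falls outside what the handler accepts."""


def validate_identifier(value, allowed, field):
    # Column names and sort direction cannot be bound parameters, so the only
    # safe option is an exact match against a fixed set.
    if not isinstance(value, str) or value not in allowed:
        raise InvalidReportRequest("%s: %r is not an allowed value" % (field, value))
    return value


def validate_filter(value, field):
    # Filter keys accept "all" (no constraint), a non-negative integer id, or a
    # short alphanumeric token. The value is bound as a parameter anyway; the
    # shape check is defence in depth and makes stray apostrophes visible.
    if value == "all":
        return None
    if isinstance(value, bool):
        raise InvalidReportRequest("%s: booleans are not valid filters" % field)
    if isinstance(value, int) and value >= 0:
        return value
    if isinstance(value, str) and 0 < len(value) <= 32 and set(value) <= FILTER_TOKEN_CHARS:
        return value
    raise InvalidReportRequest("%s: %r is not 'all', an id, or a token" % (field, value))


def validate_count(value, field):
    # Paging values are bound parameters too, but must still be sane integers.
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise InvalidReportRequest("%s: %r is not a non-negative integer" % (field, value))
    return value


def build_events_query(args):
    """Return (sql, params) for the events view of a getDDSData command."""
    filters = args.get("filters", {})
    col = validate_identifier(args.get("events_col"), ALLOWED_COLUMNS, "events_col")
    order = validate_identifier(args.get("events_order"), ALLOWED_ORDERS, "events_order")
    where, params = [], []
    for field in ("event_id", "reason"):
        constraint = validate_filter(filters.get(field, "all"), field)
        if constraint is not None:
            where.append("%s = ?" % field)
            params.append(constraint)
    params.append(validate_count(args.get("events_nitems", 50), "events_nitems"))
    params.append(validate_count(args.get("events_offset", 0), "events_offset"))
    sql = "SELECT edate, event_id, reason FROM events"
    if where:
        sql += " WHERE " + " AND ".join(where)
    # col and order are safe to interpolate only because they passed the allowlist.
    sql += " ORDER BY %s %s LIMIT ? OFFSET ?" % (col, order)
    return sql, params


def is_valid_report(args):
    """True if the args would be accepted; usable as a log/WAF check too."""
    try:
        build_events_query(args)
        return True
    except InvalidReportRequest:
        return False


def parse_report_args(body_text, command="getDDSData"):
    """Pull the args of one command out of a doReport JSON body."""
    body = json.loads(body_text)
    for cmd in body.get("commands", []):
        if cmd.get("name") == command:
            return cmd.get("args", {})
    raise InvalidReportRequest("no %s command in body" % command)


# Constructed rows standing in for the real events table.
CONSTRUCTED_EVENTS = [(100, 1, "spam"), (200, 2, "virus"), (300, 1, "spam")]


def run_report(body_text):
    """Validate the body, build the query and run it against an in-memory table."""
    sql, params = build_events_query(parse_report_args(body_text))
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE events (edate INTEGER, event_id INTEGER, reason TEXT)")
    con.executemany("INSERT INTO events VALUES (?, ?, ?)", CONSTRUCTED_EVENTS)
    return con.execute(sql, params).fetchall()


# Constructed body in the shape of the request above, trimmed to the keys used here.
SAMPLE_BODY = json.dumps({
    "id": "loadreport", "locale": "en_US",
    "commands": [{"name": "getDDSData", "args": {
        "what": ["events"],
        "filters": {"filter_period": "week", "start_date": "Now",
                    "event_type": "ui_events", "event_id": "all", "reason": "all"},
        "events_col": "edate", "events_order": "DESC",
        "events_offset": 0, "events_nitems": 50}}],
    "filterType": "system", "autoconv": 1})

if __name__ == "__main__":
    for row in run_report(SAMPLE_BODY):
        print(row)
```

Rejecting rather than escaping is the point: an apostrophe in events_col is not something a report ever needs, so it is an error to surface (and to alert on), not a character to sanitise.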
------------------------------------------------------
Many remote command execution vulnerabilities exist for administrator
users. Every vector I found was being run as the root user and they all
exist within a single request. As an administrator, go to the System tab
in the top menu. You will be presented with general server settings. Remove
the last letter of the hostname, and replace it back. You will now have a
green checkmark in the top right of the web application. Click this, then
click OK on the dialog that pops up in the web app. The next captured
request will be the request susceptible to command execution. It is a very
large request with XML contained in JSON. Because this makes sense.
Within this XML, you may search for any XML element whose “name” attribute
contains TestFile. Each of these elements is susceptible to command
injection within the “value” attribute. These filenames seem to be passed
to a utility like ‘test’ to check whether the file exists. By using shell
metacharacters, you can execute arbitrary commands on the system as root.
The hostname within this request is also susceptible to command injection
via shell metacharacters.
You may also search for any XML element called Command. Each of these
elements contains a small command to be run on a given event. You may alter
any of these to be run as root.
You may also search for an XML element called Script. This is used to
manage the cron jobs (make sure the corresponding Enabled element is set to
“1” instead of “0”). You may alter or create any cron jobs that will be run
as root.
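The TestFile and hostname cases share one root cause: a configuration value is dropped into a shell command line, so the shell interprets any metacharacters in it. The fix is to never build a command line from the value at all, and to validate the value against the shape it is supposed to have before it is used. As an added example (not code from the advisory or from McAfee), the following checks a settings fragment of the shape described above: TestFile paths must be plain absolute paths, the hostname must be RFC 1123 valid, and the existence check asks the OS directly or passes the path as a single argv element with no shell. The element names (Settings, Item, Hostname) and the sample fragment are constructed assumptions.

```python
import os
import re
import subprocess
import xml.etree.ElementTree as ET

# RFC 1123 hostname: dot-separated labels of letters, digits and interior hyphens.
HOSTNAME_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(r"(?:%s)(?:\.%s)*" % (HOSTNAME_LABEL, HOSTNAME_LABEL))
# Absolute path built only from characters that no shell interprets.
TEST_FILE_RE = re.compile(r"/[A-Za-z0-9._/-]*")


def validate_hostname(value):
    return (isinstance(value, str) and len(value) <= 253
            and HOSTNAME_RE.fullmatch(value) is not None)


def is_valid_test_file_path(value):
    if not isinstance(value, str) or TEST_FILE_RE.fullmatch(value) is None:
        return False
    # Keep the check confined to literal locations: no parent-directory components.
    return ".." not in value.split("/")


def safe_file_exists(path):
    """Existence check for a TestFile value: validate first, then ask the OS
    directly instead of handing the string to a shell."""
    if not is_valid_test_file_path(path):
        raise ValueError("refusing to test unvalidated path: %r" % (path,))
    return os.path.exists(path)


def safe_external_test(path):
    """Same check via the external test(1) utility, for the case where an
    external tool really is required: an argv list with shell=False passes
    the path as one argument, so characters inside it are never interpreted."""
    if not is_valid_test_file_path(path):
        raise ValueError("refusing to test unvalidated path: %r" % (path,))
    return subprocess.run(["test", "-e", path], check=False).returncode == 0


def audit_config(xml_text):
    """Walk a settings document and list every value the checks would reject."""
    root = ET.fromstring(xml_text)
    problems = []
    for element in root.iter():
        name = element.get("name", "")
        if "TestFile" in name and not is_valid_test_file_path(element.get("value", "")):
            problems.append((name, element.get("value"), "not a plain absolute path"))
    # The element name for the hostname is an assumption; the advisory only
    # says the hostname field in the same request is affected.
    host = root.findtext("Hostname")
    if host is not None and not validate_hostname(host):
        problems.append(("Hostname", host, "not an RFC 1123 hostname"))
    return problems


# Constructed settings fragment in the shape the advisory describes.
CONSTRUCTED_CONFIG_XML = """<Settings>
  <Hostname>gw01.example.com;id</Hostname>
  <Item name="ScanTestFile" value="/var/tmp/scan-probe.txt"/>
  <Item name="AlertTestFile" value="/tmp/probe;id"/>
  <Item name="LogLevel" value="info"/>
</Settings>"""

if __name__ == "__main__":
    for name, value, reason in audit_config(CONSTRUCTED_CONFIG_XML):
        print("%s=%r rejected: %s" % (name, value, reason))
```

Running the audit over a saved copy of the settings request is a cheap way to confirm no stored value would ever have reached a shell; the same validators belong in the server-side handler so that a rejected value never gets written in the first place.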
--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website