A system running Intel's McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities. Some of these vulnerabilities can be chained together to allow remote code execution as root. Once I noticed this product, I decided to take a look.
Before getting into the details of the vulnerabilities in this product, it helps to have a quick understanding of the system architecture.

Services
This product contains two services: one running as root and one running as an unprivileged user called nails. The webserver runs as the nails user and listens on 0.

Interprocess Communication
The webserver is essentially a UI on top of the scanner service. When a user makes a request to the webserver, the request is reformatted, sent to the root service, and then the user is shown the response rendered in an HTML template.
The web interface doesn't do much to limit what data a malicious user can send to the root service.

Vulnerabilities
Ten vulnerabilities are described in this section, the last of which is an authenticated SQL injection. When chained together, these vulnerabilities allow a remote attacker to execute code as root.

Remote Unauthenticated File Existence Test
When browsing to many sections of the web interface, an HTML file path is specified in the tplt parameter; in the figure shown above, tplt is set to tasks.
The two different error messages can reveal to an unauthorized remote user whether files by a given name exist on the system. This leads to the question of what is different between the valid web templates, such as tasks, and other files. If an attacker is able to place these strings into a file on the system (which may be trivial for log files), the attacker could then use the webserver to remotely read the entire file.
A limitation of this vulnerability is that the files are being read by the nails user.

No Cross-Site Request Forgery Tokens
There are no CSRF tokens accompanying any forms on the web interface, which allows attackers to submit authenticated requests when an authenticated user browses to an attacker-controlled, external domain.
Seeing a vulnerability this basic in an antivirus product is quite surprising. The lack of CSRF tokens is one of the ways that a remote attacker can exploit a vulnerability that should only be exposed to authenticated users.
When tplt is set to NailsConfig, the info parameter is rendered into the page. A typical value for info: This is then placed into a single-quoted string passed to formatData. This payload can then be modified to alert the message "xss".
When the final page of the form is submitted, a large request is sent to the server. A subset of the parameters posted are shown here: Attaching strace shows that one of these parameters, scannerPath, is passed directly to execve from a process running as root.
By changing this variable to an executable on the system, an authenticated user can have that binary executed by the root user. This can't easily be extended into arbitrary code execution because multiple arguments are passed to the binary. However, the scannerPath variable is not the only variable passed directly from the webserver to execve; while some values are hard-coded, four are entirely attacker-controlled, leading to the following command: A local user could use this to escalate privileges, but a remote attacker would need a way to place a malicious shell script onto the system.
The web interface allows users to specify an update server and request updates from it. Since I wanted to find a way for a remote user to write a file to the system, this seemed like it might be a useful feature.
To find how the update server was used, I cloned McAfee's update repository locally and then reconfigured the server to download updates from my server. Two requests are made as part of the update process. The SiteStat file is just a standard XML file that says whether a site is enabled and what version of the catalog it is serving. Presumably an update will only be downloaded if this is newer than whatever version the application last used to update.
I made the choice to assume that this used good crypto and that the update was signed, so there would be no way to push down a malicious update to compromise a system.
Instead, I wanted to use the update mechanism to push down a shell script to later execute with the previous vulnerability. The log files claim that the update process consists of: It's trivial to generate a shell script that will take a while to download, but will execute a given payload when run before the download is finished.
This can be done by writing a script that contains the desired payload and then appending a large comment after the payload. Combining vulnerabilities 5 and 6 now gives us a privilege escalation allowing us to go from the nails user to root.
The root service validates the credentials and returns its results to the webserver. But when I tried to use the cookie from my "attacker" machine, my authentication was denied. To find what was going wrong when a remote machine used my cookie, I used socat to man-in-the-middle the socket and see the messages. It looks like the webserver is sending the requester's IP address in addition to their cookie when it makes an AUTH request.
Although it's a bit unusual, it's not a terrible security decision. Our cookie is being sent via a text-based protocol, and after our cookie there's some number of spaces and then the IP address.
But if we modify this to make our cookie end with a space followed by the victim's IP address and then a number of spaces, it will be parsed incorrectly.
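To make the mis-parse concrete, here is an added Python model (not code from the post or the product) of the AUTH line and two ways of parsing it: a whitespace-split parse that takes the field after the cookie as the client IP, and a hardened parse that treats the last field as the IP and restricts the cookie alphabet. The exact wire framing, the cookie alphabet and the session table are assumptions made for this example.

```python
import ipaddress
import string
from typing import Callable, Dict, Tuple

# Constructed session table: cookie -> IP the session was issued to.
SESSIONS: Dict[str, str] = {"c0ffee": "10.0.0.5"}

# Assumed framing of the AUTH message the webserver forwards to the root
# service: the cookie, some padding spaces, then the requesting client's IP.
def build_auth_line(cookie: str, client_ip: str, pad: int = 6) -> str:
    return f"AUTH {cookie}{' ' * pad}{client_ip}"

def parse_auth_naive(line: str) -> Tuple[str, str]:
    """Models the flawed behaviour: split on whitespace and take the second and
    third fields. A cookie containing 'realcookie <victim-ip>' shifts the
    victim's IP into the IP slot and the server-appended IP is ignored."""
    fields = line.split()
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("malformed AUTH line")
    return fields[1], fields[2]

# Cookie alphabet for the hardened parser (assumption: no whitespace allowed).
COOKIE_CHARS = frozenset(string.ascii_letters + string.digits + "-_.:")

def parse_auth_strict(line: str) -> Tuple[str, str]:
    """Hardened parse: the IP is the trailing field (it is appended by the
    webserver after the cookie), everything before it is the cookie, and the
    cookie must stay inside COOKIE_CHARS so an IP cannot be smuggled into it."""
    if not line.startswith("AUTH "):
        raise ValueError("malformed AUTH line")
    body, _, ip_text = line[len("AUTH "):].rpartition(" ")
    cookie = body.strip()  # removes only the padding before the IP
    if not cookie or not set(cookie) <= COOKIE_CHARS:
        raise ValueError("cookie contains characters outside the allowed set")
    ip = str(ipaddress.ip_address(ip_text))  # rejects anything that is not an IP
    return cookie, ip

def authenticate(parse: Callable[[str], Tuple[str, str]], line: str,
                 sessions: Dict[str, str]) -> bool:
    """Accept only a known cookie whose bound IP matches the IP in the line."""
    try:
        cookie, ip = parse(line)
    except ValueError:
        return False
    return sessions.get(cookie) == ip

if __name__ == "__main__":
    forged = build_auth_line("c0ffee 10.0.0.5", "192.168.1.99")
    print("naive:", authenticate(parse_auth_naive, forged, SESSIONS))    # True
    print("strict:", authenticate(parse_auth_strict, forged, SESSIONS))  # False
```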
The service incorrectly parses this line and believes that it's reading a cookie sent from the victim's IP address.

Brute Force Authentication Tokens
After seeing the previous cookie-parsing logic fail, I wanted to test how well the other cookie validation logic worked. Here are a few sample values for the nailsSessionId cookies that were generated by logging in and out of the nails account: Only two parts of the cookie seem to change between typical login attempts. The cookie format seems to be:
While using a time stamp for a secret value is a bad idea since it could be brute forced, using two in conjunction would normally make this difficult. Fortunately, that's not the case here. Some basic testing found that the acceptable values for these fields differed significantly from what they were typically set to:
This leaves us with one value to brute force: the time at which the server was started.
Starting at the current date and decrementing it until we've successfully authenticated can be done by modifying the DATE value in the following cookie: The server responds to this request with a header Content-Type: An attacker can create a link that responds with arbitrary headers by simply URL-encoding newlines plus additional headers.
The database isn't used for authentication, just to track which files have been scanned and the event log. After exploiting other vulnerabilities to compromise a machine, an attacker could use SQL injection to modify the event log and cover their tracks.
The schema of this database is:
Every entry point to this database I looked at was vulnerable to SQL injection. Exploiting this vulnerability depends on the existence of a valid login token, which is generated whenever a user logs into the web interface. These tokens are valid for approximately an hour after login.

Versions Affected
The vulnerabilities described here are present from at least v1. The only difference from the older release appears to be updating to a newer version of libc, which makes exploiting these vulnerabilities easier.

Remote Code Execution as Root
To execute code as the root user on a remote machine:
1. Brute force an authentication token using Vulnerability 7 and Vulnerability 8.
2. Start running a malicious update server.
3. Send a request with the authentication token to change the configured update server, using Vulnerability 7.
4. Force the target to create the malicious script on its system using Vulnerability 6.
5. Send a malformed request with the authentication token to start a virus scan that executes the malicious script instead, using Vulnerability 5 and Vulnerability 6.
The malicious script is then run by the root user on the victim machine.