
McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)

Summary

Name: McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)
Release Date: 30 November 2012
Reference: NGS00154
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published

TimeLine

Discovered:  7 November 2011
Released: 28 November 2011
Approved: 28 November 2011
Reported:  4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012

Description

McAfee Email and Web Security Appliance v5.6 – Session hijacking (and
bypassing client-side session timeouts)

McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
session hijacking (bypassing client-side session timeouts).

The exploit would enable an attacker to:

 – Log in as an authenticated user (having obtained their session token)

Technical Details

I. VULNERABILITY

McAfee Email and Web Security Appliance v5.6 – Session hijacking
(bypassing client-side session timeouts)

II. BACKGROUND

McAfee (owned by Intel) is one of the world's best-known providers of IT
security products.

The McAfee Email and Web Security Appliance provides security for email and
web protocols, and acts as a firewall and gateway solution.

http://www.mcafee.com

III. DESCRIPTION

McAfee Email and Web Security Appliance v5.6 – Session hijacking (and
bypassing client-side session timeouts)

IV. PROOF OF CONCEPT

Session management appears to be controlled by client-side JavaScript.

When an administrator closes the UI (without clicking "logout") and comes
back to the UI later, they appear to be logged out. However, this is simply
the state of the JavaScript in their browser; the session token appears
to still be active on the server side.

Administrators typically close browser windows without clicking logout.

If an attacker gains a session cookie (perhaps via XSS, or by some other
means), they can make a dummy login attempt (with a dummy password) and
simply edit the (failure) response to look like the one below. They are then
logged in, and can use the UI as if they had logged in as the administrator.

(This can be easily performed with an intercepting proxy such as Burp,
Paros, OWASP ZAP, WebScarab, etc.)
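The root cause above is that the server keeps honouring a token after the browser's script has decided the user is "logged out". As an added defender's example (not code from the advisory or from McAfee), the Python session store below enforces idle and absolute timeouts and explicit logout on the server side, so a stale token is rejected on every request regardless of what the client-side UI state says; the timeout values, the `admin_page` handler and the `FakeClock` are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed policy: seconds without a request before the token dies
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed policy: hard cap on token lifetime regardless of activity


class SessionStore:
    """Server-side session table: validity is decided here, never in the browser."""

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so expiry can be tested deterministically
        self._sessions = {}       # token -> {"user", "created", "last_seen"}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, not guessable
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token):
        """Return the user bound to a live token, or None; expired tokens are purged."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        idle_expired = now - entry["last_seen"] > IDLE_TIMEOUT
        too_old = now - entry["created"] > ABSOLUTE_TIMEOUT
        if idle_expired or too_old:
            del self._sessions[token]       # revoke on the server, not just in the UI
            return None
        entry["last_seen"] = now            # activity extends the idle window only
        return entry["user"]

    def logout(self, token):
        """Explicit logout: the server forgets the token so it cannot be replayed."""
        self._sessions.pop(token, None)


def admin_page(store, cookie_token):
    """Hypothetical request handler: authorisation is re-checked against the store on
    every hit, so whatever the client-side script believes about login is irrelevant."""
    user = store.lookup(cookie_token)
    if user is None:
        return 401, "login required"
    return 200, f"admin console for {user}"


class FakeClock:
    """Constructed clock for testing; advance() simulates the admin walking away."""
    def __init__(self, start=1_000_000.0): self.now = start
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds
```

With a real deployment the same store would back the login handler, so that a tampered "success" response in the browser still yields 401 on the next request because no server-side entry exists for the token.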