
Overview

A system running Intel's McAfee VirusScan Enterprise for Linux can be compromised by remote attackers due to a number of security vulnerabilities. Some of these vulnerabilities can be chained together to allow remote code execution as root. When I noticed all these, I decided to take a look.

System Architecture

Before getting into the details of the vulnerabilities in this product, it helps to have a quick understanding of the system architecture.

Services

This product contains two separate services: one running as root and one running as an unprivileged user called nails. The webserver runs as the nails user and listens on 0.

Interprocess Communication

The webserver is essentially a UI on top of the scanner service. When a user makes a request to the webserver, the request is reformatted and sent to the root service, and the user is then shown the response rendered in an HTML template. The web interface doesn't do much to limit what a malicious user can send to the root service.

Vulnerabilities

Ten vulnerabilities, ranging from an unauthenticated file existence test to an authenticated SQL injection, are described in this section. When chained together, they allow a remote attacker to execute code as root.

Remote Unauthenticated File Existence Test

When browsing to many sections of the web interface, an HTML file path is specified in the tplt parameter; in the figure shown above, tplt is set to tasks. The two different error messages can reveal to an unauthenticated remote user whether a file by a given name exists on the system.

This leads to the question of what is different between the valid web templates such as tasks. If an attacker is able to place these strings into a file on the system (which may be trivial for log files), the attacker could then use the webserver to remotely read the entire file. A limitation of this vulnerability is that the files are read by the nails user, so anything readable only by root is out of reach.

No Cross-Site Request Forgery Tokens

There are no CSRF tokens accompanying any forms on the web interface, which allows attackers to submit authenticated requests when an authenticated user browses to an attacker-controlled, external domain.

Seeing a vulnerability this basic in an antivirus product is quite surprising. The lack of CSRF tokens is one of the ways that a remote attacker can exploit a vulnerability that should only be exposed to authenticated users.

When tplt is set to a particular template, a typical value for the info parameter is placed into a single-quoted string passed to formatData. This payload can then be modified to alert the message "xss".

When the final page of the form is submitted, a large request is sent to the server.

A subset of the parameters posted is shown here. Attaching strace shows that the scannerPath parameter is passed directly to execve by a process running as root. By changing this variable to another executable on the system, an authenticated user can have that binary executed as root. This can't easily be extended into arbitrary code execution, because multiple arguments are passed to the binary along with it.

However, scannerPath is not the only variable passed directly from the webserver to execve; while some values are hard-coded, four are entirely attacker-controlled in the resulting command. A local user could use this to escalate privileges, but a remote attacker would first need a way to place a malicious shell script onto the system.

The web interface allows users to specify an update server and request updates from it. Since I wanted to find a way for a remote user to write a file to the system, this seemed like it might be a useful feature. To find out how the update server was used, I cloned McAfee's update repository and then reconfigured the server to download updates from my server.

Two requests are made as part of the update process. The SiteStat file is just a standard XML file that says whether a site is enabled and what version of the catalog it is serving. Presumably an update will only be downloaded if this version is newer than whatever version the application last used to update.

I chose to assume that this used good crypto and that the update was signed, so there would be no way to push down a malicious update to compromise a system. Instead, I wanted to use this to push down a shell script to later execute with the previous vulnerability. The log files claim that the update process consists of: It's trivial to generate a shell script that will take a while to download but will execute a given payload if run before the download is finished.
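One way to build such a script, as an added example that is not code from the original post: the payload goes first, followed by a single enormous shell comment. Any prefix of the file that contains the whole payload then runs exactly the same commands, because a comment cut off mid-way by an unfinished download is still just a comment. The payload, the padding size and the helper names are assumptions chosen for illustration.

```python
# Added example (not code from the original post): a shell script padded with
# one huge trailing comment so that, once the payload at the top has arrived,
# running any partially downloaded prefix executes exactly the same commands.
# The payload below is a constructed, benign placeholder.
PAYLOAD = "#!/bin/sh\nid > /tmp/nails_poc.txt\n"


def build_slow_script(payload: str, pad_bytes: int) -> bytes:
    """Payload first, then a single comment line that is exactly pad_bytes long.

    The payload must end with a newline so the comment starts on its own line;
    otherwise the first padding characters would be glued onto the last command.
    """
    if pad_bytes < 3:
        raise ValueError("pad_bytes must leave room for '# ' and a newline")
    if not payload.endswith("\n"):
        payload += "\n"
    comment = "# " + "A" * (pad_bytes - 3) + "\n"
    return payload.encode() + comment.encode()


def effective_commands(script: bytes) -> list:
    """Model of what sh would run: every non-empty line that is not a comment.

    The shebang counts as a comment too.  A comment line truncated by an
    incomplete download is still a comment, which is what makes the padding
    safe to cut anywhere.
    """
    lines = script.decode("ascii", errors="replace").splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def truncation_is_harmless(script: bytes, payload: str) -> bool:
    """True if every prefix that contains the whole payload runs the same commands.

    Every cut within 64 bytes after the payload is checked (that is where the
    command/comment boundary lives), then the rest at a coarse stride.
    """
    if not payload.endswith("\n"):
        payload += "\n"
    start = len(payload.encode())
    expected = effective_commands(payload.encode())
    cuts = list(range(start, min(start + 64, len(script)) + 1))
    cuts += list(range(start + 64, len(script) + 1, 4096))
    cuts.append(len(script))
    return all(effective_commands(script[:cut]) == expected for cut in cuts)


if __name__ == "__main__":
    script = build_slow_script(PAYLOAD, 5 * 1024 * 1024)  # assumed 5 MiB of padding
    print(len(script), "bytes; commands run:", effective_commands(script))
    print("same commands from any prefix past the payload:",
          truncation_is_harmless(script, PAYLOAD))
```

The one prefix that is not safe is a cut inside the payload itself, which is why the payload must be short and sit at the very top of the file: the download has to have delivered those first bytes before the script is executed, while the comment keeps the transfer open long enough to give the attacker that window.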

This can be done by creating a script that contains the desired payload and then appending a large comment. Combining vulnerabilities 5 and 6 now gives us a privilege escalation from the nails user to root.

But when I tried to use the cookie from my "attacker" machine, my authentication was denied.

After confirming that the token worked on the original machine, I thought that the authentication tokens might be limited to a specific IP address. This would make writing an exploit more difficult, but it could still all be done via XSS, using JavaScript in a victim's browser.

When a user authenticates through the website, a message is passed via a Unix socket to the root service. The root service validates the credentials and returns its results to the webserver. To find out what was going wrong when a remote machine used my cookie, I used socat to man-in-the-middle the socket and see the messages. It looks like the webserver sends the requester's IP address along with their cookie when it makes an AUTH request. Although that's a bit unusual, it's not a terrible security decision.

Our cookie is sent via a text-based protocol, and after the cookie there are some number of spaces and then the IP address.

But if we modify our cookie so that it ends with a space, followed by the victim's IP address and then a number of spaces, the line is parsed incorrectly: the service believes it is reading a cookie sent from the victim's IP address.

After seeing the previous cookie-parsing logic fail, I wanted to test how well the other cookie validation logic worked.
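Before moving on, the AUTH line confusion described above as an added example (not code from the original post): a model of the line the webserver hands to the root service, the positional whitespace parse that lets a cookie carry its own fake IP, and a parse that refuses it. The field layout, padding width, token alphabet and session table are assumptions for illustration; the post only observed the protocol through socat.

```python
# Added example (not code from the original post): model of the AUTH line,
# the parse that goes wrong, and a strict parse.  Layout and token format are
# assumptions; the real protocol was only observed via socat in the post.
import ipaddress
import re

TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]+$")   # assumed cookie alphabet

# Constructed sample data: a session the victim established from VICTIM_IP.
REAL_COOKIE = "1234567890.abcdef.9876543210"
VICTIM_IP = "10.0.0.5"
ATTACKER_IP = "10.0.0.99"
SESSIONS = {REAL_COOKIE: VICTIM_IP}   # root service's view: cookie -> IP it was issued to


def build_auth_line(cookie: str, requester_ip: str, width: int = 40) -> str:
    """Webserver side (assumed): cookie, padded with spaces, then the requester's IP."""
    return "AUTH " + cookie.ljust(width) + " " + requester_ip


def parse_auth_vulnerable(line: str) -> tuple:
    """Root service side (assumed): split on runs of whitespace, take fields by position.

    Nothing stops the cookie itself from containing a space, so field 2 can be
    whatever the attacker put inside the cookie rather than the real requester IP.
    """
    fields = line.split()
    return fields[1], fields[2]


def auth_ok(parser, line: str) -> bool:
    """A session is valid if the cookie exists and the parsed IP matches the issuing IP."""
    cookie, ip = parser(line)
    return SESSIONS.get(cookie) == ip


def forged_cookie(real_cookie: str, victim_ip: str) -> str:
    """The post's trick: end the cookie with ' <victim IP>' plus a run of spaces."""
    return real_cookie + " " + victim_ip + " " * 8


def cookie_is_well_formed(cookie: str) -> bool:
    """Webserver-side fix: never forward a cookie that could smuggle a delimiter."""
    return TOKEN_RE.match(cookie) is not None


def parse_auth_hardened(line: str) -> tuple:
    """Root-side fix: exactly three fields, strict cookie alphabet, parsed IP address."""
    fields = [f for f in line.split(" ") if f != ""]   # collapse the padding runs
    if len(fields) != 3 or fields[0] != "AUTH":
        raise ValueError("malformed AUTH line")
    cookie, ip = fields[1], fields[2]
    if not cookie_is_well_formed(cookie):
        raise ValueError("cookie contains characters outside the token alphabet")
    ipaddress.ip_address(ip)   # raises ValueError if this is not an address
    return cookie, ip


def hardened_rejects(line: str) -> bool:
    try:
        parse_auth_hardened(line)
    except ValueError:
        return False if False else True
    return False


if __name__ == "__main__":
    forged = build_auth_line(forged_cookie(REAL_COOKIE, VICTIM_IP), ATTACKER_IP)
    print(repr(forged))
    print("vulnerable parse:", parse_auth_vulnerable(forged),
          "-> accepted:", auth_ok(parse_auth_vulnerable, forged))
    print("hardened parse rejects it:", hardened_rejects(forged))
```

The general lesson is the one the post arrives at: an in-band text protocol with whitespace framing cannot carry an attacker-chosen field next to a server-chosen one unless the attacker-chosen field is restricted to an alphabet that excludes the delimiter (or the fields are length-prefixed). Checking that on both ends, at the webserver before forwarding and at the root service before trusting, means neither side has to rely on the other.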

Brute Force Authentication Tokens

Here are a few sample values for the nailsSessionId cookie, generated by logging in and out with the nails account. Only two parts of the cookie change between typical login attempts. The cookie format seems to be. While using a timestamp as a secret value is a bad idea since it could be brute forced, using two in conjunction would normally make this difficult.

Fortunately, that's not the case here. Some basic testing found that the acceptable values for these fields differed significantly from what they were typically set to. This leaves us with only one value to brute force: the time at which the server was started. Starting at the current date and decrementing until we've successfully authenticated can be done by modifying the DATE value in the cookie.

The server responds to this request with a Content-Type header. An attacker can create a link that responds with arbitrary headers by simply URL-encoding newlines plus additional headers into the request.
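The header injection in miniature, as an added example that is not code from the original post: a server that copies a URL-decoded parameter straight into the Content-Type header, a client-side header parser showing what the injected CR/LF does, and the check that stops it. The parameter name, the exact response layout and the injected headers are assumptions; the post only says the reflected value ends up in Content-Type.

```python
# Added example (not code from the original post): how %0D%0A in a reflected
# parameter splits the response header block, and the check that stops it.
# The response layout and the injected headers are constructed for illustration.
from urllib.parse import unquote


def build_response_vulnerable(ct_value: str) -> bytes:
    """Model of the server: the parameter is copied verbatim into Content-Type."""
    head = "HTTP/1.1 200 OK\r\nContent-Type: " + ct_value + "\r\n\r\n"
    return head.encode("latin-1") + b"<html>ok</html>"


def parse_headers(raw: bytes) -> dict:
    """What a client sees: every header line up to the blank line, names lower-cased."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:   # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def sanitize_header_value(value: str) -> str:
    """Fix: refuse anything that can terminate or break a header line."""
    if "\r" in value or "\n" in value or "\x00" in value:
        raise ValueError("header value contains control characters")
    return value


def build_response_hardened(ct_value: str) -> bytes:
    return build_response_vulnerable(sanitize_header_value(ct_value))


def hardened_rejects(ct_value: str) -> bool:
    try:
        build_response_hardened(ct_value)
    except ValueError:
        return True
    return False


# Constructed attacker link value: %0D%0A is CR LF once the server URL-decodes it.
ATTACK_PARAM = "text%2Fhtml%0D%0ASet-Cookie%3A%20nailsSessionId%3Dattacker%0D%0AX-Injected%3A%201"


def attack_headers() -> dict:
    """Headers a victim's browser would act on after following the crafted link."""
    return parse_headers(build_response_vulnerable(unquote(ATTACK_PARAM)))


if __name__ == "__main__":
    print(attack_headers())
    print("hardened build rejects the payload:", hardened_rejects(unquote(ATTACK_PARAM)))
```

Setting a cookie is only the mildest use: a second CR LF pair ends the header block entirely, so the attacker can supply the whole body too, which is why the fix has to reject CR and LF outright rather than only the specific header names an attacker might try.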

Authenticated SQL Injection

The database isn't used for authentication, just to track which files have been scanned and the event log. After exploiting other vulnerabilities to compromise a machine, an attacker could use SQL injection to modify the event log and clean up their tracks.

The schema of this database is:

Exploiting this vulnerability depends on the existence of a valid login token, which is generated whenever a user logs into the web interface.

These tokens are valid for approximately an hour after login. Every entry point to this database I looked at was vulnerable to SQL injection.

Versions Affected

The vulnerabilities described here are present from at least v1. The only difference from the older release appears to be updating to a newer version of libc, which makes exploiting these vulnerabilities easier.

Remote Code Execution as Root

To execute code as the root user on a remote machine:

1. Brute force an authentication token using Vulnerability 7 and Vulnerability 8.
2. Start running a malicious update server.
3. Send a request with the authentication token to change the update server setting, using Vulnerability 7.
4. Force the target to create the malicious script on its system using Vulnerability 6.
5. Send a malformed request with the authentication token to start a virus scan but execute the malicious script instead, using Vulnerability 5 and Vulnerability 6.

The malicious script is then run by the root user on the victim machine.
