Back
NCC Group Publication Archive
Cyber Security
Technical advisories

November 5, 2015

2 mins read

McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)

Summary

Name: McAfee Email and Web Security Appliance v5.6 – Session hijacking (and
bypassing client-side session timeouts)
Release Date: 30 November 2012
Reference: NGS00154
Discoverer: Ben Williams 
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published

TimeLine

Discovered:  7 November 2011
Released: 28 November 2011
Approved: 28 November 2011
Reported:  4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012

Description

McAfee Email and Web Security Appliance v5.6 – Session hijacking (and
bypassing client-side session timeouts)

McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
session hijacking ( bypassing client-side session timeouts).

The exploit would enable an attacker to:

 – Login as authenticated user (having gained their session token)

Technical Details

I. VULNERABILITY

McAfee Email and Web Security Appliance v5.6 – Session hijacking (
bypassing client-side session timeouts)

II. BACKGROUND

McAfee (Owned by Intel) is one of the worlds best known providers of IT
security products.

The McAfee Email and Web Security Appliance provides security for Email and
Web protocols, and acts as a Firewall and Gateway solution.

http://www.mcafee.com

III. DESCRIPTION

McAfee Email and Web Security Appliance v5.6 – Session hijacking (and
bypassing client-side session timeouts)

IV. PROOF OF CONCEPT

Session management seems to be controlled by client-side javascript.

When and administrator closes the UI (without clicking “logout”) and comes
back to the UI later, he appears to be logged out. However, this is simply
the state of the javascript in his browser, and the session-token appears
to still be active on the server-side.

Administrators typically close browser windows without clicking logout.   
  

If an attacker gains a session-cookie (perhaps using XSS, or by some other
means), he can make a dummy login attempt (with a dummy password) and
simply edit the (failure) response to look like the one below. He is then
logged-in, and can use the UI as if he had logged-in as the administrator.

(this can be easily performed with an intercepting proxy, such as burp,
paros, owasp-zap, webscarab, etc)

 

Published by NCC Group Publication Archive

Here are some related articles you may find interesting

Ghidra nanoMIPS ISA module

Introduction In late 2023 and early 2024, the NCC Group Hardware and Embedded Systems practice undertook an engagement to reverse engineer baseband firmware on several smartphones. This included MediaTek 5G baseband firmware based on the nanoMIPS architecture. While we were aware of some nanoMIPS modules for Ghidra having been developed…

Hardware & Embedded Systems
Reverse Engineering
Tool Release

May 7, 2024

6 mins read

Sifting through the spines: identifying (potential) Cactus ransomware victims

Authored by Willem Zeeman and Yun Zheng Hu This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch…

Digital Forensics and Incident Response (DFIR)
Fox-IT and European Research
Vulnerability Research

April 25, 2024

7 mins read

Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis

During the spring of 2024, Google engaged NCC Group to conduct a design review of Confidential Mode for Hyperdisk (CHD) architecture in order to analyze how the Data Encryption Key (DEK) that encrypts data-at-rest is protected. The project was 10 person days and the goal is to validate that the…

Public Reports

April 12, 2024

1 min read

Previous post Next post

View articles by category

Most popular posts

Most recent posts

Call us before you need us.

Our experts will help you.

Get in touch