|
______________________________________________________________________
NSOADV-2010-004: McAfee LinuxShield remote/local code execution
______________________________________________________________________
______________________________________________________________________
111101111
11111 00110 00110001111
111111 01 01 1 11111011111111
11111 0 11 01 0 11 1 1 111011001
11111111101 1 11 0110111 1 1111101111
1001 0 1 10 11 0 10 11 1111111 1 111 111001
111111111 0 10 1111 0 11 11 111111111 1 1101 10
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011
0111111110 0110 1110 1 0 11101111111111111011 11100 00
01111 0 10 1110 1 011111 1 111111111111111111111101 01
01110 0 10 111110 110 0 11101111111111111111101111101
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1 1 111 1 10011 101111111111011111111 0 1100
111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111
______________________________________________________________________
______________________________________________________________________
Title: McAfee LinuxShield remote/local code
execution
Severity: Medium
Advisory ID: NSOADV-2010-004
Found Date: 07.12.2009
Date Reported: 05.02.2010
Release Date: 02.03.2010
Author: Nikolas Sotiriu (lofi)
Website: http://sotiriu.de
Twitter: http://twitter.com/nsoresearch
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2010-004.txt
Vendor: McAfee (http://www.mcafee.com/)
Affected Products: McAfee LinuxShield <= 1.5.1
Not Affected Products: McAfee LinuxShield 1.5.1 with HF550192
Remote Exploitable: Yes (attacker must be authenticated)
Local Exploitable: Yes
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Thanks to: Thierry Zoller: For the permission to use his
Policy
Background:
==========
LinuxShield detects and removes viruses and other potentially unwanted
software on Linux-based systems. LinuxShield uses the powerful McAfee
scanning engine =E2=80=94 the engine common to all our anti-virus products.
Although a few years ago, the Linux operating system was considered a
secure environment, it is now seeing more occurrences of software
specifically written to attack or exploit security weaknesses in
Linux-based systems. Increasingly, Linux-based systems interact with
Windows-based computers. Although viruses written to attack Windows-
based systems do not directly attack Linux systems, a Linux server
can harbor these viruses, ready to infect any client that connects to
it.
When installed on your Linux systems, LinuxShield provides protection
against viruses, Trojan horses, and other types of potentially
unwanted software.
LinuxShield scans files as they are opened and closed =E2=80=94 a technique
known as on-access scanning. LinuxShield also incorporates an
on-demand scanner that enables you to scan any directory or file in
your host at any time.
When kept up-to-date with the latest virus-definition (DAT) files,
LinuxShield is an important part of your network security. We
recommend that you set up an anti-virus security policy for your
network, incorporating as many protective measures as possible.
LinuxShield uses a web-browser interface, and a large number of
LinuxShield installations can be centrally controlled by ePolicy
Orchestrator.
(Product description from LinuxShield Product Guide)
Description:
===========
This vulnerability allows remote attackers to execute arbitrary code
on vulnerable installations of McAfee LinuxShield. User interaction
is not required to exploit this vulnerability but an attacker must
be authenticated.
The LinuxShield Webinterface communicates with the localy installed
"nailsd" daemon, which listens on port 65443/tcp, to do configuration
changes, query the configuration and execute tasks.
Each user, which can login to the victim box, can also authenticate
it self to the "nailsd" and can do configuration changes and execute
tasks with root privileges.
A direct execution of commands is not possible, but it is possible to
download and execute code through manipulation of the config and
execute schedule tasks of the LinuxShield.
walk-through (after the TLS handshake):
+--------------------------------------
nailsd > +OK welcome to the NAILS Statistics Service
attacker> auth