McAfee has its own website vulnerable to attacks

Today, as on every ordinary Monday, I went to my e-mail box and checked the messages from the security community on Full-Disclosure. As usual I came across an advisory pointing out some web security vulnerabilities, but unlike usual this one certainly had my attention. I could say the post caught my attention for its organization (not so common among web vuln disclosers), or because it included not one but a myriad of different vulnerabilities, or maybe because these vulnerabilities included some unusual (and potentially dangerous) stuff like server-side source code disclosure, or even because these vulnerabilities were still not patched by the vendor 15 full days after it was informed about them. But no, those were not the reasons I had my eyes rolling. The thing that really got me is that all of this is not about just any vendor, it is about McAfee, a vendor well known for its anti-virus software but also for its web security service McAfee Secure. This service provides customers with the label “Verified by McAfee Secure” so they can put it on their website as a mark of safety. According to McAfee: “The McAfee SECURE™ trustmark only appears when the website has passed our intensive, daily security scan. We test for possible personal information access, links to dangerous sites, phishing, and other online dangers.” In other words, the presence of this label means that the website is not vulnerable to the exact same vulnerabilities McAfee currently has.

Don’t get me wrong, I have no interest in damaging McAfee’s image, I even own a company that sells McAfee products, but this is a serious lack of diligence towards customers and resellers that must not go unnoticed. With that in mind, let’s discuss those vulnerabilities a bit. Bear in mind that this post is written for those who are not tech-savvy enough to do without it. So, go light on the criticism. :)

0) First of all, credit where it is due. This find was brought to light by the YGN Ethical Hacker Group and the original post can be found here. They contacted McAfee 15 days ago and today decided enough is enough.

1) First vulnerability: Cross Site Scripting.

This is the first vulnerability YGN found in McAfee’s website. In order not to waste any time, let me paste Wikipedia’s definition here: “Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site’s owner.”

In the case of McAfee, the vulnerable portion of the site is this: http://download.mcafee.com/products/webhelp/4/1033/#

Basically, whatever JavaScript code you put after that address is going to be executed in the client’s browser as if it came directly from McAfee’s own page, with access to all the cookies and privileges bound to the domain. An example would be:

http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
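To make the mechanism concrete for the non-technical readers this post is aimed at, here is an added example (my own illustration, not code from the original advisory or from McAfee’s help viewer). It assumes the help page reads whatever follows the “#” (location.hash) and hands it to the browser as a navigation target; that assumption is what turns a harmless fragment into DOM-based XSS. The fix is to only accept fragments that look like a help topic and fall back to a known page for everything else. The topic naming scheme (TOPIC_RE) and DEFAULT_TOPIC are hypothetical.

```javascript
// Added example, not from the original post or McAfee's code.
// Assumption: the help viewer navigates to the value of location.hash.

// Vulnerable pattern (illustration only): the fragment is trusted blindly.
// Whatever string this returns would go straight into location.replace(),
// so a "javascript:" URL runs with the page's own origin and cookies.
function unsafeResolveTopic(hash) {
  return hash.replace(/^#/, "");
}

// Hardened version: accept only a relative topic path inside the help tree.
// Hypothetical naming scheme: letters, digits, "_", "-", "/" and an .htm/.html
// suffix. No ":" (kills every URL scheme), no "." except the suffix (kills ".."),
// no leading "/" (kills protocol-relative "//host/" targets), no quotes or "<".
const TOPIC_RE = /^[A-Za-z0-9_][A-Za-z0-9_\-\/]*\.html?$/;
const DEFAULT_TOPIC = "index.htm";   // assumed landing page of the help set

function isSafeHelpTopic(hash) {
  const topic = hash.replace(/^#/, "");
  return TOPIC_RE.test(topic);
}

// Returns a value that is safe to pass to location.replace(): either the
// validated relative topic or the default page.
function safeResolveTopic(hash) {
  const topic = hash.replace(/^#/, "");
  return isSafeHelpTopic(hash) ? topic : DEFAULT_TOPIC;
}

// In the browser the viewer would do:
//   location.replace(safeResolveTopic(location.hash));
// instead of:
//   location.replace(unsafeResolveTopic(location.hash));
```

An allowlist of what a topic may look like is the right shape for this check; trying to blocklist the string “javascript:” would miss encodings and other schemes, while the regular expression above rejects them all at once.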

2) Second Vulnerability: Information Disclosure > Internal Hostname

This JavaScript file http://www.mcafee.com/js/omniture/omniture_profile.js reveals McAfee’s internal hostname. I suppose the check done by the script should be done server side, so this information doesn’t get disclosed. But, heck, it seems for McAfee it’s no big deal to have it this way.

3) Third Vulnerability: Information Disclosure > Source Code Disclosure

This one is serious. Usually, server-side scripts have their source hidden on the server. They stay on the server, run on the server, and their output is supposed to be the result of their execution, not their source. With this premise, programmers generally put things in server-side script code that should never see the light of day, in the hope that it really won’t. This is why this vulnerability is potentially dangerous. In McAfee’s case the following server-side scripts are fully open, with their source code available to the world:

http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
http://download.mcafee.com/clinic/Includes/common.asp
http://download.mcafee.com/updates/upgrade_patches.asp
http://download.mcafee.com/updates/common/dat_common.asp
http://download.mcafee.com/updates/updates.asp
http://download.mcafee.com/updates/superDat.asp
http://download.mcafee.com/eval/evaluate2.asp
http://download.mcafee.com/common/ssi/conditionals.asp
http://download.mcafee.com/common/ssi/errHandler_soft.asp
http://download.mcafee.com/common/ssi/variables.asp
http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
http://download.mcafee.com/common/ssi/errHandler.asp
http://download.mcafee.com/common/ssi/common_subs.asp
http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
http://download.mcafee.com/us/bannerAd.asp
http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
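Source disclosure of this kind usually means the web server handed the .asp files out as plain static files instead of executing them (a handler mapping missing for that directory, for instance). The post cannot tell us which of these it was at McAfee, but a site owner can at least verify the fix: after the change, every one of those URLs must return rendered HTML, never the script itself. Below is an added example of such a regression check (my own code, not from YGN or McAfee). It looks for the server-side delimiters and keywords that only ever appear in unexecuted ASP source. The response bodies and example.invalid URLs are constructed placeholders, not captured from McAfee’s site.

```javascript
// Added example, not from the original post or McAfee's site.
// Detects responses that contain raw ASP source instead of rendered output.

// A correctly executed ASP page never emits "<% ... %>" to the client, so
// any such block in a response body means the file was served unexecuted.
const ASP_DELIMITER_RE = /<%[\s\S]*?%>/;
// Keywords that belong to server-side VBScript, not to browser-side code.
const ASP_KEYWORD_RE =
  /\b(Option Explicit|Response\.Write|Server\.CreateObject|Request\.(QueryString|Form|Cookies|ServerVariables))\b/;

function looksLikeAspSource(body) {
  return ASP_DELIMITER_RE.test(body) || ASP_KEYWORD_RE.test(body);
}

// Given a map of URL -> response body, return the URLs whose body leaks source.
// In real use the bodies would come from fetching each URL from the fixed site.
function findDisclosedSources(responses) {
  return Object.keys(responses).filter((url) => looksLikeAspSource(responses[url]));
}

// Constructed sample responses (placeholders, not McAfee's real content).
const SAMPLE_RESPONSES = {
  // Rendered correctly: only HTML reaches the client.
  "http://example.invalid/updates/updates.asp":
    "<html><body><h1>Product updates</h1><p>Latest DAT: 1234</p></body></html>",
  // Served as a static file: the script source, including a connection
  // detail that was never meant to leave the server, is visible.
  "http://example.invalid/common/ssi/variables.asp":
    "<%@ Language=VBScript %>\n<% Option Explicit\n   Dim dbServer\n" +
    "   dbServer = \"PLACEHOLDER-INTERNAL-HOST\"\n%>\n<html>",
  // Rendered correctly; an HTML comment alone is not a leak.
  "http://example.invalid/clinic/Includes/common.asp":
    "<html><body><!-- rendered include --><div>Clinic</div></body></html>",
};

// Runs the check over the constructed samples and returns the leaking URLs.
function demo() {
  return findDisclosedSources(SAMPLE_RESPONSES);
}
```

The check is a heuristic: some client-side templating libraries also use “<% %>” in page markup, so a hit should be confirmed by eye rather than treated as proof. A miss, on the other hand, is reassuring only for the URLs actually listed, which is why the list in the advisory is worth keeping as the input set.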

As a potential solution to these problems, YGN has acidly recommended that McAfee make better use of its own technicians and engineers, or in their own words “Fully utilize Mcafee FoundStone Experts”. In fact, this problem leaves McAfee wide open to sarcasm and the jokes have already started on Full-Disclosure. Let’s hope that after this McAfee will honor its clients and fix things at home as a priority.

Well, one can only conclude one thing about all of this: “The shoemaker’s son always goes barefoot”.

This entry was posted in Security.