Saltar a la navegación Saltar al contenido principal Ir al pie de página

McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked

Summary

Name: McAfee Email and Web Security Appliance v5.6 – Password hashes can be
recovered from a system backup and easily cracked
Release Date: 30 November 2012
Reference: NGS00157
Discoverer: Ben Williams 
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published

TimeLine

Discovered: 25 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported:  4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012

Description

McAfee Email and Web Security Appliance v5.6 – Password hashes can be
recovered from a system backup and easily cracked

McAfee Email and Web Security Appliance v5.6 (v5.6 1741.115) is prone to
weak storage of passwords meaning that password hashes can be recovered
from a system backup and easily cracked

The exploit would enable an attacker to:

 – Having gained access to the UI, recover and crack administrator password
hashes
 – Having cracked the SuperAdministrator password, this will enable an
attacker to enable SSH and login to the appliance operating system

Technical Details

I. VULNERABILITY

McAfee Email and Web Security Appliance v5.6 – Password hashes can be
recovered from a system backup and easily cracked

II. BACKGROUND

McAfee (Owned by Intel) is one of the worlds best known providers of IT
security products.

The McAfee Email and Web Security Appliance provides security for Email and
Web protocols, and acts as a Firewall and Gateway solution.

http://www.mcafee.com

III. DESCRIPTION

McAfee Email and Web Security Appliance v5.6 – Password hashes can be
recovered from a system backup and easily cracked

IV. PROOF OF CONCEPT

Password hashes can be recovered from a system backup and easily cracked
(these are not salted and are stored as simmple MD5 hashes, so a simple
google search may be enough to find the password)

System > Cluster Management > Backup and Restore Configuration > Backup
Configuration > Backup the product

Unpack the zip file

unzip config_20111106152627.zip

Grep for passwords in “/proto/wsadmin/users.xml”

grep password proto/wsadmin/users.xml

md5sum –>
        MASTER” user=”scmadmin” builtin=”1″
role=”super” usekdc=”0″ kdc=”” log-session=”1″ sa_admin=”1″
password=”5a731a984ad01873cafab2ba10449b9a” vhost=””/>

If the password cannot be found by searching google (unlikely) then John
The Ripper can be used as follows:

john –format=raw-MD5 mcafee.txt
Loaded 1 password hash (Raw MD5 [raw-md5 64×1])
admin2           (?)
guesses: 1  time: 0:00:00:00 100.00% (2) (ETA: Mon Nov  7 13:10:15 2011)
c/s: 876800  trying: rabbit2 – altamira2

This password, is also the same as the password for the “support” user for
SSH logins.

To enable SSH:

System > Appliance Management > Remote Access > Enable the secure shell
(then save policy)

Fix Information

Password hashes should be stored in a secure format such as salted SHA1-512
Verification should be obtained before system backups can be taken

Update to Email and Web Security 5.5 Patch 6, Email and Web Security 5.6
Patch 3, McAfee Email Gateway 7.0 Patch 1