Windows User Group - Slovak Republic
Compromised McAfee.com site


As can be seen, even antivirus and security companies do not try very hard to look after their own security.

On 20 March 2011, sway1990, a member of the InSecurity.Ro group, once again hacked the ESET.ro site (ESET's Romanian reseller).

According to official information no important data leaked, and eset.ro promptly carried out the fixes.

(ESET's statement: It was an SQL injection on the page where we keep our reseller map. The problem was fixed in the same day. There were no changes in the page or other damage to our image.)

Let us say this was a relatively minor flaw with a prompt fix (within 12 hours).

 

On the other side is McAfee. The YGN Ethical Hackers group found flaws on the mcafee.com site and reported them to McAfee as early as 10 February 2011. They were cross-site scripting holes (XSS vulnerability), internal URLs left exposed, and visible source files.
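The XSS hole in the advisory quoted further down is triggered by a URL fragment that begins with `javascript:`. That pattern typically appears when a help viewer reads `location.hash` and navigates to whatever follows the `#`. The snippet below is an added example, not McAfee's webhelp code: the handler shape, the `help.example.test` base URL and the topic-path rules are assumptions made for illustration. It shows the vulnerable pattern next to a hardened form that only accepts a relative topic path under the viewer's own base.

```javascript
// Added example (not McAfee's code): a help viewer that navigates to the
// topic named in the URL fragment, in a vulnerable and a hardened form.
// The handler shape is an assumption about how fragment-driven help pages
// commonly work; the real webhelp code is not on the page this follows.

// Vulnerable: whatever follows "#" becomes the navigation target, so a
// fragment such as "#javascript:top.location.replace('attacker.in')" runs
// as script the moment it is assigned to location.
function unsafeTopicTarget(hash) {
  return hash.startsWith("#") ? hash.slice(1) : hash;
}

// Hardened: allow only a relative topic path built from a small character
// set (no ":" so no scheme, no quotes or brackets), refuse traversal and
// root-absolute paths, then resolve against a fixed base and confirm the
// result stays inside that base. Base URL is constructed for the example.
const TOPIC_RE = /^[A-Za-z0-9_\-./]+$/;
const BASE = "https://help.example.test/products/webhelp/";

function safeTopicTarget(hash, base = BASE) {
  const raw = hash.startsWith("#") ? hash.slice(1) : hash;
  let topic;
  try {
    topic = decodeURIComponent(raw); // validate the decoded form, not the raw one
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (!TOPIC_RE.test(topic)) return null;            // rejects "javascript:", "<", "'", "(" ...
  if (topic.includes("..") || topic.startsWith("/")) return null; // no traversal, no "//host" tricks
  const baseUrl = new URL(base);
  const resolved = new URL(topic, baseUrl);
  if (resolved.origin !== baseUrl.origin) return null;
  if (!resolved.pathname.startsWith(baseUrl.pathname)) return null;
  return resolved.href;
}

// Page wiring (not executed here): on hashchange, navigate only to a
// validated target and silently ignore everything else.
function onHashChange(win) {
  const target = safeTopicTarget(win.location.hash);
  if (target !== null) win.location.replace(target);
}
```

The important design choice is that the check runs on the decoded value and rejects by allow-list rather than trying to block `javascript:` by name; that also closes `data:` and `vbscript:` variants, percent-encoded payloads, and protocol-relative `//host` redirects in one rule.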

McAfee issued a statement on 12 February 2011 with the following wording:

"We are working to resolve the issue as quickly as possible."

Well, upon re-checking on 27 March 2011, the problem still persists. (As can be seen in the email from YGN inserted below.)

The problem, compared to ESET, is substantially bigger. ESET and its local resellers are not connected to anything; they have (or should have) local update servers and their own user database.

McAfee, on the other hand, also performs verification for its customers and issues them a security certification for their websites (Verified by McAfee Secure), and its databases are directly connected to the website.

McAfee also provides Security & Risk Management services and analyses to companies, so it should meet certain standards.

If you would like to examine the problem in more detail, Pablo Ximenes of the Security Research Team at the University of Ceará (Brazil) has written it up nicely.

Description of the problem on McAfee.com:

From: YGN Ethical Hacker Group 
Date: Mon, 28 Mar 2011 00:02:47 +0800
Vulnerabilities in *McAfee.com
1. VULNERABILITY DESCRIPTION
-> Cross Site Scripting
http://download.mcafee.com/products/webhelp/4/1033/#javascript:top.location.replace('attacker.in')
-> Information Disclosure > Internal Hostname:
http://www.mcafee.com/js/omniture/omniture_profile.js
($ ruby host-extract.rb -a http://www.mcafee.com/js/omniture/omniture_profile.js)
-> Information Disclosure > Source Code Disclosure:
view-source:http://download.mcafee.com/clinic/includes/commoninc/cookiecommon.asp
view-source:http://download.mcafee.com/clinic/includes/commoninc/appcommon.asp
view-source:http://download.mcafee.com/clinic/includes/commoninc/partnerCodesLibrary.asp
view-source:http://download.mcafee.com/clinic/Includes/common.asp
view-source:http://download.mcafee.com/updates/upgrade_patches.asp
view-source:http://download.mcafee.com/updates/common/dat_common.asp
view-source:http://download.mcafee.com/updates/updates.asp
view-source:http://download.mcafee.com/updates/superDat.asp
view-source:http://download.mcafee.com/eval/evaluate2.asp
view-source:http://download.mcafee.com/common/ssi/conditionals.asp
view-source:http://download.mcafee.com/common/ssi/errHandler_soft.asp
view-source:http://download.mcafee.com/common/ssi/variables.asp
view-source:http://download.mcafee.com/common/ssi/standard/oem/oem_controls.asp
view-source:http://download.mcafee.com/common/ssi/errHandler.asp
view-source:http://download.mcafee.com/common/ssi/common_subs.asp
view-source:http://download.mcafee.com/us/upgradeCenter/productComparison_top.asp
view-source:http://download.mcafee.com/us/bannerAd.asp
view-source:http://download.mcafee.com/common/ssi/standard/global_foot_us.asp
2. RECOMMENDATION
- Fully utilize Mcafee FoundStone Experts
- Use outbound monitoring of traffic to detect potential information leakage
3. VENDOR
McAfee Inc
http://www.mcafee.com
4. DISCLOSURE TIME-LINE
2011-02-10: reported vendor
2011-02-12: vendor replied "we are working to resolve the issue as
quickly as possible"
2011-03-27: vulnerability found to be unfixed completely
2011-03-27: vulnerability disclosed
5. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/sites/mcafee.com/[mcafee]_xss_infoleak
Former Disclosure, 2008:
http://www.theregister.co.uk/2008/06/13/security_giants_xssed/
Former Disclosure, 2009:
http://news.softpedia.com/news/McAfee-Websites-Vulnerable-to-Attacks-110...
Former Disclosure, 2010:
http://security-sh3ll.blogspot.com/2010/04/mcafee-communities-xss-deface...
host-extract: http://code.google.com/p/host-extract/
Demo: http://yehg.net/lab/pr0js/training/view/misc/XSSing_McAfee_Secured/
xssed: http://www.xssed.com/search?key=mcafee.com
Lessons Learned: http://blogs.mcafee.com/mcafee-labs/from-xss-to-root-lessons-learned-fro...
#yehg [2011-03-27]
Redhawk | Tuesday 29 March 2011, 16:54 | Read 5002 times | not rated
Copyright © 2008 Windows User Group Slovensko