CVE-2016-8024 - HTTP Response Splitting vulnerability in McAfee VirusScan Enterprise
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
An improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows a remote unauthenticated attacker to obtain sensitive information via server HTTP response spoofing.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 5 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing/Intercepting/Modifying HTTP Cookies: This attack relies on the use of HTTP cookies to store credentials, state information and other critical data on client systems. The first form of this attack involves accessing HTTP cookies to mine for potentially sensitive data contained therein. The second form involves intercepting this data as it is transmitted from client to server. The intercepted information is then used by the attacker to impersonate the remote user/session. The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.
- HTTP Response Splitting: This attack uses a maliciously crafted HTTP request to cause a vulnerable web server to respond with an HTTP response stream that the client will interpret as two separate responses instead of one. This is possible when user-controlled input is used unvalidated as part of the response headers. The target software, the client, will interpret the injected header as being a response to a second request, thereby causing the maliciously crafted contents to be displayed and possibly cached. To achieve HTTP Response Splitting on a vulnerable web server, the attacker:
- Simple Script Injection: An attacker embeds malicious scripts in content that will be served to web browsers. The goal of the attack is for the target software, the client-side browser, to execute the script with the user's privilege level. An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute code and scripts. Web browsers, for example, have some simple security controls in place, but if a remote attacker is allowed to execute scripts (through injecting them into user-generated content like bulletin boards) then these controls may be bypassed. Further, these attacks are very difficult for an end user to detect.
- AJAX Fingerprinting: This attack utilizes the frequent client-server roundtrips in an Ajax conversation to scan a system. While Ajax does not open up new vulnerabilities per se, it does optimize them from an attacker's point of view. In many XSS attacks the attacker must get a "hole in one" and successfully exploit the vulnerability on the victim side the first time; once the client is redirected the attacker has many chances to engage in follow-on probes, but there is only one first chance. In a widely used web application this is not a major problem because 1 in 1,000 is good enough. A common first step for an attacker is to footprint the environment to understand what attacks will work. Since footprinting relies on enumeration, the conversational pattern of rapid, multiple requests and responses that is typical in Ajax applications enables an attacker to look for many vulnerabilities, well-known ports, network locations and so on.
Exploit-Db
description | McAfee Virus Scan Enterprise for Linux - Remote Code Execution. CVE-2016-8016,CVE-2016-8017,CVE-2016-8018,CVE-2016-8019,CVE-2016-8020,CVE-2016-8021,CVE-2016-... |
file | exploits/linux/remote/40911.py |
id | EDB-ID:40911 |
last seen | 2016-12-13 |
modified | 2016-12-13 |
platform | linux |
port | |
published | 2016-12-13 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/40911/ |
title | McAfee Virus Scan Enterprise for Linux - Remote Code Execution |
type | remote |
Nessus
NASL family | Misc. |
NASL id | MCAFEE_VSEL_SB10181.NASL |
description | The remote host has a version of McAfee VirusScan Enterprise for Linux (VSEL) installed that is prior or equal to 2.0.3. It is, therefore, affected by multiple vulnerabilities: - An information disclosure vulnerability exists in the web interface due to improper error reporting. An authenticated, remote attacker can exploit this, by manipulating the |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 95812 |
published | 2016-12-14 |
reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/95812 |
title | McAfee VirusScan Enterprise for Linux <= 2.0.3 Multiple vulnerabilities (SB10181) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/140147/mvsel-exec.txt |
id | PACKETSTORM:140147 |
last seen | 2016-12-14 |
published | 2016-12-14 |
reporter | Andrew Fasano |
source | https://packetstormsecurity.com/files/140147/McAfee-Virus-Scan-Enterprise-For-Linux-Remote-Code-Execution.html |
title | McAfee Virus Scan Enterprise For Linux Remote Code Execution |
Saint
bid | 94823 |
description | McAfee VirusScan Enterprise for Linux authentication token brute force |
title | mcafee_virus_scan_linux_brute |
type | remote |
References
- http://www.securityfocus.com/bid/94823
- http://www.securitytracker.com/id/1037433
- https://kc.mcafee.com/corporate/index?page=content&id=SB10181
- https://www.exploit-db.com/exploits/40911/