Symantec Endpoint Protection 11.0 / 12.0 / 12.1 XXE / SQL Injection

Posted Feb 19, 2014
Authored by S. Viehbock | Site sec-consult.com

Symantec Endpoint Protection versions 11.0, 12.0, and 12.1 suffer from unauthenticated XML external entity injection and unauthenticated local SQL injection vulnerabilities.

tags | advisory, local, vulnerability, sql injection, xxe
advisories | CVE-2013-5014, CVE-2013-5015
SHA-256 | 8dc0a7d04b4648d74f8859b867b10ed25093390acfa65b509cef76bb983b8a1a

SEC Consult Vulnerability Lab Security Advisory < 20140218-0 >
=======================================================================
title: Multiple critical vulnerabilities
product: Symantec Endpoint Protection
vulnerable version: 11.0, 12.0, 12.1
fixed version: >=11.0.7405.1424, >=12.1.4023.4080
impact: Critical
CVE number: CVE-2013-5014, CVE-2013-5015
homepage: https://www.symantec.com
found: 2013-12-03
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================


Vendor description:
-------------------
"Symantec Endpoint Protection is a client-server solution that protects
laptops, desktops, Windows and Mac computers, and servers in your network
against malware. Symantec Endpoint Protection combines virus protection with
advanced threat protection to proactively secure your computers against known
and unknown threats.
Symantec Endpoint Protection protects against malware such as viruses, worms,
Trojan horses, spyware, and adware. It provides protection against even the
most sophisticated attacks that evade traditional security measures, such as
rootkits, zero-day attacks, and spyware that mutates. Providing low maintenance
and high power, Symantec Endpoint Protection communicates over your network to
automatically safeguard for both physical systems and virtual systems against
attacks."

Source:
https://www.symantec.com/endpoint-protection
https://www.symantec.com/business/support/index?page=content&id=DOC6153


Business recommendation:
------------------------
Attackers are able to completely compromise the Endpoint Protection Manager
server as they can gain access at the system and database level.
Furthermore, attackers can manage all endpoints and possibly deploy
attacker-controlled code on endpoints.

The Endpoint Protection Manager server can be used as an entry point into
the target infrastructure (lateral movement, privilege escalation).

It is highly recommended by SEC Consult not to use this software until a
thorough security review has been performed by security professionals and all
identified issues have been resolved.

It is assumed that further critical vulnerabilities exist.


Vulnerability overview/description:
-----------------------------------
1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)
Multiple XXE vulnerabilities were found in the Endpoint Protection Manager
application. These vulnerabilities can be used to execute server side request
forgery (SSRF) attacks used for portscanning/fingerprinting, denial of service,
possibly file disclosure as well as attacks against functionality that is only
exposed internally (see 2).
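The hardening a defender wants against this vulnerability class, as an added example that is not code from the advisory, from SEC Consult or from Symantec: a Python XML entry point that refuses any DOCTYPE, entity declaration or external entity reference before the parser can expand it, plus a cheap pre-filter a reverse proxy or log review can apply to request bodies. The sample bodies are constructed, and the loopback URL inside the probe is a placeholder.

```python
"""Added example (not code from the advisory or from Symantec): refuse
DTD features in untrusted XML so no external entity can ever be fetched."""
import re
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document uses DTD features we never accept."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML from an untrusted client into a list of (tag, attrs) pairs.

    A DOCTYPE, an entity declaration or an external entity reference aborts
    the parse. Rejecting the whole feature is simpler and safer than trying
    to filter individual URLs or schemes out of entity definitions.
    """
    elements = []
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (root={name!r})")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        # Cannot be reached once on_doctype raises; kept as defence in depth.
        raise UnsafeXML(f"external entity fetch blocked: {system_id!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda tag, attrs: elements.append((tag, attrs))
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return elements


# Markers worth alerting on in a request log or at a reverse proxy. A hit is
# not proof of an attack (some legitimate clients send DOCTYPEs), but for an
# endpoint that never needs a DTD it is a strong signal.
_DTD_MARKERS = {
    "DOCTYPE": re.compile(rb"<!DOCTYPE\b", re.I),
    "ENTITY": re.compile(rb"<!ENTITY\b", re.I),
    "SYSTEM": re.compile(rb"\bSYSTEM\s*[\"']", re.I),
    "PUBLIC": re.compile(rb"\bPUBLIC\s*[\"']", re.I),
}


def flag_request_body(body: bytes) -> list:
    """Return the DTD markers present in a body, sorted, for triage/alerting."""
    return sorted(name for name, rx in _DTD_MARKERS.items() if rx.search(body))


# Constructed sample bodies (not captured traffic); the URL is a placeholder.
BENIGN = b'<?xml version="1.0"?><request action="status"/>'
PROBE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY e SYSTEM "http://127.0.0.1/internal-only">]>'
    b'<request action="&e;"/>'
)


def demo() -> dict:
    """Run both bodies through the filter and the parser; report what happened."""
    result = {
        "benign_flags": flag_request_body(BENIGN),
        "probe_flags": flag_request_body(PROBE),
        "benign_parsed": parse_untrusted_xml(BENIGN),
    }
    try:
        parse_untrusted_xml(PROBE)
        result["probe_rejected"] = False
    except UnsafeXML as exc:
        result["probe_rejected"] = True
        result["reason"] = str(exc)
    return result


if __name__ == "__main__":
    print(demo())
```

The parser-level refusal is the actual fix; the marker scan only exists so that a SOC can see probes against an endpoint that has already been hardened, or against one that has not been patched yet.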

2) Unauthenticated local SQL injection (CVE-2013-5015)
The identified SQL injection vulnerability enables an unauthenticated attacker
to execute arbitrary commands on the underlying operating system with the
privileges of the SQL server service (SYSTEM). This was confirmed in the
default setup using the internal SQL server (SQL Anywhere). This vulnerability
can be used to exfiltrate database content (e.g. usernames and password hashes)
as well (e.g. on other DBMSs).

As the vulnerable functionality is only available for requests coming from
localhost, the XXE vulnerability (see 1) can be used to exploit it remotely.
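The two defects that make this chain work, as an added example that is not code from the advisory or from Symantec: a query built by string concatenation next to the same query with a bound parameter, and a loopback-only gate of the kind the advisory describes, which is a network filter rather than authentication and is therefore satisfied by anything that can make the server call itself. The table and rows are constructed; sqlite3 stands in for the real DBMS.

```python
"""Added example (not code from the advisory or from Symantec): the two
query styles side by side, plus a source-address gate that is not auth."""
import ipaddress
import sqlite3


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for a manager's admin table; rows are constructed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (name TEXT PRIMARY KEY, pwhash TEXT)")
    con.executemany(
        "INSERT INTO admins VALUES (?, ?)",
        [("admin", "hash-a"), ("operator", "hash-b")],
    )
    return con


def lookup_unsafe(con: sqlite3.Connection, name: str) -> list:
    """Concatenation: the value becomes part of the SQL grammar, so a quote
    in it changes what the statement means. sqlite3.execute() refuses more
    than one statement per call, so the stored-procedure route to command
    execution that the advisory describes is not reproducible here; what is
    shown is the parsing confusion that every such route starts from."""
    sql = f"SELECT name FROM admins WHERE name = '{name}'"
    return sorted(row[0] for row in con.execute(sql))


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the value can only ever be compared, never parsed."""
    rows = con.execute("SELECT name FROM admins WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def is_local_client(remote_addr: str) -> bool:
    """Allow only loopback callers. This is the gate the advisory says the
    vulnerable function hides behind; an SSRF through the XML endpoint
    arrives with a loopback source address and passes it unchanged."""
    return ipaddress.ip_address(remote_addr).is_loopback


if __name__ == "__main__":
    db = open_demo_db()
    probe = "x' OR '1'='1"          # constructed tautology, not a real payload
    print("unsafe:", lookup_unsafe(db, probe))   # every row comes back
    print("safe:  ", lookup_safe(db, probe))     # no account has that name
    print("gate:  ", is_local_client("127.0.0.1"), is_local_client("10.0.0.5"))
```

The mitigation for the second defect is not a better IP check but real authentication on the function itself; once that is in place, a request arriving via SSRF carries no credentials and fails exactly like any other unauthenticated caller.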

Note:
These vulnerabilities can be exploited via Cross-Site Request Forgery (CSRF)
as well. An attacker does not need direct network access to the vulnerable
application!


Proof of concept:
-----------------
1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)
The following request shows how XXE injection can be used to request arbitrary
resources. The affected functionality is available via TCP port 9090 (HTTP)
and 8443 (HTTPS).
Affected script: /servlet/ConsoleServlet

Detailed proof of concept exploits have been removed for this vulnerability.


2) Unauthenticated local SQL injection (CVE-2013-5015)
The following request exploits the SQL injection vulnerability to execute
arbitrary commands using the xp_cmdshell() system procedure (available in SQL
Anywhere); no authentication is needed, but it only works when executed from
localhost.

Using the XXE vulnerability, SQL injection can be exploited via the local
network/Internet. The affected functionality is available via TCP port 9090
(HTTP) and 8443 (HTTPS).
Affected script: /servlet/ConsoleServlet


This vulnerability can be used to exfiltrate database content (e.g. usernames
and password hashes) as well. All usernames and password hashes are stored
within the database as unsalted MD5 hashes.


Detailed proof of concept exploits have been removed for this vulnerability.


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Endpoint Protection
version 12.1.4013, which was the most recent version at the time of discovery.
According to Symantec, versions 11.0, 12.0 and 12.1 are affected.


Vendor contact timeline:
------------------------
2013-12-16: Sending advisory and proof of concept exploit via encrypted
channel.
2013-12-16: Vendor acknowledges receipt of advisory.
2014-01-09: Requesting status update and setting release date (2014-01-31).
2014-01-09: Vendor responds and wants to release the update in the "March timeframe".
2014-01-14: Clarifying reasons for accelerated disclosure (criticality,
increased expectations from European customers, ...) in compliance
with the SEC Consult Responsible Disclosure Policy.
2014-01-23: Contacting CERT teams (CERT-Bund Germany, CERT-CC and CERT.at).
2014-01-27: Conference call: extending advisory release date (2014-02-18).
2014-02-13: Symantec releases fixed versions.
2014-02-18: SEC Consult releases coordinated security advisory.


Solution:
---------
Update to the most recent version (11.0.7405.1424 and 12.1.4023.4080) of
Symantec Endpoint Protection.

More information can be found at:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00

https://www.symantec.com/business/support/index?page=content&id=TECH214866


Workaround:
-----------
No workaround available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2014