exploit the possibilities

Symantec Encryption Management Server Remote Command Injection

Symantec Encryption Management Server Remote Command Injection
Posted Jan 30, 2015
Authored by Paul Craig from Vantage Point

Symantec Encryption Management Server versions prior to 3.2.0 MP6 suffers from a remote command injection vulnerability.

tags | exploit, remote
MD5 | 50510916c10731276008f34f7d1f6764

Symantec Encryption Management Server Remote Command Injection

Change Mirror Download
Vantage Point Security Advisory 2014-007
========================================

Title: Symantec Encryption Management Server - Remote Command Injection
ID: VP-2014-007
Vendor: Symantec
Affected Product: Symantec Encryption Gateway
Affected Versions: < 3.2.0 MP6
Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/
Author: Paul Craig <paul[at]vantagepoint[dot]sg


Summary:
---------
Symantec Gateway Email Encryption provides centrally managed email encryption
to secure email communications with customers and partners regardless of whether
or not recipients have their own email encryption software.
With Gateway Email Encryption, organizations can minimize the risk of
a data breach while complying with regulatory mandates for information
security and privacy.

Details:
---------
Remote Command Injection vulnerabilities occur when user supplied
input is used directly as a command line argument to a fork(), execv()
or a CreateProcessA() function.

It was found that the binary /usr/bin/pgpsysconf calls the binary
/usr/bin/pgpbackup with unfiltered user supplied input when restoring
a Database Backup from the Symantec Encryption Management Web
Interface .
The user supplied 'filename' value is used directly as a command
argument, and can be concatenated to include additional commands with
the use of the pipe character.
This can allow a lower privileged Administrator to compromise the
Encryption Management Server.

This is demonstrated below in a snippet from pgpsysconf;

.text:08058FEA mov dword ptr [ebx], offset
aUsrBinPgpbacku ; "/usr/bin/pgpbackup"
.text:08058FF0 cmp [ebp+var_1D], 0
.text:08058FF4 jnz short loc_8059049
.text:08058FF6 mov ecx, 4
.text:08058FFB mov edx, 8
.text:08059000 mov eax, 0Ch
.text:08059005 mov dword ptr [ebx+ecx], offset unk_807AE50
.text:0805900C mov [ebx+edx], esi
.text:0805900F mov dword ptr [ebx+eax], 0
.text:08059016 call _fork ; Bingo..

An example to exploit this vulnerability and run the ping command can
be seen below.

POST /omc/uploadBackup.event ....
....

Content-Disposition: form-data; name="file";
filename="test123|`ping`|-whatever.tar.gz.pgp"

This vulnerability can be further exploited to gain local root access
by calling the setuid binary pgpsysconf to install a local package
file.


Fix Information:
---------
Upgrade to Symantec Encryption Management Server 3.3.2 MP7.
See http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150129_00
for more information



Timeline:
---------

2014/11/26: Issue Reported.
2015/01/30: Patch Released.


About Vantage Point Security:
---------

Vantage Point Security is the leading provider for penetration testing
and security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.

Web: https://www.vantagepoint.sg/
Contact: office[at]vantagepoint[dot]sg

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    14 Files
  • 20
    Sep 20th
    20 Files
  • 21
    Sep 21st
    3 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close