One Article Review

Source: Code White
Identifier: 351854
Publication date: 2016-02-23 14:50:40 (seen: 2016-02-23 14:50:40)
Title: Compromised by Endpoint Protection: Legacy Edition
Text

The previous disclosure of the vulnerabilities in Symantec Endpoint Protection (SEP) 12.x showed that a compromise of both the SEP Manager and the managed clients is possible and can have a severe impact on a whole corporate environment. Unfortunately, in older versions of SEP, namely 11.x, some of the flawed features of 12.x were not even implemented, e.g. the password reset feature. However, SEP 11.x has other vulnerabilities that can have the same impact.

Vulnerabilities in Symantec Endpoint Protection 11.x

The following vulnerabilities have been discovered in Symantec Endpoint Protection 11.x:

SEP Manager:
SQL Injection: allows the execution of arbitrary SQL on the SQL Server by unauthenticated users.
Command Injection: allows the execution of arbitrary commands with 'NT Authority\SYSTEM' privileges by users with write access to the database, e.g. via the aforementioned SQL injection.

SEP Client:
Binary Planting: allows the execution of arbitrary code with 'NT Authority\SYSTEM' privileges on SEP clients running Windows by local users.

As SEP 11.x has been out of support since early 2015 and Symantec will not provide a patch, you are strongly advised to upgrade to 12.1.

SEP Manager SQL Injection

The AgentRegister operation of the AgentServlet is vulnerable to SQL injection within the HardwareKey attribute. To reach that point, we need to provide a valid DomainID, which can be retrieved from a SEP client installation from the SyLink.xml file located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config.

Exploiting this vulnerability is a little more complicated. For example, changing a SEPM administrator user's password requires the manipulation of a configuration stored as an XML document in the database. The administrative users are stored in the SemConfigRoot document in the basic_metadata table with the hard-coded ID B655E64D0A320801000000E164041B79. An administrator entry is a SemAdministrator element carrying, among other attributes, a PasswordHash attribute.

The complicated part is that this configuration document is crucial for the whole SEPM. Any change that results in an invalid XML document causes a denial of service, so every change must leave the document valid. So how can we modify the document to our advantage? The stored PasswordHash is simply the MD5 of the password in hexadecimal representation, so replacing that attribute value with a new one would allow us to log in with that password. But we know neither the current PasswordHash value (obviously!) nor any other attribute value that we could use as an anchor for the string manipulation. However, we do know other parts of the SemAdministrator element that we can use. For example, if we replace ' PasswordHash=' by ' PasswordHash="[…]" OldPasswordHash=', we can set our own PasswordHash value while remaining able to reverse the operation by replacing ' PasswordHash="[…]" OldPasswordHash=' by ' PasswordHash='. Here we first perform the reverse operation (line 14) before updating the PasswordHash value with ours (line 15), to avoid accidentally creating an invalid document if the update is executed multiple times. There
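The reversible replacement trick described above, as an added example that is not part of the original article: the SemConfigRoot document is modelled as a constructed, minimal XML string (the SemConfigRoot and SemAdministrator names and the PasswordHash attribute come from the article; the administrator names and hash values are made up), and the two-step edit is applied in Python rather than through the SQL injection, so that its repeatability, its reversal, and the failure of the naive single-step variant can be checked offline with the standard library's XML parser. Whether SEPM stores the MD5 digest in upper- or lower-case hex is not stated in the article; lower-case is assumed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-in for the SemConfigRoot document. The real document is far
# larger; only the SemAdministrator elements and their PasswordHash attribute
# matter here. Both administrator names and both hash values are made up.
ADMIN_HASH = "0123456789abcdef0123456789abcdef"
AUDITOR_HASH = "fedcba9876543210fedcba9876543210"
SAMPLE_DOC = (
    "<SemConfigRoot>"
    f'<SemAdministrator Name="admin" PasswordHash="{ADMIN_HASH}"/>'
    f'<SemAdministrator Name="auditor" PasswordHash="{AUDITOR_HASH}"/>'
    "</SemConfigRoot>"
)

# The known, stable part of the element used as the anchor. The leading space
# matters: it stops the search from matching inside ' OldPasswordHash=' when the
# edit is run a second time.
ANCHOR = " PasswordHash="


def sep_password_hash(password: str) -> str:
    """SEPM 11.x stores the administrator password as the MD5 of the password in
    hex (case assumed lower here)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def injected_prefix(new_hash: str) -> str:
    """Replacement text: sets our hash and renames the original attribute to
    OldPasswordHash so its (unknown) value is preserved, not destroyed."""
    return f' PasswordHash="{new_hash}" OldPasswordHash='


def set_password_hash(doc: str, new_hash: str) -> str:
    """Two-step, repeatable edit in the article's order: (1) undo any earlier run
    of ours, then (2) inject. Note that a plain string replace hits every
    SemAdministrator element in the document, not just one."""
    prefix = injected_prefix(new_hash)
    doc = doc.replace(prefix, ANCHOR)   # step 1: reverse a previous application
    return doc.replace(ANCHOR, prefix)  # step 2: set our PasswordHash


def naive_set_password_hash(doc: str, new_hash: str) -> str:
    """Step 2 alone. Fine the first time; a second run yields a duplicate
    OldPasswordHash attribute, i.e. an unparseable document."""
    return doc.replace(ANCHOR, injected_prefix(new_hash))


def restore_password_hash(doc: str, new_hash: str) -> str:
    """Clean-up: put the original hash back and drop OldPasswordHash."""
    return doc.replace(injected_prefix(new_hash), ANCHOR)


def is_well_formed(doc: str) -> bool:
    """The check that matters: an invalid document would take SEPM down."""
    try:
        ET.fromstring(doc)
        return True
    except ET.ParseError:
        return False


def administrators(doc: str) -> list:
    """Attribute dicts of every SemAdministrator element, for inspection."""
    return [dict(el.attrib) for el in ET.fromstring(doc).iter("SemAdministrator")]


if __name__ == "__main__":
    new_hash = sep_password_hash("password")
    edited = set_password_hash(SAMPLE_DOC, new_hash)
    print("well-formed after edit:", is_well_formed(edited))
    print("well-formed after second edit:", is_well_formed(set_password_hash(edited, new_hash)))
    print("well-formed after second naive edit:",
          is_well_formed(naive_set_password_hash(edited, new_hash)))
    print("restored to original:", restore_password_hash(edited, new_hash) == SAMPLE_DOC)
    for admin in administrators(edited):
        print(admin)
```

Running the script shows the two-step form surviving a repeated application while the naive form breaks the document on its second run, which is exactly the denial-of-service the article warns about.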