One Article Review

Source: Code White
Identifier: 351857
Publication date: 2015-08-04 07:59:03 (viewed: 2015-08-04 07:59:03)
Title: Compromised by Endpoint Protection
Text:

In a recent research project, Markus Wulftange of Code White discovered several critical vulnerabilities in the Symantec Endpoint Protection (SEP) suite 12.1, affecting versions prior to 12.1 RU6 MP1 (see SYM15-007). As with any centralized enterprise management solution, compromising a management server is quite attractive for an attacker, as it generally allows some kind of control over its managed clients. Taking control of the manager can yield a takeover of the whole enterprise network.

In this post, we will take a closer look at some of the discovered vulnerabilities in detail and demonstrate their exploitation. In combination, they effectively allow an unauthenticated attacker the execution of arbitrary commands with 'NT Authority\SYSTEM' privileges on both the SEP Manager (SEPM) server and on SEP clients running Windows. That can result in the full compromise of a whole corporate network.

Vulnerabilities in Symantec Endpoint Protection 12.1

Code White discovered the following vulnerabilities in Symantec Endpoint Protection 12.1:

SEP Manager
- Authentication Bypass (CVE-2015-1486): allows unauthenticated attackers access to SEPM
- Multiple Path Traversals (CVE-2015-1487, CVE-2015-1488, CVE-2015-1490): allow reading and writing arbitrary files, resulting in the execution of arbitrary commands with 'NT Service\semsrv' privileges
- Privilege Escalation (CVE-2015-1489): allows the execution of arbitrary OS commands with 'NT Authority\SYSTEM' privileges
- Multiple SQL Injections (CVE-2015-1491): allow the execution of arbitrary SQL

SEP Clients
- Binary Planting (CVE-2015-1492): allows the execution of arbitrary code with 'NT Authority\SYSTEM' privileges on SEP clients running Windows

The objective of our research was to find a direct way to take over a whole Windows domain, and thus aimed at a full compromise of the SEPM server and the SEP clients running on Windows. Executing post-exploitation techniques, like lateral movement, would be the next step if the domain controller hasn't already been compromised by this. Therefore, we focused on SEPM's Remote Java or Web Console, which is probably the most exposed interface (accessible via TCP ports 8443 and 9090) and offers most of the functionality of SEPM's remote interfaces. There are further entry points, which may also be vulnerable and exploitable to gain access to SEPM, its server, or the SEP clients. For example, SEP clients for Mac and Linux may also be vulnerable to Binary Planting.

Attack Vector and Exploitation

A full compromise of the SEPM server and SEP clients running Windows was possible through the following steps:
1. Gaining administrative access to the SEP Manager (CVE-2015-1486)
2. Full compromise of the SEP Manager server (CVE-2015-1487 and CVE-2015-1489)
3. Full compromise of SEP clients running Windows (CVE-2015-1492)

CVE-2015-1486: SEPM Authentication Bypass

SEPM uses sessions after the initial authentication. User information is stored in an AdminCredential object, which is
Sent: Yes


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from a previous one.