VARIoT IoT vulnerabilities database


VAR-201308-0059 CVE-2013-1616 Symantec Web Gateway An arbitrary command execution vulnerability in the appliance management console CVSS V2: 8.3
CVSS V3: -
Severity: HIGH
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allows remote attackers to execute arbitrary commands by injecting a command into an application script. Symantec Web Gateway is prone to a remote command-injection vulnerability. Successful exploits will result in the execution of arbitrary commands with elevated privileges in the context of the affected appliance. Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. A security vulnerability exists in the management console of SWG Appliance 5.1 and earlier.

SEC Consult Vulnerability Lab Security Advisory < 20130726-0 >
=======================================================================
title: Multiple vulnerabilities - Surveillance via Symantec Web Gateway
product: Symantec Web Gateway
vulnerable version: <= 5.1.0.*
fixed version: 5.1.1
CVE number: CVE-2013-1616, CVE-2013-1617, CVE-2013-4670, CVE-2013-4671, CVE-2013-4672
impact: Critical
homepage: https://www.symantec.com/
found: 2012-12-18
by: Wolfgang Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Symantec Web Gateway protects organizations against multiple types of Web-borne malware and gives organizations the flexibility of deploying it as either a virtual appliance or on physical hardware. Powered by Insight, Symantec’s innovative reputation based malware filtering technology, Web Gateway relies on a global network of greater than 210 million systems to identify new threats before they cause disruption in organizations."

URL: https://www.symantec.com/web-gateway

Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of Symantec Web Gateway in the course of a short crash test. Some components have been spot-checked, while others have not been tested at all. Several of the discovered vulnerabilities below can be chained together in order to run arbitrary commands with the privileges of the "root" user on the appliance.

An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (e.g. Active Directory/LDAP credentials) which can be used in further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if the SSL Deep Inspection feature is in use), including sensitive information like passwords and session cookies, is possible.

If SSL Deep Inspection is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company. If this private key is compromised by an attacker, arbitrary certificates can be signed. These certificates will then pass validation on the client machines, enabling various attacks targeting clients (further MITM attacks, phishing, evilgrade, ...).

The recommendation of SEC Consult is to switch off the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor.

Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670)
A reflected cross site scripting vulnerability was found. This allows effective session hijacking attacks of administrator session cookies.

2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670)
Moreover, a persistent cross site scripting vulnerability allows an unauthenticated user to inject script code into the administration interface. This script code will be executed once an administrator visits the administration interface.

3) OS Command Injection (CVE-2013-1616)
Multiple OS command injection vulnerabilities were discovered. Authenticated users can execute arbitrary commands on the underlying operating system with the privileges of the "apache" operating system user. This can be used to get persistent access to the affected system (e.g. by planting backdoors), to access all kinds of locally stored information, or to intercept web traffic that passes through the appliance.

4) Security Misconfiguration (CVE-2013-4672)
Unprivileged operating system users (e.g. apache) can gain root privileges due to a misconfiguration of the sudo program.

5) SQL Injection (CVE-2013-1617)
Several SQL injection vulnerabilities were identified that allow an authenticated administrator to issue manipulated SQL commands.

6) Cross Site Request Forgery (CVE-2013-4671)
The cross site request forgery protection implemented can be bypassed easily. Using this vulnerability, an attacker can issue requests in the context of administrative user sessions.

Several of the vulnerabilities above can be chained together by an unauthenticated attacker in order to run arbitrary commands with the privileges of the "root" operating system user on the appliance.

Proof of concept:
-----------------
1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670)
The following URL demonstrates a reflected cross site scripting vulnerability:
https://<host>/spywall/feedback_report.php?rpp=0%27%20onfocus=%22alert%28%27xss%27%29%22%20autofocus/%3E

2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670)
The "blocked.php" page, which is accessible without authentication, allows injecting script code into the "Blocking Feedback" functionality on the administration interface. The following URL demonstrates this issue. The payload of the parameter "u" will be stored permanently:
https://<host>/spywall/blocked.php?id=1&history=-2&u=%27/%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E

3) OS Command Injection (CVE-2013-1616)
The functionality to change the hostname as well as the "Test Ping" functionality allow injecting commands enclosed in backticks (`). These commands are run as the system user "apache".
Affected scripts:
/spywall/nameConfig.php
/spywall/networkConfig.php
Detailed proof of concept exploits have been removed for this vulnerability.

4) Security Misconfiguration (CVE-2013-4672)
The /etc/sudoers file allows the users "apache" and "admin" to run several critical commands with root privileges. As the user "apache" is able to run commands like "chmod", "chown" and "insmod" without the need of a password, an attacker that is able to issue commands as this user (see 3) can effectively gain root privileges.

5) SQL Injection (CVE-2013-1617)
The following URLs demonstrate the SQL injection flaws found by printing the username and password hash of all users:
https://<host>/spywall/feedback_report.php?variable[]=1) UNION SELECT 1,2,3,4,username,6,7,8,9,password FROM users -- &operator[]=notequal&operand[]=x
https://<host>/spywall/edit_alert.php?alertid=11%20UNION%20SELECT%201,2,username,password,5,6,7,8,9,10,111,12,13,14,15,16,17,18%20FROM%20users%20--%20

6) Cross Site Request Forgery (CVE-2013-4671)
As an example, the following request configures an LDAP server to authenticate administrative users:

POST /spywall/ldapConfig.php HTTP/1.1
Host: <host>
Cookie: PHPSESSID=<valid-cookie>
Content-Type: application/x-www-form-urlencoded
Content-Length: 247

posttime=9999999999&saveForm=Save&useldap=1&ldap_host=0.0.0.0&ldap_port=389&auth_method=Simple&search_base=dc%3Dtest%2Cdc%3Dlocal&ldap_user=test&ldap_password=test&dept_type=dept&user_attribute=sAMAccountName&user_attribute_other=&ldap_timeout=168

The sole CSRF protection is the "posttime" parameter, which contains a unix timestamp that has to be greater than the one in the last request. Using a value such as "9999999999" would always succeed.

Attack scenario:
----------------
Using the vulnerabilities mentioned above, the following attack has been implemented (the exploit code will not be published):

1) A user protected by Symantec Web Gateway visits a website that embeds an image (possible in most web forums), a URL or an IFrame. The URL of the resource points to a blocked page (e.g. the EICAR test file) and also includes script code (Persistent XSS).
2) If the blocked URL contains the parameter "history=-2" (which has been added by the attacker), the URL/script (Persistent XSS) is automatically stored as a "Blocking Feedback" entry in the admin interface.
3) When the administrator visits the "Blocking Feedback" page, the injected script is executed. Using the OS command injection flaw, the script now automatically downloads and executes a shell script.
4) As the user "apache" has permission to execute "chmod" and "chown" as root, the shell script can now create a SUID binary and run a reverse shell as root.
5) The attacker can now access the system with highest (root) privileges.

Note: This attack only requires a user (protected by the Symantec Web Gateway) to visit a "malicious" page. This can be achieved by sending phishing mails to employees, or by embedding images, URLs or IFrames in websites employees would likely visit. If the attacker already has access to the target network, this is of course not necessary - the persistent XSS vulnerability can be exploited directly.

Note: No prior knowledge about hostnames or internal IP addresses in the target network is needed!

A detailed proof of concept exploit has been created but will not be published.

Vendor contact timeline:
------------------------
2013-02-22: Sending advisory and proof of concept exploit via encrypted channel.
2013-02-22: Vendor acknowledges receipt of advisory.
2013-03-05: Requesting status update.
2013-03-05: Vendor confirms vulnerabilities, is working on solutions.
2013-03-22: Requesting status update.
2013-03-22: Vendor is still working on solutions.
2013-04-19: Requesting status update and release schedule.
2013-04-19: Vendor is in the "final phases" of releasing an update.
2013-06-05: Sending reminder regarding deadlines defined in disclosure policy.
2013-06-05: Vendor will release an update in "Mid-July".
2013-07-16: Vendor postpones update to timeframe between July 22 and 25.
2013-07-25: Vendor releases advisory and product update (version 5.1.1).
2013-07-26: SEC Consult releases coordinated security advisory.

More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130725_00

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Wolfgang Ettlinger / @2013
VAR-201308-0060 CVE-2013-1617 Symantec Web Gateway SQL injection vulnerability in the appliance management console CVSS V2: 7.4
CVSS V3: -
Severity: HIGH
Multiple SQL injection vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allow remote authenticated administrators to execute arbitrary SQL commands via unspecified vectors. Symantec Web Gateway is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
VAR-201308-0343 CVE-2013-4670 Symantec Web Gateway Appliance management console cross-site scripting vulnerability CVSS V2: 4.3
CVSS V3: -
Severity: MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more.
VAR-201308-0344 CVE-2013-4671 Symantec Web Gateway Appliance management console cross-site request forgery vulnerability CVSS V2: 6.0
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in the management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. Other attacks are also possible. Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. The full SEC Consult advisory 20130726-0 covering this issue is reproduced under the CVE-2013-1616 entry above.
VAR-201308-0346 CVE-2013-4673 Symantec Web Gateway Appliance management console arbitrary code execution vulnerability CVSS V2: 5.8
CVSS V3: -
Severity: MEDIUM
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 does not properly implement RADIUS authentication, which allows remote attackers to execute arbitrary code by leveraging access to the login prompt. Successful exploits will result in the execution of arbitrary commands in the context of the affected appliance. Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. There is a vulnerability in the management console of SWG Appliance versions earlier than 5.1. The vulnerability is caused by the program not implementing RADIUS authentication correctly.
VAR-201307-0136 CVE-2013-1218 Cisco Intrusion Prevention System software denial-of-service (DoS) vulnerability in Cisco ASA 5500-X IPS-SSP CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP software modules before 7.1(7)sp1E4 allows remote attackers to cause a denial of service (Analysis Engine process hang or device reload) via fragmented (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCue51272. Cisco IPS Software is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected device to reload, denying service to legitimate users. This issue is being tracked by Cisco Bug ID CSCue51272. Cisco Intrusion Prevention System (IPS) is an intrusion prevention system from Cisco. The system can immediately interrupt, adjust or isolate abnormal or harmful network traffic. A buffer overflow vulnerability exists in the IPS software in versions prior to 7.1(7)sp1E4 of the ASA 5500-X IPS-SSP software module.
VAR-201307-0135 CVE-2013-1243 Cisco IPS Software IP stack denial-of-service (DoS) vulnerability in Cisco ASA 5500-X IPS-SSP and IPS sensors CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The IP stack in Cisco Intrusion Prevention System (IPS) Software in ASA 5500-X IPS-SSP software and hardware modules before 7.1(5)E4, IPS 4500 sensors before 7.1(6)E4, and IPS 4300 sensors before 7.1(5)E4 allows remote attackers to cause a denial of service (MainApp process hang) via malformed IPv4 packets, aka Bug ID CSCtx18596. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCtx18596. A third party may cause a denial of service (MainApp process hang) via malformed IPv4 packets. Cisco IPS Software is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCtx18596. Cisco Intrusion Prevention System (IPS) is an intrusion prevention system from Cisco. The system can immediately interrupt, adjust or isolate abnormal or harmful network traffic. A remote attacker can send malformed IP packets to exploit this vulnerability and cause a denial of service (MainApp process hang).
VAR-201307-0231 CVE-2013-3402 Arbitrary command execution vulnerability in an unspecified function of Cisco Unified Communications Manager CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
An unspecified function in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary commands via unknown vectors, aka Bug ID CSCuh73440. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh73440. A remote authenticated user may execute arbitrary commands. Successfully exploiting this issue may allow an attacker to execute arbitrary OS commands with the privileges of the database user in the context of the affected application. This issue is being tracked by Cisco Bug ID CSCuh73440. Versions prior to Unified Communications Manager 9.1(2) are affected. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
VAR-201307-0232 CVE-2013-3403 Privilege escalation vulnerability in Cisco Unified Communications Manager CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Multiple untrusted search path vulnerabilities in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allow local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCuh73454. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh73454. Supplementary information: the CWE vulnerability type has been identified as CWE-426: Untrusted Search Path. Local attackers can exploit these issues to gain elevated privileges. Successful exploits will result in the complete compromise of affected computers. This issue is being tracked by Cisco Bug IDs CSCuh73454 and CSCuh87042. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
VAR-201307-0233 CVE-2013-3404 SQL injection vulnerability in Cisco Unified Communications Manager CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, leading to discovery of encrypted credentials by leveraging metadata, aka Bug ID CSCuh01051. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCuh01051. A third party may execute arbitrary SQL commands and discover encrypted credentials by leveraging metadata. Exploiting this issue could allow an authenticated attacker to compromise the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is tracked by Cisco Bug ID CSCuh01051. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
VAR-201307-0197 CVE-2013-3410 Cisco Intrusion Prevention System software denial-of-service (DoS) vulnerability in Cisco IPS NME CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Cisco Intrusion Prevention System (IPS) Software on IPS NME devices before 7.0(9)E4 allows remote attackers to cause a denial of service (device reload) via malformed IPv4 packets that trigger incorrect memory allocation, aka Bug ID CSCua61977. Cisco IPS Software is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the system to reload, which leads to denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCua61977. Cisco Intrusion Prevention System (IPS) is an intrusion prevention system from Cisco. The system can immediately interrupt, adjust or isolate abnormal or harmful network traffic.
VAR-201307-0198 CVE-2013-3411 Denial-of-service (DoS) vulnerability in the IDSM-2 drivers of Cisco IPS running on Cisco Catalyst 6500 devices with an IDSM-2 module CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The IDSM-2 drivers in Cisco Intrusion Prevention System (IPS) Software on Cisco Catalyst 6500 devices with an IDSM-2 module allow remote attackers to cause a denial of service (device hang) via malformed IPv4 TCP packets, aka Bug ID CSCuh27460. Cisco IPS Software is prone to a remote denial-of-service vulnerability. Attackers can exploit this issue to cause the system kernel to become unresponsive, which leads to denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCuh27460. Cisco Intrusion Prevention System (IPS) is an intrusion prevention system from Cisco. The system can immediately interrupt, adjust or isolate abnormal or harmful network traffic.
VAR-201307-0199 CVE-2013-3412 SQL injection vulnerability in Cisco Unified Communications Manager CVSS V2: 6.5
CVSS V3: -
Severity: MEDIUM
SQL injection vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuh81766. Exploiting this issue could allow an authenticated attacker to compromise the affected application, access or modify data, or exploit latent vulnerabilities in the underlying database. This issue is tracked by Cisco Bug ID CSCuh81766. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
VAR-201307-0220 CVE-2013-3433 Privilege escalation vulnerability in Cisco Unified Communications Manager CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Untrusted search path vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCui02276. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCui02276. Supplementary information: the CWE vulnerability type has been identified as CWE-426: Untrusted Search Path. Local attackers can exploit this issue to gain elevated privileges. Successful exploits will result in the complete compromise of affected computers. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
VAR-201307-0221 CVE-2013-3434 Privilege escalation vulnerability in Cisco Unified Communications Manager CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Untrusted search path vulnerability in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(1a) allows local users to gain privileges by leveraging unspecified file-permission and environment-variable issues for privileged programs, aka Bug ID CSCui02242. The vendor has confirmed this vulnerability and tracks it as Bug ID CSCui02242. Supplementary information: the CWE vulnerability type has been identified as CWE-426: Untrusted Search Path. Local attackers can exploit this issue to gain elevated privileges. Successful exploits will result in the complete compromise of affected computers. This component provides a scalable, distributed and highly available enterprise IP telephony call processing solution.
VAR-201308-0345 CVE-2013-4672 Symantec Web Gateway appliance management console access restriction bypass vulnerability CVSS V2: 7.2
CVSS V3: -
Severity: HIGH
The management console on the Symantec Web Gateway (SWG) appliance before 5.1.1 has an incorrect sudoers file, which allows local users to bypass intended access restrictions via a command. Symantec Web Gateway is prone to a vulnerability that can allow an attacker to execute arbitrary commands. Successful exploits will result in the execution of arbitrary commands with elevated privileges. Versions prior to Symantec Web Gateway 5.1.1 are vulnerable. Symantec Web Gateway (SWG) is a set of network content filtering software developed by Symantec Corporation of the United States. The software provides web content filtering, data loss prevention, and more. SEC Consult Vulnerability Lab Security Advisory < 20130726-0 > ======================================================================= title: Multiple vulnerabilities - Surveillance via Symantec Web Gateway product: Symantec Web Gateway vulnerable version: <= 5.1.0.* fixed version: 5.1.1 CVE number: CVE-2013-1616, CVE-2013-1617, CVE-2013-4670, CVE-2013-4671, CVE-2013-4672 impact: Critical homepage: https://www.symantec.com/ found: 2012-12-18 by: Wolfgang Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- "Symantec Web Gateway protects organizations against multiple types of Web-borne malware and gives organizations the flexibility of deploying it as either a virtual appliance or on physical hardware. Powered by Insight, Symantec’s innovative reputation based malware filtering technology, Web Gateway relies on a global network of greater than 210 million systems to identify new threats before they cause disruption in organizations." URL: https://www.symantec.com/web-gateway Business recommendation: ------------------------ SEC Consult has identified several vulnerabilities within the components of Symantec Web Gateway in the course of a short crash test. 
Some components have been spot-checked, while others have not been tested at all. Several of the discovered vulnerabilities below can be chained together in order to run arbitrary commands with the privileges of the "root" user on the appliance. An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/LDAP credentials) which can be used in further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if SSL Deep Inspection feature in use), including sensitive information like passwords and session cookies is possible. If SSL Deep Inspection is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company. If this private key is compromised by an attacker, arbitrary certificates can be signed. These certificates will then pass validation on the client machines, enabling in various attacks targeting clients (further MITM attacks, phishing, evilgrade, ...). The recommendation of SEC Consult is to switch off the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor. Vulnerability overview/description: ----------------------------------- 1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670) A reflected cross site scripting vulnerability was found. This allows effective session hijacking attacks of administrator session cookies. 2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670) Moreover a persistent cross site scripting vulnerability allows an unauthenticated user to inject script code into the administration interface. This script code will be executed once an administrator visits the administration interface. 
3) OS Command Injection (CVE-2013-1616) Multiple OS command injection vulnerabilities were discovered. Authenticated users can execute arbitrary commands on the underlying operating system with the privileges of the "apache" operating system user. This can be used to get persistent access to the affected system (eg. by planting backdoors), accessing all kinds of locally stored information or interception of web traffic that passes through the appliance. 4) Security Misconfiguration (CVE-2013-4672) Unprivileged operating system users (eg. apache) can gain root privileges due to a misconfiguration of the sudo program. 5) SQL Injection (CVE-2013-1617) Several SQL injection vulnerabilities were identified that allow an authenticated administrator to issue manipulated SQL commands. 6) Cross Site Request Forgery (CVE-2013-4671) The cross site request forgery protection implemented can be bypassed easily. Using this vulnerability, an attacker can issue requests in the context of administrative user sessions. Several of the vulnerabilities above can be chained together by an unauthenticated attacker in order to run arbitrary commands with the privileges of the "root" operating system user on the appliance. Proof of concept: ----------------- 1) Reflected Cross Site Scripting (XSS) (CVE-2013-4670) The following URL demonstrates a reflected cross site scripting vulnerability: https://<host>/spywall/feedback_report.php?rpp=0%27%20onfocus=%22alert%28%27xss%27%29%22%20autofocus/%3E 2) Persistent Cross Site Scripting (XSS) (CVE-2013-4670) The "blocked.php" page which is accessible without authentication allows to inject script code to the "Blocking Feedback" functionality on the administration interface. The following URL demonstrates this issue. 
The payload of the parameter "u" will be stored permanently: https://<host>/spywall/blocked.php?id=1&history=-2&u=%27/%3E%3Cscript%3Ealert%28%27xss%27%29;%3C/script%3E 3) OS Command Injection (CVE-2013-1616) The functionality to change the hostname as well as the "Test Ping" functionality allow to inject commands enclosed in backticks (`). These commands are run as the system user "apache". Affected scripts: /spywall/nameConfig.php /spywall/networkConfig.php Detailed proof of concept exploits have beem removed for this vulnerability. 4) Security Misconfiguration (CVE-2013-4672) The /etc/sudoers file allows the users "apache" and "admin" to run several critical commands with root privileges. As the user "apache" is able to run commands like "chmod", "chown" and "insmod" without the need of a password, an attacker that is able to issue commands as this user (see 3) can effectively gain root privileges. 5) SQL Injection (CVE-2013-1617) The following URLs demonstrate the SQL injection flaws found by printing the username and password hash of all users: https://<host>/spywall/feedback_report.php?variable[]=1) UNION SELECT 1,2,3,4,username,6,7,8,9,password FROM users -- &operator[]=notequal&operand[]=x https://<host>/spywall/edit_alert.php?alertid=11%20UNION%20SELECT%201,2,username,password,5,6,7,8,9,10,111,12,13,14,15,16,17,18%20FROM%20users%20--%20 6) Cross Site Request Forgery (CVE-2013-4671) As an example, the following request configures a LDAP server to authenticate administrative users: POST /spywall/ldapConfig.php HTTP/1.1 Host: <host> Cookie: PHPSESSID=<valid-cookie> Content-Type: application/x-www-form-urlencoded Content-Length: 247 posttime=9999999999&saveForm=Save&useldap=1&ldap_host=0.0.0.0&ldap_port=389&auth_method=Simple&search_base=dc%3Dtest%2Cdc%3Dlocal&ldap_user=test&ldap_password=test&dept_type=dept&user_attribute=sAMAccountName&user_attribute_other=&ldap_timeout=168 The sole CSRF protection is the "posttime" parameter that contains a unix timestamp 
that has to be greater than the one in the last request. Using the value of eg. "9999999999" would always succeed. Attack scenario: ---------------- Using the vulnerabilities mentioned above, the following attack has been implemented (the exploit code will not be published): 1) A user protected by Symantec Web Gateway visits a website that embeds an image (possible in most web forums), a URL or an IFrame. The URL of the resource points to a blocked page (eg. the EICAR test file) and also includes script code (Persistent XSS). If the blocked URL contains the parameter "history=-2" (which has been added by the attacker) the URL/script (Persistent XSS) is automatically stored as a "Blocking Feedback" entry in the admin interface 3) When the administrator visits the "Blocking Feedback" page, the injected script is executed. Using the OS command injection flaw, the script now automatically downloads and executes a shell script. 4) As the user "apache" has permission to execute "chmod" and "chown" as root, the shell script can now create a SUID binary and run a reverse shell as root. 5) The attacker can now access the system with highest (root) privileges Note: This attack only requires a user (protected by the Symantec Web Gateway) to visit a "malicious" page. This can be achieved by sending phishing mails to employees, or embedding images, URLs or IFrames in websites employees would likely visit. If the attacker has already access to the target network, this is of course not necessary - the persistent XSS vulnerability can be exploited directly. Note: No prior knowledge about hostnames or internal IP addresses in the target network is needed! A detailed proof of concept exploit has been created but will not be published. Vendor contact timeline: ------------------------ 2013-02-22: Sending advisory and proof of concept exploit via encrypted channel. 2013-02-22: Vendor acknowledges receipt of advisory. 2013-03-05: Requesting status update. 
2013-03-05: Vendor confirms vulnerabilities, is working on solutions.
2013-03-22: Requesting status update.
2013-03-22: Vendor is still working on solutions.
2013-04-19: Requesting status update and release schedule.
2013-04-19: Vendor is in the "final phases" of releasing an update.
2013-06-05: Sending reminder regarding deadlines defined in disclosure policy.
2013-06-05: Vendor will release an update in "Mid-July".
2013-07-16: Vendor postpones update to timeframe between July 22 and 25.
2013-07-25: Vendor releases advisory and product update (version 5.1.1).
2013-07-26: SEC Consult releases coordinated security advisory.

More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20130725_00

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Wolfgang Ettlinger / @2013
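Two of the server-side weaknesses in the SEC Consult advisory above are generic enough to model: a CSRF "check" that only requires the posted timestamp to be larger than the previous one, and a form value (hostname or ping target) pasted into a shell command line so that backticks are executed. The following is an added illustration, not Symantec code: the appliance scripts are PHP and were not published, so this Python model uses `echo` as an offline stand-in for `ping`/`hostname`, and the form field names and sample values are constructed. It places each weak pattern beside its hardened form.

```python
"""Weak vs hardened handling of an appliance "change hostname / test ping" request.

Added illustration, not the product's code.  `echo` stands in for the real
ping/hostname command so the example runs offline; form fields are constructed.
"""
import hmac
import ipaddress
import re
import secrets
import shlex
import subprocess


# ---------------------------------------------------------------- CSRF check
class WeakPostTimeGuard:
    """The check the advisory describes: accept the request if "posttime" is
    larger than the previous request's.  Nothing in it is secret, so a forged
    cross-site form carrying posttime=9999999999 always passes."""

    def __init__(self):
        self.last_posttime = 0

    def check(self, form):
        posttime = int(form.get("posttime", 0))
        if posttime <= self.last_posttime:
            return False
        self.last_posttime = posttime
        return True


class TokenGuard:
    """Hardened: an unpredictable per-session token that an attacker's page
    cannot read (same-origin policy), compared in constant time."""

    def __init__(self):
        self.token = secrets.token_urlsafe(32)  # kept in the server-side session

    def check(self, form):
        supplied = form.get("csrf_token", "").encode()
        return hmac.compare_digest(supplied, self.token.encode())


# ------------------------------------------------------- hostname / ping target
# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_host(value):
    """Accept an IPv4/IPv6 literal or an RFC 1123 host name, nothing else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def run_unsafe(target):
    """Flawed pattern: the form value is pasted into a /bin/sh command line,
    so anything inside `...` is executed by the shell as the web server user."""
    return subprocess.run(f"echo {target}", shell=True,
                          capture_output=True, text=True).stdout


def run_quoted(target):
    """Minimal fix when a shell string is unavoidable: quote the value so the
    shell treats it as one literal word and performs no substitution."""
    return subprocess.run(f"echo {shlex.quote(target)}", shell=True,
                          capture_output=True, text=True).stdout


def safe_argv(target):
    """Preferred fix: validate, then pass the value as a single argv element
    with no shell involved at all."""
    if not is_valid_host(target):
        raise ValueError(f"rejected host value: {target!r}")
    return ["echo", target]


def run_safe(target):
    return subprocess.run(safe_argv(target), capture_output=True, text=True).stdout


if __name__ == "__main__":
    forged = {"posttime": "9999999999", "hostname": "`id`"}   # cross-site form
    weak, strong = WeakPostTimeGuard(), TokenGuard()
    weak.check({"posttime": "1374800000"})          # the admin's own earlier request
    print("weak guard accepts forged form :", weak.check(forged))    # True
    print("token guard accepts forged form:", strong.check(forged))  # False
    print("unsafe :", run_unsafe("`echo injected`").strip())          # injected
    print("quoted :", run_quoted("`echo injected`").strip())          # `echo injected`
    print("safe   :", run_safe("10.0.0.1").strip())                   # 10.0.0.1
```

In this model the forged timestamp has a second effect worth noticing: once 9999999999 has been recorded as the "last" value, genuine requests with a real current timestamp fail the weak check, so the guard is both bypassable and fragile. The token guard needs no ordering state at all.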
VAR-201307-0205 CVE-2013-3420 Cisco Identity Services Engine of Web Cross-site request forgery vulnerability in framework CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
Cross-site request forgery (CSRF) vulnerability in the web framework on the Cisco Identity Services Engine (ISE) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuh25506. The vendor has confirmed this vulnerability and tracks it as Cisco Bug ID CSCuh25506. A third party may be able to hijack the authentication of any user: exploiting this issue may allow a remote attacker to perform unauthorized actions and gain access to the affected application, and other attacks are also possible. ISE monitors the network by collecting real-time information on the network, its users and devices, and formulating and enforcing the corresponding policies.
VAR-201307-0211 CVE-2013-3426 Cisco 9900 IP phones Vulnerable to reading arbitrary files CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Serviceability servlet on Cisco 9900 IP phones does not properly restrict paths, which allows remote attackers to read arbitrary files by specifying a pathname in a file request, aka Bug ID CSCuh52810. The Cisco Unified IP Phone 9900 series is an IP telephony device developed by Cisco that provides voice and video functions. Because the path value is not properly filtered, an attacker can submit a file request containing a crafted pathname and retrieve any file on the phone. An attacker can exploit this issue to download arbitrary files within the context of the device; the information obtained may aid in further attacks. This issue is being tracked by Cisco Bug ID CSCuh52810.
VAR-201308-0167 CVE-2013-2796 plural Schneider Electric Vulnerability to read arbitrary files in the product CVSS V2: 6.9
CVSS V3: -
Severity: MEDIUM
Schneider Electric Vijeo Citect 7.20 and earlier, CitectSCADA 7.20 and earlier, and PowerLogic SCADA 7.20 and earlier allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. Vijeo Citect, CitectSCADA and PowerLogic SCADA are Schneider Electric (France) products that provide monitoring and control functions in supervisory control and data acquisition (SCADA) systems; Schneider Electric provides solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. The flaw is an improperly restricted XML external entity reference: an attacker who can submit specially crafted XML data that references external resources can read local files (information disclosure), make the server issue requests to internal hosts, or exhaust CPU and memory (denial of service). The following products are affected: Vijeo Citect 7.20 and prior, CitectSCADA 7.20 and prior, PowerLogic SCADA 7.20 and prior.
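The three impacts listed in the description above (reading local files, requests to intranet hosts, CPU and memory exhaustion) all begin with an entity declaration in the document's DTD that is later referenced in content. The following added example, which is not Schneider Electric code, constructs one sample document of each shape and shows a parser built on Python's standard-library expat bindings that aborts at the first `<!ENTITY ...>` declaration, before any entity is expanded. The element names, the `file:///etc/passwd` path and the `10.0.0.5` host inside the samples are placeholders.

```python
"""Reject XML documents that declare entities (the XXE shape described above).

Added illustration, not Schneider Electric code.  The sample documents are
constructed here; the path and host they reference are placeholders.
"""
import xml.parsers.expat

# A well-formed document with no DTD: must parse normally.
BENIGN_XML = "<report><tag>PUMP_01</tag><value>42</value></report>"

# Classic XXE: declare an external entity, then reference it in content.
XXE_FILE_READ = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE report [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    "<report><tag>&xxe;</tag></report>"
)

# Same shape pointed at an internal host (the "requests to intranet servers" impact).
XXE_SSRF = '<!DOCTYPE r [<!ENTITY xxe SYSTEM "http://10.0.0.5/">]><r>&xxe;</r>'

# Entity expansion bomb: internal entities only, no SYSTEM id, exponential growth
# on expansion (the "CPU and memory consumption" impact).
BILLION_LAUGHS = (
    '<!DOCTYPE lolz [<!ENTITY lol "lol">'
    '<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    '<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
    "<lolz>&lol3;</lolz>"
)


class EntityDeclarationRejected(ValueError):
    def __init__(self, name, system_id):
        super().__init__(f"entity {name!r} declared (SYSTEM={system_id!r})")
        self.name = name
        self.system_id = system_id


def parse_safely(document):
    """Parse `document` and return a list of (tag, text) pairs in end-tag order.

    Every <!ENTITY ...> declaration, internal or external, is reported by expat
    before any reference to it is expanded, so raising there blocks file
    disclosure, server-side requests and expansion bombs alike.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements, stack = [], []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclarationRejected(name, system_id)

    def on_start(tag, attrs):
        stack.append([tag, ""])

    def on_chars(data):           # expat may deliver text in several chunks
        if stack:
            stack[-1][1] += data

    def on_end(tag):
        name, text = stack.pop()
        elements.append((name, text))

    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(document, True)
    return elements


def rejected_entity(document):
    """Return (name, system_id) of the entity that caused rejection, or None
    if the document parsed cleanly."""
    try:
        parse_safely(document)
    except EntityDeclarationRejected as exc:
        return (exc.name, exc.system_id)
    return None


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_XML), ("file read", XXE_FILE_READ),
                       ("ssrf", XXE_SSRF), ("bomb", BILLION_LAUGHS)]:
        print(f"{label:10s} -> {rejected_entity(doc)}")
```

Rejecting the whole DTD is the approach the defusedxml package takes for the standard-library parsers; it is simpler and safer than trying to allow "harmless" entities, because the expansion bomb above contains no SYSTEM identifier at all and would slip past a check that only looks for external references.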
VAR-201307-0386 CVE-2013-4874 Verizon Wireless Network Extender multiple vulnerabilities

Related entries in the VARIoT exploits database: VAR-E-201307-0259
CVSS V2: 6.2
CVSS V3: -
Severity: MEDIUM
The Uboot bootloader on the Verizon Wireless Network Extender SCS-26UC4 allows physically proximate attackers to obtain root access by connecting a crafted HDMI cable and using a sys session to modify the ramboot environment variable. iSEC Partners has reported that the Verizon Wireless Network Extender models SCS-26UC4 and SCS-2U01, made by Samsung, are susceptible to local compromise using a custom HDMI cable. Once compromised, the device can be used to eavesdrop on voice, text and data communication of mobile devices that connect to the Network Extender. The Verizon Wireless Network Extender is a low-power cellular base station (femtocell) that provides cellular coverage over the owner's Internet connection. Two issues are described. First, privilege escalation: an attacker with physical access connects a custom console cable to the device, uses the SysRq (System Request) interrupt to reach the console, and submits a command sequence to obtain a root shell. Second, phone cloning: the Network Extender does not use Cellular Authentication and Voice Encryption (CAVE) authentication and identifies a handset by its ESN and MIN alone. These numbers can be obtained by physical access to the phone or by sniffing the registration messages it sends to the Network Extender; an attacker running custom code on a compromised Network Extender can therefore use any phone's ESN and MIN to clone that phone without physical access to it. Attackers can use these vulnerabilities to execute arbitrary code with elevated privileges and take complete control of the device. This BID is being retired.