fleetjas.blogg.se

Symantec endpoint protection 14 15 user










The previous disclosure of the vulnerabilities in Symantec Endpoint Protection (SEP) 12.x showed that a compromise of both the SEP Manager and the managed clients is possible and can have a severe impact on a whole corporate environment. Unfortunately, in older versions of SEP, namely the versions 11.x, some of the flawed features of 12.x weren’t even implemented, e. However, SEP 11.x has other vulnerabilities that can have the same impact.

Vulnerabilities in Symantec Endpoint Protection 11.x

The following vulnerabilities have been discovered in Symantec Endpoint Protection 11.x:

SEP Manager SQL Injection: Allows the execution of arbitrary SQL on the SQL Server by unauthenticated users.

Command Injection: Allows the execution of arbitrary commands with 'NT Authority\SYSTEM' privileges by users with write access to the database, e.g., via the before-mentioned SQL injection.

SEP Client Binary Planting: Allows the execution of arbitrary code with 'NT Authority\SYSTEM' privileges on SEP clients running Windows by local users.

As SEP 11.x has been out of support since early 2015 and Symantec won’t provide a patch, you are highly advised to upgrade to 12.1.

The AgentRegister operation of the AgentServlet is vulnerable to SQL injections within the HardwareKey attribute:

To reach that point, we need to provide a valid DomainID, which can be retrieved from a SEP client installation from the SyLink.xml file located in C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Config.

Exploiting this vulnerability is a little more complicated. For example, changing a SEPM administrator user’s password requires the manipulation of a configuration stored as an XML document in the database. The administrative users are stored in the SemConfigRoot document in the basic_metadata table with the hard-coded ID B655E64D0A320801000000E164041B79. An administrator entry might look like this:

The complicated part is that this configuration document is crucial for the whole SEPM. Any changes resulting in an invalid XML document result in a denial of service. That’s why it’s important that any change results in a valid document as well.

So how can we modify that document to our advantage? The stored PasswordHash is simply the MD5 of the password in hexadecimal representation. So replacing that attribute value with a new one would allow us to log in with that password. But we know neither the current PasswordHash value (obviously!) nor any other attribute value that we can use as an anchor point for the string manipulation. However, we know other parts of the SemAdministrator element that we can use. For example, if we replace ' PasswordHash=' by ' PasswordHash="" OldPasswordHash=', we can set our own PasswordHash value while being able to reverse the operation by replacing ' PasswordHash="" OldPasswordHash=' by ' PasswordHash=':











