Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security VulnWatch
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[VulnWatch] Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosur

from [advisory] Network Security [Permanent Link]
Subject: [VulnWatch] Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability
Date: Fri, 21 Apr 2006 12:18:08 -0700 
_______________________________________________________________________
                     Rapid7, LLC Security Advisory
_______________________________________________________________________

Rapid7 Advisory R7-0023
Symantec Scan Engine File Disclosure Vulnerability

   Published:  April 21, 2006
   Revision:   1.0
   http://www.rapid7.com/advisories/R7-0023.html

   CVE: CVE-2006-0232

1. Affected system(s):

   KNOWN VULNERABLE:
    o Symantec Scan Engine v5.0.0.24

   KNOWN FIXED:
    o Symantec Scan Engine v5.1.0.7

   UNKNOWN (PROBABLY VULNERABLE):
    o All v5.0.x.x
    o Earlier versions

2. Summary

   There is a vulnerability in Symantec Scan Engine which allows
   unauthenticated remote users to download any file located under the
   Symantec Scan Engine installation directory. For instance the
   configuration file, the scanning logs, as well as the current virus
   definitions can all be accessed by any remote user using regular or
   specially crafted HTTP requests.

   NeXpose, Rapid7's award-winning vulnerability assessment platform,
   checks for this vulnerability and other vulnerabilities we have
   discovered in Symantec Scan Engine. Visit http://www.rapid7.com
   to register for a free demo of NeXpose.

3. Vendor status and information

   Symantec Corporation
   http://www.symantec.com

   Symantec was notified of this vulnerability on January 17, 2006.
   They acknowledged the vulnerability, then provided us with a
   fixed version. Rapid7's advisory was publicly released on April 21,
   2006.

4. Solution

   Upgrade to Symantec Scan Engine v5.1.0.7 or later. Another option is
   to disable the web interface of the scan engine by logging in,
   setting the TCP port from 8004 to 0, and then restarting the Scan
   Engine.

5. Detailed analysis

   Symantec Scan Engine stores multiple files inside its web root (the
   default directory is "C:\Program Files\Symantec\Scan Engine"). Most
   of the files are accessible by any unauthenticated user via regular
   URLs. For example the following URLs will download the log and
   corresponding data file for October 17th, 2005:

      http://x.x.x.x:8004/log/SSE20051017.log
      http://x.x.x.x:8004/log/SSE20051017.dat

   In the same way, virus definitions can be accessed from:

      http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN1.DAT
      http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN2.DAT

   Such sensitive knowledge of installed virus definitions will allow
   an attacker to determine what viruses can be used to infect the
   network without detection.

   Files ending with the '.xml' extension are protected by the HTTP
   daemon. However, the protection can be easily defeated by appending
   a trailing backslash to the filename. For example the configuration
   file configuration.xml, which contains the administrator's password
   hash, can be accessed by the following HTTP request:

      GET /configuration.xml\ HTTP/1.0

   The above request will yield the following configuration snippet:

   <system>
    <TempDir value="C:\Program Files\Symantec\Scan Engine\temp\"/>
    [...]
    <InstallDir value="C:\Program Files\Symantec\Scan Engine\"/>
    <LoadMaximumQueuedClients value="100"/>
    <admin>
    <port value="8004"/>
    <sslport value="8005"/>
    <ip value=""/>
    <timeout value="300"/>
    <password value=
     "8369951FB31356D389FBEE4B52F6A7BB51AAE8FBE4B8DB29D249F347C3426D19"/>
    </admin>
   </system>

6. Credit

   This vulnerability was discovered by Joe Testa of Rapid7.

7. Contact Information

   Rapid7, LLC
   Email: advisory@rapid7.com
   Web: http://www.rapid7.com
   Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

   Rapid7, LLC is not responsible for the misuse of the information
   provided in our security advisories. These advisories are a service
   to the professional security community. There are NO WARRANTIES with
   regard to this information. Any application or distribution of this
   information constitutes acceptance AS IS, at the user's own risk.
   This information is subject to change without notice.

   This advisory Copyright (C) 2006 Rapid7, LLC. Permission is hereby
   granted to redistribute this advisory, providing that no changes are
   made and that the copyright notices and disclaimers remain intact.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [VulnWatch] Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability, advisory <=
Previous by Date:  [VulnWatch] Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key, advisory
Next by Date:  [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability, Michal Zalewski
Previous by Thread:  [VulnWatch] Rapid7 Advisory R7-0022: Symantec Scan Engine Known Immutable DSA Private Key, advisory
Next by Thread:  [Full-disclosure] MSIE (mshtml.dll) OBJECT tag vulnerability, Michal Zalewski
Indexes:  [Date] [Thread] [Top] [All Lists]