CVE-2015-1492 - Improper Input Validation vulnerability in Symantec Endpoint Protection Manager 12.1.0

CVSS 8.5 - HIGH
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: network, symantec, CWE-20, nessus

Summary

Untrusted search path vulnerability in the client in Symantec Endpoint Protection 12.1 before 12.1-RU6-MP1 allows local users to gain privileges via a Trojan horse DLL in a client install package.

Vulnerable Configurations

Part: Application
Description: Symantec
Count: 1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web browser that bypasses security zone controls and gains access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content they are allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attacker's content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL family: Windows
    NASL id: SYMANTEC_ENDPOINT_PROT_MGR_SYM15-007.NASL
    description: The version of Symantec Endpoint Protection Manager (SEPM) installed on the remote host is prior to 12.1 RU6 MP1. It is, therefore, affected by the following vulnerabilities:
    - A flaw exists in the password reset functionality that allows a remote attacker, using a crafted password reset action, to generate a new administrative session, thus bypassing authentication. (CVE-2015-1486)
    - A flaw exists related to filename validation in a console session that allows an authenticated, remote attacker to write arbitrary files. (CVE-2015-1487)
    - A flaw exists in an unspecified action handler that allows an authenticated, remote attacker to read arbitrary files. (CVE-2015-1488)
    - An unspecified flaw exists that allows an authenticated, remote attacker to manipulate SEPM services and gain elevated privileges. (CVE-2015-1489)
    - A flaw exists that allows traversing outside of a restricted path, due to a failure to properly sanitize user-supplied input. An authenticated, remote attacker, using a specially crafted installation package, can exploit this to access files outside of the restricted path. (CVE-2015-1490)
    - A SQL injection vulnerability exists due to a failure to properly sanitize user-supplied input before building SQL queries. An authenticated, remote attacker can exploit this to disclose or manipulate data in the back-end database. (CVE-2015-1491)
    - A flaw in how Symantec Endpoint Protection clients load dynamic-link libraries allows an authenticated attacker to replace legitimate client libraries with malicious ones, thus injecting executable code. (CVE-2015-1492)
    - A flaw exists in the /servlet/AgentServlet script due to improper sanitization of user-supplied input before using it in SQL queries. An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries against the back-end database, resulting in the disclosure or manipulation of arbitrary data.
    - A flaw exists in the SecurityAlertNotifyTask class due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this to execute arbitrary commands.
    - A flaw exists in Rtvscan.exe related to searching and loading dynamic-link library (DLL) files due to using an insecure search path which may include directories that are not trusted or under the user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85256
    published: 2015-08-06
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85256
    title: Symantec Endpoint Protection Manager 11.x / 12.x < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(85256);
      script_version("1.14");
      script_cvs_date("Date: 2019/11/22");
    
      script_cve_id(
        "CVE-2015-1486",
        "CVE-2015-1487",
        "CVE-2015-1488",
        "CVE-2015-1489",
        "CVE-2015-1490",
        "CVE-2015-1491",
        "CVE-2015-1492"
      );
      script_bugtraq_id(
        76074,
        76077,
        76078,
        76079,
        76081,
        76083,
        76094
      );
      script_xref(name:"EDB-ID", value:"37812");
    
      script_name(english:"Symantec Endpoint Protection Manager 11.x / 12.x < 12.1 RU6 MP1 Multiple Vulnerabilities (SYM15-007)");
      script_summary(english:"Checks the SEPM version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of Symantec Endpoint Protection Manager installed on the
    remote host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Symantec Endpoint Protection Manager (SEPM) installed
    on the remote host is prior to 12.1 RU6 MP1. It is, therefore,
    affected by the following vulnerabilities :
    
      - A flaw exists in the password reset functionality that
        allows a remote attacker, using a crafted password reset
        action, to generate a new administrative session, thus
        bypassing authentication. (CVE-2015-1486)
    
      - A flaw exists related to filename validation in a
        console session that allows an authenticated, remote
        attacker to write arbitrary files. (CVE-2015-1487)
    
      - A flaw exists in an unspecified action handler that
        allows an authenticated, remote attacker to read
        arbitrary files. (CVE-2015-1488)
    
      - An unspecified flaw exists that allows an authenticated,
        remote attacker to manipulate SEPM services and gain
        elevated privileges. (CVE-2015-1489)
    
      - A flaw exists that allows traversing outside of a
        restricted path, due to a failure to properly sanitize
        user-supplied input. An authenticated, remote attacker,
        using a specially crafted installation package, can
        exploit this to access files outside of the restricted
        path. (CVE-2015-1490)
    
      - A SQL injection vulnerability exists due to a failure to
        properly sanitize user-supplied input before building
        SQL queries. An authenticated, remote attacker can
        exploit this to disclose or manipulate data in the
        back-end database. (CVE-2015-1491)
    
      - A flaw in how Symantec Endpoint Protection clients load
        dynamic-link libraries allows an authenticated attacker
        to replace legitimate client libraries with malicious
        ones, thus injecting executable code. (CVE-2015-1492)
    
      - A flaw exists in the /servlet/AgentServlet script due to
        improper sanitization of user-supplied input before
        using it in SQL queries. An unauthenticated, remote
        attacker can exploit this to inject or manipulate SQL
        queries against the back-end database, resulting in the
        disclosure or manipulation of arbitrary data.
    
      - A flaw exists in the SecurityAlertNotifyTask class due
        to improper sanitization of user-supplied input. An
        authenticated, remote attacker can exploit this to
        execute arbitrary commands.
    
      - A flaw exists in Rtvscan.exe related to searching and
        loading dynamic-link library (DLL) files due to using
        an insecure search path which may include directories
        that are not trusted or under the user's control. An
        attacker can exploit this, by injecting a crafted DLL
        file into path, to execute arbitrary code with the
        privileges of the user.");
      # https://support.symantec.com/en_US/article.SYMSA1330.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?647383e8");
      # https://codewhitesec.blogspot.com/2016/02/symantec-endpoint-protection-legacy-edition.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74c04e62");
      # https://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?135bc3c2");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Symantec Endpoint Protection Manager version 12.1 RU6 MP1
    or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1492");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"d2_elliot_name", value:"Symantec Endpoint Protection Manager File Upload");
      script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/07/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/06");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:endpoint_protection_manager");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("symantec_endpoint_prot_mgr_installed.nasl");
      script_require_keys("installed_sw/Symantec Endpoint Protection Manager");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app = 'Symantec Endpoint Protection Manager';
    
    install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
    
    version = install['version'];
    path    = install['path'   ];
    
    fixed_ver = '12.1.6306.6100';
    
    if (version =~ "^(12\.1|11\.0)(\.|$)" && ver_compare(ver:version, fix:fixed_ver, strict:FALSE) == -1)
    {
      port = get_kb_item("SMB/transport");
      if (!port)
        port = 445;
    
      items = make_array("Path", path, "Installed version", version, "Fixed version", fixed_ver);
      order = make_list("Path", "Installed version", "Fixed version");
    
      report = report_items_str(report_items:items, ordered_fields:order);
      security_report_v4(port:port, extra:report, sqli:TRUE, severity:SECURITY_HOLE);
      exit(0);
    }
    else
      audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);
    
  • NASL family: Windows
    NASL id: SYMANTEC_ENDPOINT_PROT_MGR_SYM15-011.NASL
    description: The version of Symantec Endpoint Protection Manager (SEPM) installed on the remote host is prior to 12.1 RU6 MP3. It is, therefore, affected by the following vulnerabilities:
    - A local privilege escalation vulnerability exists due to an untrusted search path flaw. A local attacker can exploit this, via a trojan DLL in a client install package, to gain privileges. (CVE-2015-1492, CVE-2015-8113)
    - A remote command execution vulnerability exists due to an unspecified flaw in the management console. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary Java commands. (CVE-2015-6554)
    - An arbitrary code execution vulnerability exists due to an unspecified flaw in the management console. An authenticated, remote attacker can exploit this by connecting to the console Java port, to execute arbitrary code with administrator privileges. (CVE-2015-6555)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 86873
    published: 2015-11-13
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/86873
    title: Symantec Endpoint Protection Manager < 12.1 RU6 MP3 Multiple Vulnerabilities (SYM15-011)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(86873);
      script_version("1.11");
      script_cvs_date("Date: 2018/11/15 20:50:29");
    
      script_cve_id(
        "CVE-2015-1492",
        "CVE-2015-6554",
        "CVE-2015-6555",
        "CVE-2015-8113"
      );
      script_bugtraq_id(
        76083,
        77494,
        77495
      );
    
      script_name(english:"Symantec Endpoint Protection Manager < 12.1 RU6 MP3 Multiple Vulnerabilities (SYM15-011)");
      script_summary(english:"Checks the SEPM version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of Symantec Endpoint Protection Manager installed on the
    remote host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Symantec Endpoint Protection Manager (SEPM) installed
    on the remote host is prior to 12.1 RU6 MP3. It is, therefore,
    affected by the following vulnerabilities :
    
      - A local privilege escalation vulnerability exists due to
        an untrusted search path flaw. A local attacker can
        exploit this, via a trojan DLL in a client install
        package, to gain privileges. (CVE-2015-1492,
        CVE-2015-8113)
    
      - A remote command execution vulnerability exists due to
        an unspecified flaw in the management console. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted request, to execute arbitrary Java
        commands. (CVE-2015-6554)
    
      - An arbitrary code execution vulnerability exists due to
        an unspecified flaw in the management console. An
        authenticated, remote attacker can exploit this by
        connecting to the console Java port, to execute
        arbitrary code with administrator privileges.
        (CVE-2015-6555)");
      # https://support.symantec.com/en_US/article.SYMSA1334.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?41466b33");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Symantec Endpoint Protection Manager 12.1 RU6 MP3 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/11/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/11/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:symantec:endpoint_protection_manager");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("symantec_endpoint_prot_mgr_installed.nasl");
      script_require_keys("installed_sw/Symantec Endpoint Protection Manager");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app = 'Symantec Endpoint Protection Manager';
    
    install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
    
    version = install['version'];
    path    = install['path'   ];
    
    fixed_ver = '12.1.6306.6300';
    
    if (version =~ "^12\.1\." && ver_compare(ver:version, fix:fixed_ver, strict:FALSE) == -1)
    {
      port = get_kb_item("SMB/transport");
      if (!port) port = 445;
    
      set_kb_item(name:'www/'+port+'/SQLInjection', value:TRUE);
    
      if (report_verbosity > 0)
      {
        report =
          '\n  Path              : '+ path +
          '\n  Installed version : '+ version +
          '\n  Fixed version     : '+ fixed_ver +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
    }
    else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);