The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
_______________________________________________________________________
Rapid7, LLC Security Advisory
_______________________________________________________________________
Rapid7 Advisory R7-0023
Symantec Scan Engine File Disclosure Vulnerability
Published: April 21, 2006
Revision: 1.0
http://www.rapid7.com/advisories/R7-0023.html
CVE: CVE-2006-0232
1. Affected system(s):
KNOWN VULNERABLE:
o Symantec Scan Engine v5.0.0.24
KNOWN FIXED:
o Symantec Scan Engine v5.1.0.7
UNKNOWN (PROBABLY VULNERABLE):
o All v5.0.x.x
o Earlier versions
2. Summary
There is a vulnerability in Symantec Scan Engine which allows
unauthenticated remote users to download any file located under the
Symantec Scan Engine installation directory. For instance the
configuration file, the scanning logs, as well as the current virus
definitions can all be accessed by any remote user using regular or
specially crafted HTTP requests.
NeXpose, Rapid7's award-winning vulnerability assessment platform,
checks for this vulnerability and other vulnerabilities we have
discovered in Symantec Scan Engine. Visit http://www.rapid7.com
to register for a free demo of NeXpose.
3. Vendor status and information
Symantec Corporation
http://www.symantec.com
Symantec was notified of this vulnerability on January 17, 2006.
They acknowledged the vulnerability, then provided us with a
fixed version. Rapid7's advisory was publicly released on April 21,
2006.
4. Solution
Upgrade to Symantec Scan Engine v5.1.0.7 or later. Another option is
to disable the web interface of the scan engine by logging in,
setting the TCP port from 8004 to 0, and then restarting the Scan
Engine.
5. Detailed analysis
Symantec Scan Engine stores multiple files inside its web root (the
default directory is "C:Program FilesSymantecScan Engine"). Most
of the files are accessible by any unauthenticated user via regular
URLs. For example the following URLs will download the log and
corresponding data file for October 17th, 2005:
http://x.x.x.x:8004/log/SSE20051017.log
http://x.x.x.x:8004/log/SSE20051017.dat
In the same way, virus definitions can be accessed from:
http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN1.DAT
http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN2.DAT
Such sensitive knowledge of installed virus definitions will allow
an attacker to determine what viruses can be used to infect the
network without detection.
Files ending with the '.xml' extension are protected by the HTTP
daemon. However, the protection can be easily defeated by appending
a trailing backslash to the filename. For example the configuration
file configuration.xml, which contains the administrator's password
hash, can be accessed by the following HTTP request:
GET /configuration.xml HTTP/1.0
The above request will yield the following configuration snippet:
<system>
<TempDir value="C:Program FilesSymantecScan Enginetemp"/>
[...]
<InstallDir value="C:Program FilesSymantecScan Engine"/>
<LoadMaximumQueuedClients value="100"/>
<admin>
<port value="8004"/>
<sslport value="8005"/>
<ip value=""/>
<timeout value="300"/>
<password value=
"8369951FB31356D389FBEE4B52F6A7BB51AAE8FBE4B8DB29D249F347C3426D19"/>
</admin>
</system>
6. Credit
This vulnerability was discovered by Joe Testa of Rapid7.
7. Contact Information
Rapid7, LLC
Email: advisory (at) rapid7 (dot) com [email concealed]
Web: http://www.rapid7.com
Phone: +1 (617) 247-1717
8. Disclaimer and Copyright
Rapid7, LLC is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES with
regard to this information. Any application or distribution of this
information constitutes acceptance AS IS, at the user's own risk.
This information is subject to change without notice.
This advisory Copyright (C) 2006 Rapid7, LLC. Permission is hereby
granted to redistribute this advisory, providing that no changes are
made and that the copyright notices and disclaimers remain intact.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum