SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Symantec Scan Engine File Disclosure Vulnerability


Arrow  SecurityAlert : 758
Arrow  CVE : CVE-2006-0232
Arrow  SecurityRisk : Low  Security Risk Low  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : Yes
Arrow  Exploit Available : Yes
Arrow  Credit : advisory rapid7 com
Arrow  Published : 23.04.2006

Arrow  Affected Software : Symantec Scan Engine



Arrow  Advisory Content :  

_______________________________________________________________________
Rapid7, LLC Security Advisory
_______________________________________________________________________

Rapid7 Advisory R7-0023
Symantec Scan Engine File Disclosure Vulnerability

Published: April 21, 2006
Revision: 1.0
http://www.rapid7.com/advisories/R7-0023.html

CVE: CVE-2006-0232

1. Affected system(s):

KNOWN VULNERABLE:
o Symantec Scan Engine v5.0.0.24

KNOWN FIXED:
o Symantec Scan Engine v5.1.0.7

UNKNOWN (PROBABLY VULNERABLE):
o All v5.0.x.x
o Earlier versions

2. Summary

There is a vulnerability in Symantec Scan Engine which allows
unauthenticated remote users to download any file located under the
Symantec Scan Engine installation directory. For instance the
configuration file, the scanning logs, as well as the current virus
definitions can all be accessed by any remote user using regular or
specially crafted HTTP requests.

NeXpose, Rapid7's award-winning vulnerability assessment platform,
checks for this vulnerability and other vulnerabilities we have
discovered in Symantec Scan Engine. Visit http://www.rapid7.com
to register for a free demo of NeXpose.

3. Vendor status and information

Symantec Corporation
http://www.symantec.com

Symantec was notified of this vulnerability on January 17, 2006.
They acknowledged the vulnerability, then provided us with a
fixed version. Rapid7's advisory was publicly released on April 21,
2006.

4. Solution

Upgrade to Symantec Scan Engine v5.1.0.7 or later. Another option is
to disable the web interface of the scan engine by logging in,
setting the TCP port from 8004 to 0, and then restarting the Scan
Engine.

5. Detailed analysis

Symantec Scan Engine stores multiple files inside its web root (the
default directory is "C:Program FilesSymantecScan Engine"). Most
of the files are accessible by any unauthenticated user via regular
URLs. For example the following URLs will download the log and
corresponding data file for October 17th, 2005:

http://x.x.x.x:8004/log/SSE20051017.log
http://x.x.x.x:8004/log/SSE20051017.dat

In the same way, virus definitions can be accessed from:

http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN1.DAT
http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN2.DAT

Such sensitive knowledge of installed virus definitions will allow
an attacker to determine what viruses can be used to infect the
network without detection.

Files ending with the '.xml' extension are protected by the HTTP
daemon. However, the protection can be easily defeated by appending
a trailing backslash to the filename. For example the configuration
file configuration.xml, which contains the administrator's password
hash, can be accessed by the following HTTP request:

GET /configuration.xml HTTP/1.0

The above request will yield the following configuration snippet:

<system>
<TempDir value="C:Program FilesSymantecScan Enginetemp"/>
[...]
<InstallDir value="C:Program FilesSymantecScan Engine"/>
<LoadMaximumQueuedClients value="100"/>
<admin>
<port value="8004"/>
<sslport value="8005"/>
<ip value=""/>
<timeout value="300"/>
<password value=
"8369951FB31356D389FBEE4B52F6A7BB51AAE8FBE4B8DB29D249F347C3426D19"/>
</admin>
</system>

6. Credit

This vulnerability was discovered by Joe Testa of Rapid7.

7. Contact Information

Rapid7, LLC
Email: advisory (at) rapid7 (dot) com [email concealed]
Web: http://www.rapid7.com
Phone: +1 (617) 247-1717

8. Disclaimer and Copyright

Rapid7, LLC is not responsible for the misuse of the information
provided in our security advisories. These advisories are a service
to the professional security community. There are NO WARRANTIES with
regard to this information. Any application or distribution of this
information constitutes acceptance AS IS, at the user's own risk.
This information is subject to change without notice.

This advisory Copyright (C) 2006 Rapid7, LLC. Permission is hereby
granted to redistribute this advisory, providing that no changes are
made and that the copyright notices and disclaimers remain intact.




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...
Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration
PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass
Copyright © SecurityReason.com. All Rights Reserved.