[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
NGS000268 Technical Advisory: Symantec Messaging Gateway - Out-of-band stored-XSS delivered by email
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: NGS000268 Technical Advisory: Symantec Messaging Gateway - Out-of-band stored-XSS delivered by email
- From: NCC Group Research <research@xxxxxxxxxxxx>
- Date: Fri, 30 Nov 2012 11:39:42 +0000
=======
Summary
=======
Name: Symantec Messaging Gateway - Out-of-band stored-XSS delivered by email
Release Date: 30 November 2012
Reference: NGS00268
Discoverer: Ben Williams <ben.williams@xxxxxxxxxxxxx>
Vendor: Symantec
Vendor Reference:
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: Critical
Status: Published
========
TimeLine
========
Discovered: 17 April 2012
Released: 17 April 2012
Approved: 29 April 2012
Reported: 30 April 2012
Fixed: 27 August 2012
Published: 30 November 2012
===========
Description
===========
I. VULNERABILITY
-------------------------
Symantec Messaging Gateway 9.5.3-3 - Out-of-band stored-XSS - delivered by email
II. BACKGROUND
-------------------------
Symantec Messaging Gateway 9.5.3-3 is the latest version, of their Email
Security Appliance
III. DESCRIPTION
-------------------------
This issue means that an attacker can construct a malicious email message,
containing arbitrary javascript in the subject line. When the message audit log
is viewed (by an administrator) the script will execute in the context of the
logged in admin.
This is a very serious issue, because the attack vector is a spam email, and
the admin only has to view the messages in the audit log for the payload to
execute. (Payloads could include any management or reconfiguration actions
within the UI, or redirecting the user to other malicious content)
Additionally, the spam email containing the script can easily be made invisible
within the UI, and/or damage the rendering of the UI to prevent itself from
being noticed.
=================
Technical Details
=================
IV. PROOF OF CONCEPT
-------------------------
There are several ways to exploit this issue, here is an example using a script
in the subject line, to produce a pop-up:
For example a message can be sent with the following subject line:
Something boring here..."><script>alert('Something nasty')</script>
Which could be sent with an automated script for example:
./sendEmail -s 192.168.1.59:25 -u "Something boring
here...\"><script>alert('Something nasty')</script>" -f c@xxxxx -t
bob@xxxxxxxxxxxxxxx -o message-file=spam1.txt
(the body can contain any content)
Many thousands of messages can be sent in this way, until one is viewed by an
administrator.
The message audit viewer affected is here:
http://192.168.1.59:41080/brightmail/status/message-audit/MessageAuditFlow$show.flo
This produces a test example pop-up when the message audit log is viewed
(Obviously, a "pop-up" is not the issue, this is just a proof of concept).
The issue is that the attacker can send an email message with any arbitrary
javascript (or pull in javascript from another server) to perform actions
within the UI, manage or reconfigure the device (with request forgery), disable
protections or shutdown the appliance for example, perform session-hijacking or
redirect the administrator to other malicious content.
===============
Fix Information
===============
An updated version of the software has been released to address the
vulnerability:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00
NCC Group Research
http://www.nccgroup.com/research
For more information please visit <a
href="http://www.mimecast.com";>http://www.mimecast.com<br>
This email message has been delivered safely and archived online by Mimecast.
</a>