[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Web Login Bruteforce in Symantec Endpoint Protection Manager 12.1.4023.4080
From: audit1@xxxxxxxxxxxx
Date: Tue, 22 Jul 2014 11:39:47 GMT

We discovered a vulnerability in the Symantec Endpoint Protection Manager web 
application.

Vulnerability Type: Login Bruteforce

Original Release: June 20, 2014

Discovered by: 
        Security Team - A2SECURE
        Artëm Tsvetkov  atsvetkov@xxxxxxxxxxxx 
        Sisco Barrera   sbarrera@xxxxxxxxxxxx 
        Andrea Bodei    abodei@xxxxxxxxxxxx     

Products and affected versions:
        SYMANTEC ENDPOINT PROTECTION MANAGER 12.1.4023.4080

Company: A2SECURE - España
A2Secure Website: http://www.a2secure.com
Vendor Website: http://www.symantec.com 
Application Website: http://www.symantec.com/endpoint-protection 


===========================
Background
===========================

Symantec Endpoint Protection is an endpoint security solution created through a 
layered approach to defense. With unique, layered technology, it detects and 
removes malware. Derived from Symantec?s global intelligence network, it 
enables faster scan, more accurate detection, and higher performance while 
utilizing fewer resources. With single management console, Symantec Endpoint 
Protection provides advance protection across multiple platforms both physical 
and virtual.


===========================
Vulnerability Details
===========================

Bruteforce attacks consist in an attacker configuring predetermined values, 
making requests to a server using those values, and then analyzing the 
response. For the sake of efficiency, an attacker may use a dictionary attack 
(with or without mutations) or a traditional brute-force attack (with given 
classes of characters e.g.: alphanumerical, special, case (in)sensitive). 
Considering a given method, number of tries, efficiency of the system which 
conducts the attack, and estimated efficiency of the system which is attacked 
the attacker is able to calculate approximately how long it will take to submit 
all chosen predetermined values. 

Symantec Endpoint Protection Manager web login should implement bruteforce 
protection, such as one-time tokens, account lockout, IP blacklist, or similar.
 

===========================
Proof of Concept
===========================

The user login form does not prevent automated login attempts using a CAPTCHA, 
and is therefore vulnerable to bruteforce attacks.


Domain:         https://localhost:8443
Method:         POST
Path:           /console/apps/sepm
Parameter:      SEPMPasswordField_5454179
Payload:        wordlist of passwords



===========================
Credits / Author
===========================

Artëm Tsvetkov
www.a2secure.com 



===========================
Disclaimer
===========================

All information is provided without warranty. The intent is to provide 
information to secure infrastructure and/or systems, not to be able to attack 
or damage. Therefore A2Secure shall not be liable for any direct or indirect 
damages that might be caused by using this information.

Prev by Date: Cross-site Scripting in EventLog Analyzer 9.0 build #9000
Next by Date: Barracuda Networks Spam&Virus Firewall v6.0.2 (600 & Vx) - Client Side Cross Site Vulnerability
Previous by thread: Cross-site Scripting in EventLog Analyzer 9.0 build #9000
Next by thread: Barracuda Networks Spam&Virus Firewall v6.0.2 (600 & Vx) - Client Side Cross Site Vulnerability
Index(es):
- Date
- Thread