Exploit Title: Symantec Endpoint Protection Manager Remote Command Execution
Exploit Author: Chris Graham
CVE-2013-5014, CVE-2013-5015
Tested On: Windows Server 2003, default SEPM install using embedded database

First off, this was a fantastic discovery by Stefan Viehbock. … injection to force SEPM to exploit itself through a separate SQL injection flaw was … I suspect the majority of SEPM users will have it configured with the default embedded database, thereby making this a pretty reliable exploit.

So basically what you are looking for with the XXE injection is a vulnerability that can be triggered in the ConsoleServlet. The servlet will use a custom MultipartParser class to handle the individual parts. When a body is encountered that uses a Content-Type of text/xml, the Java DocumentBuilder class is used to parse the XML. Since Symantec did not disallow declared DTD processing, it is vulnerable to XXE injection. This appears to be a blind XXE, so a better use of the vulnerability is to use it for SSRF.

Symantec has an HTTP request handler called ConfigServerHandler that is programmatically restricted to only handle requests that come from localhost. They just assumed that there was never going to be a way to send untrusted input to it, since it was always going to be controlled by them. There is absolutely no attempt made to validate what input comes in to the UpdateReportingVersion function, which shoves it directly into a SQL query unfiltered.