Symantec Endpoint Protection Manager 12.1 – Multiple Vulnerabilities

Vendor:
================
www.symantec.com
Product:
===========
SEPM
Symantec Endpoint Protection Manager and client v12.1
SEPM provides a centrally managed solution. It handles security policy
enforcement, host integrity checking (Symantec Network Access Control only),
and automated remediation over all clients. The policies functionality is
the heart of the Symantec software. Clients connect to the server to get the
latest policies, security settings, and software updates.
Vulnerability Type(s):
======================
Multiple Cross Site Scripting (XSS)
Cross Site Request Forgeries (CSRF)
Open Redirect
CVE Reference(s):
=================
CVE-2016-3652 / XSS
CVE-2016-3653 / CSRF
CVE-2016-5304 / Open Redirect
Vulnerability Details:
=====================
The management console for SEPM contains a number of security
vulnerabilities that could be used by a lower-privileged user or by
an unauthorized user to elevate privilege or gain access to unauthorized
information on the management server. Exploitation attempts of
these vulnerabilities requires access to the SEP Management console.
References:
============
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01
Exploit code(s):
===============
In this case XSS can bypass the "http-only" cookie protection because the
SEPM application writes and stores the session ID within various
javascript functions used by the application within the DOM thereby
exposing them directly to the XSS attack.
1) createModalDialogFromURL
2) createWindowFromURL
3) createWindowFromForm
4) createIEWindowFromForm
So all we need to do is alert(createModalDialogFromURL) anyone one of them
(functions) an it will leak the session ID essentially throwing the
HttpOnly secure cookie protection flag into the garbage.
e.g.
XSS POC Defeat http-only flag and access PHPSESSID:
https://localhost:8445/Reporting/Admin/notificationpopup.php?New=1&Type=CR&height=alert%28createModalDialogFromURL%29#