Symantec Messaging Gateway Remote Command Execution Vulnerability

September 1, 2017

Symantec Messaging Gateway, formerly known as Brightmail, is a Linux-based anti-spam/security product for e-mail servers. It is deployed as a physical appliance or as a virtual appliance on VMware ESX, in close proximity to the mail servers it is designed to protect.

A remote command execution vulnerability has been reported in Symantec Messaging Gateway. It results from insufficient validation of user input in the performRestore method, combined with a web authentication bypass in the notificationLogin() method of the LoginAction class. A remote attacker can exploit the chain by sending crafted HTTP requests to the target server; a successful attack executes arbitrary commands as the administrative user.

The authentication bypass vulnerability:

This vulnerability is due to an insufficient privilege check when the notificationLogin method in LoginAction.class is invoked.

The public methods of the LoginAction class are reachable through unauthenticated web requests: a GET request under `/brightmail/` that names a method invokes LoginAction.method_name.

When `LoginAction.notificationLogin` is invoked by such a request, the following logic executes:

  1. Decrypts the `notify` parameter with `BrightmailDecrypt.decrypt`
  2. Creates a new `UserTO` object, using the decrypted `notify` value as the email address
  3. Creates a new session, invalidating the old one if necessary
  4. Sets the `user` attribute of the newly created session to the constructed UserTO object

Step 4 therefore yields a session that carries a "user" attribute, and the application treats any such session as authenticated. No credential is checked at any point in this flow, so it amounts to an authentication bypass.

The remote command execution vulnerability:

The authentication bypass lets us call methods that require an authenticated session; RestoreAction.performRestore is one of them. It takes two parameters: restoreSource and localBackupFilename.

In this method, the localBackupFilename parameter is eventually passed into a command executed by the "bmagent" service listening on port 41002:

/opt/Symantec/Brightmail/cli/sbin/db-restore -F

Because the filename is interpolated into that command line and handed to a shell, sending a filename containing a ";" causes the part after the semicolon to be executed as a separate shell command.
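The following is an added illustration, not code from the advisory or from Symantec: a small Python model of the two flaws described above (the session that counts as authenticated merely because it carries a "user" attribute, and the backup filename spliced into the db-restore command line) beside an assumed hardened form (a credentialed login that sets an explicit authenticated flag, a notification login that does not, a filename allowlist, and execution as an argv list without a shell). The decrypt stand-in, the credential store, the session dictionaries and the input values are all constructed for the example; the hardened variant is how one would fix the pattern, not Symantec's actual patch.

```python
import hashlib
import hmac
import re
import shlex
import uuid

# Command line quoted in the advisory; bmagent runs it with the filename appended.
DB_RESTORE = "/opt/Symantec/Brightmail/cli/sbin/db-restore"


def decrypt_notify(blob: str) -> str:
    """Stand-in for BrightmailDecrypt.decrypt (not on the page): strips a marker prefix."""
    return blob[4:] if blob.startswith("enc:") else blob


def hash_password(password: str) -> str:
    """Stand-in credential store format; real code would use a slow password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


# ---- vulnerable model: the behaviour the advisory describes ----

def vuln_notification_login(sessions: dict, notify: str) -> str:
    """Steps 1-4: decrypt, build a user from the email, open a new session, store the user."""
    email = decrypt_notify(notify)
    user = {"email": email}                 # stand-in for UserTO
    sid = uuid.uuid4().hex                  # fresh session, old one discarded
    sessions[sid] = {"user": user}
    return sid


def vuln_is_authenticated(session: dict) -> bool:
    # The whole check: any session carrying "user" counts as logged in.
    return "user" in session


def vuln_perform_restore(session: dict, restore_source: str, local_backup_filename: str) -> str:
    """Returns the command line bmagent would hand to a shell (restore_source only
    mirrors the method's signature; the filename is what reaches the shell)."""
    if not vuln_is_authenticated(session):
        raise PermissionError("login required")
    return f"{DB_RESTORE} -F {local_backup_filename}"


def shell_words(cmdline: str) -> list:
    """Tokenise like /bin/sh, emitting ';', '|', '&' and friends as their own tokens."""
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


# ---- hardened model (an assumed fix, not Symantec's patch) ----

SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")   # no '/', no leading '-' or '.'


def safe_password_login(sessions: dict, username: str, password: str, userdb: dict) -> str:
    stored = userdb.get(username, "")
    if not hmac.compare_digest(stored, hash_password(password)):
        raise PermissionError("bad credentials")
    sid = uuid.uuid4().hex
    sessions[sid] = {"user": {"email": username}, "authenticated": True}
    return sid


def safe_notification_login(sessions: dict, notify: str) -> str:
    email = decrypt_notify(notify)
    sid = uuid.uuid4().hex
    # A notification link identifies a mailbox; it proves no credential, so the
    # session is explicitly unauthenticated and cannot reach admin actions.
    sessions[sid] = {"user": {"email": email}, "authenticated": False}
    return sid


def safe_is_authenticated(session: dict) -> bool:
    return session.get("authenticated") is True


def safe_perform_restore(session: dict, restore_source: str, local_backup_filename: str) -> list:
    """Returns argv for execution without a shell; accepts only a plain filename."""
    if not safe_is_authenticated(session):
        raise PermissionError("login required")
    if not SAFE_NAME.fullmatch(local_backup_filename):
        raise ValueError("invalid backup filename")
    return [DB_RESTORE, "-F", local_backup_filename]


def demo() -> dict:
    """Runs the chain against both models and returns the observable outcomes."""
    out = {}
    vuln_sessions = {}
    sid = vuln_notification_login(vuln_sessions, "enc:victim@example.com")
    out["vuln_authenticated"] = vuln_is_authenticated(vuln_sessions[sid])
    out["vuln_cmdline"] = vuln_perform_restore(vuln_sessions[sid], "LOCAL", "backup.tgz; id")
    out["vuln_words"] = shell_words(out["vuln_cmdline"])

    safe_sessions = {}
    userdb = {"admin": hash_password("correct horse battery staple")}
    nsid = safe_notification_login(safe_sessions, "enc:victim@example.com")
    out["safe_notify_authenticated"] = safe_is_authenticated(safe_sessions[nsid])
    try:
        safe_perform_restore(safe_sessions[nsid], "LOCAL", "backup.tgz")
        out["safe_notify_restore"] = "allowed"
    except PermissionError:
        out["safe_notify_restore"] = "denied"
    asid = safe_password_login(safe_sessions, "admin", "correct horse battery staple", userdb)
    out["safe_argv"] = safe_perform_restore(safe_sessions[asid], "LOCAL", "backup.tgz")
    try:
        safe_perform_restore(safe_sessions[asid], "LOCAL", "backup.tgz; id")
        out["safe_injection"] = "allowed"
    except ValueError:
        out["safe_injection"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable model the tokenised command line shows ";" and "id" as separate words, which is exactly what the shell behind bmagent sees. The hardened model closes both halves independently: even if the filename check were missing, the argv form never gives a shell the chance to interpret it, and even if a notification session were reachable, it lacks the authenticated flag the admin action demands.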

Successful exploitation also requires a CSRF token. The vulnerability reporter found that requesting /brightmail/common.jsp sets this token, and that the token is then valid for all subsequent requests.

The SonicWall Threat Research Team has the following signature to protect customers against this type of attack:

  • IPS 12960: Symantec Messaging Gateway Remote Code Execution
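As an added example of what a proxy- or host-side detection for this chain can look like (this is constructed for the page and is not SonicWall's signature logic), the Python below scans request records for the two observable stages: a client whose session was established through notificationLogin with a `notify` parameter and then reaches an admin-only method, and any performRestore request whose localBackupFilename carries shell metacharacters. The record format, the `/brightmail/...` paths, the `method=` selector and the ADMIN_METHODS set are assumptions of this example; the method and parameter names themselves come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# sh separators and substitution introducers that would turn the filename into a
# second command after "db-restore -F".
SHELL_META = re.compile(r"[;&|`<>\n\r]|\$\(")

# Methods that must only be reachable from a credentialed admin session.
# Assumption of this example; performRestore is the one the advisory names.
ADMIN_METHODS = {"performRestore"}

# Constructed records, one request each: "<ts> <client> <verb> <url> [<urlencoded form body>]".
# The /brightmail/... paths and the method= selector are assumptions, not product paths.
SAMPLE_LOG = [
    "100 10.0.0.8 GET /brightmail/login?method=notificationLogin&notify=ZW5jcnlwdGVk",
    "101 10.0.0.8 GET /brightmail/common.jsp",
    "102 10.0.0.8 POST /brightmail/restore "
    "method=performRestore&restoreSource=LOCAL&localBackupFilename=backup.tgz%3B+id+%3E+%2Ftmp%2Fo",
    "200 10.0.0.9 GET /brightmail/login?method=notificationLogin&notify=ZW5jcnlwdGVk",
    "201 10.0.0.9 GET /brightmail/quarantine?method=list",
    "300 10.0.0.10 POST /brightmail/restore "
    "method=performRestore&restoreSource=LOCAL&localBackupFilename=nightly-2017-09-01.tgz",
]


def parse_record(line: str) -> dict:
    """Splits one record into timestamp, client, verb, path and merged query+form params."""
    ts, client, verb, url, *body = line.split()
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if body:                                     # form fields override query fields
        params.update({k: v[0] for k, v in parse_qs(body[0]).items()})
    return {"ts": int(ts), "client": client, "verb": verb, "path": parts.path, "params": params}


def unsafe_backup_filename(name: str) -> bool:
    """True when the value could reach the shell as anything but a plain filename."""
    return bool(SHELL_META.search(name)) or "/" in name or ".." in name


def scan(lines) -> list:
    """Returns alert dicts; correlation is per client address, in record order."""
    alerts = []
    via_notification = set()    # clients whose observed login was notificationLogin
    for line in lines:
        r = parse_record(line)
        if not r["path"].startswith("/brightmail/"):
            continue
        method = r["params"].get("method")
        if method == "notificationLogin" and "notify" in r["params"]:
            via_notification.add(r["client"])      # legitimate on its own; just remember it
            continue
        if method in ADMIN_METHODS and r["client"] in via_notification:
            alerts.append({"ts": r["ts"], "client": r["client"], "severity": "high",
                           "reason": f"{method} from a client that entered via notificationLogin"})
        if method == "performRestore" and unsafe_backup_filename(
                r["params"].get("localBackupFilename", "")):
            alerts.append({"ts": r["ts"], "client": r["client"], "severity": "high",
                           "reason": "shell metacharacters in localBackupFilename"})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

A notificationLogin request on its own is not alerted, because that method also serves legitimate notification links; the signal is an admin method reached by a client that never performed a normal login. Keying the correlation on the client address is a stand-in for a session identifier, which is the better key where the proxy logs cookies, since NAT can merge unrelated clients behind one address.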