CVE-2012-4347
Published: 2012-12-05
Priority: P3 · 49 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploit available
EPSS: 58.83% (99.0th percentile)
Multiple directory traversal vulnerabilities in the management console in Symantec Messaging Gateway (SMG) 9.5.x allow remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) logFile parameter in a logs action to brightmail/export or (2) localBackupFileSelection parameter in an APPLIANCE restoreSource action to brightmail/admin/restore/download.do.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec | messaging_gateway | — | — |
| symantec | messaging_gateway | — | — |
| symantec | messaging_gateway | — | — |
| symantec | messaging_gateway | — | — |
| symantec | messaging_gateway | — | — |
Detection & IOCs
- url: http://192.168.1.59:41080/brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1
- url: http://192.168.1.59:41080/brightmail/admin/restore/download.do?no-cache=false&displayTab=restore&restoreSource=APPLIANCE&localBackupFileSelection=../../etc/passwd

Detection:
- Detect directory traversal attempts via the 'logFile' parameter in GET/POST requests to /brightmail/export: look for '../' sequences in the logFile query parameter value.
- The exploit requires prior authentication to the SMG web interface; correlate suspicious file download activity with authenticated sessions on the management console.
- Monitor for HTTP responses from /brightmail/export or /brightmail/admin/restore/download.do that deliver file attachments containing Unix passwd-style content (colon-delimited fields), indicating successful arbitrary file read.
- The Metasploit auxiliary module targets this vulnerability; detect scanner/exploit tool activity by monitoring for the module's characteristic request pattern against /brightmail/export with traversal sequences in logFile.

Notes:
- Exploitation requires valid authenticated credentials to the SMG management web interface; unauthenticated access alone is insufficient to trigger the vulnerability.
- Files are read with the permissions of the web server user, not root; access to root-owned files may be limited depending on web server privilege configuration.
- The vulnerability affects SMG 9.5.x; versions patched after 27 August 2012 are not affected. Confirm the running version before applying detection rules to avoid false positives on patched systems.
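The detection guidance above as an added example (not code from the advisory, the Metasploit module or any vendor rule): a Python scan of web access-log lines for `..` path segments in the two parameters named in the CVE description. The log lines are constructed, the combined log format and the file names `BrightmailLog.log` and `audit..2012.log` are assumptions, and parameters sent in POST bodies do not appear in access logs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint -> parameter, both taken from the CVE-2012-4347 description.
WATCHED = {
    "/brightmail/export": "logFile",
    "/brightmail/admin/restore/download.do": "localBackupFileSelection",
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines; the combined log format is an assumption.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2012:10:00:01 +0000] "GET /brightmail/export?type=logs&logFile=BrightmailLog.log&logType=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Dec/2012:10:02:17 +0000] "GET /brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1 HTTP/1.1" 200 1834',
    '192.0.2.44 - - [01/Dec/2012:10:02:30 +0000] "GET /brightmail/admin/restore/download.do?restoreSource=APPLIANCE&localBackupFileSelection=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834',
    '192.0.2.10 - - [01/Dec/2012:10:05:00 +0000] "GET /brightmail/export?type=logs&logFile=audit..2012.log HTTP/1.1" 200 900',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so encoded separators and dots are seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dotdot(value):
    """True only if a whole path segment is '..' (either slash style)."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def scan_line(line):
    """Return (path, param, decoded value, status) for a hit, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    path = parts.path.split(";", 1)[0]  # drop any ;jsessionid=... suffix
    param = WATCHED.get(path)           # None for endpoints not watched
    for value in parse_qs(parts.query).get(param, []):
        if has_dotdot(value):
            return (path, param, value, int(m.group(2)))
    return None

def scan(lines):
    """Collect every traversal hit from an iterable of log lines."""
    return [hit for hit in map(scan_line, lines) if hit]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Hits with a 200 status are the ones to correlate with authenticated console sessions and with response content, as the notes above describe.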
CVSS provenance
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat · 4.0 · MEDIUM
GHSA
GHSA-pxcw-hx23-fx3r: Multiple directory traversal vulnerabilities in the management console in Symantec Messaging Gateway (SMG) 9
ghsa_unreviewed·2022-05-17
CVE-2012-4347 [MEDIUM] CWE-22 GHSA-pxcw-hx23-fx3r: Multiple directory traversal vulnerabilities in the management console in Symantec Messaging Gateway (SMG) 9
Red Hat
kernel: kvm: device assignment DoS
vendor_redhat·2011-11-20·CVSS 4.0
CVE-2011-4347 [MEDIUM] kernel: kvm: device assignment DoS
The kvm_vm_ioctl_assign_device function in virt/kvm/assigned-dev.c in the KVM subsystem in the Linux kernel before 3.1.10 does not verify permission to access PCI configuration space and BAR resources, which allows host OS users to assign PCI devices and cause a denial of service (host OS crash) via a KVM_ASSIGN_PCI_DEVICE operation.
Statement: This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 4 and Red Hat Enterprise MRG as they did not provide support for the KVM subsystem. This has been addressed in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2012-0350.html. A future kvm update in Red Hat Enterprise 5 may address this flaw.
Package: kernel (Red Hat Enterprise Linux 4) - Not affected
Exploit-DB
Symantec Messaging Gateway 9.5.3-3 - Arbitrary File Download
exploitdb·2012-12-03
CVE-2012-4347 Symantec Messaging Gateway 9.5.3-3 - Arbitrary File Download
---
Summary
Name: Symantec Messaging Gateway - Arbitrary file download is possible with a crafted URL (authenticated)
Release Date: 30 November 2012
Reference: NGS00266
Discoverer: Ben Williams
Vendor: Symantec
Vendor Reference:
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: Medium
Status: Published
TimeLine
Discovered: 17 April 2012
Released: 17 April 2012
Approved: 29 April 2012
Reported: 30 April 2012
Fixed: 27 August 2012
Published: 30 November 2012
Description
I. VULNERABILITY
Symantec Messaging Gateway 9.5.3-3 - Arbitrary file download is possible with a crafted URL (authenticated)
II. BACKGROUND
Symantec Messaging Gateway 9.5.3-3 is the latest version of their Email Security Appliance.
III. DESCRIPTION
Th
Metasploit
Symantec Messaging Gateway 9.5 Log File Download Vulnerability
metasploit
This module will download a file of your choice against Symantec Messaging Gateway. This is possible by exploiting a directory traversal vulnerability when handling the 'logFile' parameter, which will load an arbitrary file as an attachment. Note that authentication is required in order to successfully download your file.
References
- http://www.securityfocus.com/bid/56789
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00