CVE-2012-4347
published 2012-12-05

Priority: P3 49 · medium 5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 58.83% (99.0th percentile)
Multiple directory traversal vulnerabilities in the management console in Symantec Messaging Gateway (SMG) 9.5.x allow remote authenticated users to read arbitrary files via a .. (dot dot) in the (1) logFile parameter in a logs action to brightmail/export or (2) localBackupFileSelection parameter in an APPLIANCE restoreSource action to brightmail/admin/restore/download.do.

Affected

5 ranges
Vendor | Product | Version range | Fixed in
symantec | messaging_gateway
symantec | messaging_gateway
symantec | messaging_gateway
symantec | messaging_gateway
symantec | messaging_gateway

Detection & IOCs (extracted from sources)

url: http://192.168.1.59:41080/brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1
url: http://192.168.1.59:41080/brightmail/admin/restore/download.do?no-cache=false&displayTab=restore&restoreSource=APPLIANCE&localBackupFileSelection=../../etc/passwd
path: /brightmail/export
path: /brightmail/admin/restore/download.do
  • Detect directory traversal attempts via the 'logFile' parameter in GET/POST requests to /brightmail/export — look for '../' sequences in the logFile query parameter value.
  • The exploit requires prior authentication to the SMG web interface; correlate suspicious file download activity with authenticated sessions on the management console.
  • Monitor for HTTP responses from /brightmail/export or /brightmail/admin/restore/download.do that deliver file attachments containing Unix passwd-style content (colon-delimited fields), indicating successful arbitrary file read.
  • The Metasploit auxiliary module targets this vulnerability; detect scanner/exploit tool activity by monitoring for the module's characteristic request pattern against /brightmail/export with traversal sequences in logFile.
  • Exploitation requires valid authenticated credentials to the SMG management web interface; unauthenticated access alone is insufficient to trigger the vulnerability.
  • Files are read with the permissions of the web server user, not root; access to root-owned files may be limited depending on web server privilege configuration.
  • The vulnerability affects SMG 9.5.x; versions patched after 27 August 2012 are not affected. Confirm the running version before applying detection rules to avoid false positives on patched systems.
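
A log check for the first two detection points above, added here as an example (not code from this page's sources or from the vendor). It assumes a common/combined-format access log in front of the console; the function names and sample lines are constructed. It goes slightly beyond a literal '../' match by percent-decoding the value and accepting backslashes, and it records the authenticated user and status for correlation.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint -> parameter, as named in the CVE description above.
WATCHED = {
    "/brightmail/export": "logFile",
    "/brightmail/admin/restore/download.do": "localBackupFileSelection",
}
# Assumed layout: client, ident, user, [time], "request", status.
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]*\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo layered percent-encoding so the check sees the final string."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_dotdot(value):
    """True if any path segment is exactly '..' (forward or back slash)."""
    return ".." in re.split(r"[\\/]", fully_decode(value))

def find_traversal(log_lines):
    """Return one dict per request whose watched parameter contains '..'."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        client, user, target, status = m.groups()
        url = urlsplit(target)
        param = WATCHED.get(url.path)
        if param is None:
            continue  # not one of the two affected endpoints
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == param and has_dotdot(value):
                hits.append({"line": n, "client": client, "user": user, "path": url.path,
                             "param": param, "value": fully_decode(value), "status": int(status)})
    return hits

# Constructed sample lines (not captured traffic); client, user and file names are made up.
SAMPLE = [
    '192.168.1.20 - admin [05/Dec/2012:10:00:01 +0000] "GET /brightmail/export?type=logs&logFile=../../../etc/passwd&logType=1&browserType=1 HTTP/1.1" 200 1532',
    '192.168.1.20 - admin [05/Dec/2012:10:00:09 +0000] "GET /brightmail/export?type=logs&logFile=example..2012.log&logType=1&browserType=1 HTTP/1.1" 200 8841',
    '192.168.1.20 - admin [05/Dec/2012:10:01:30 +0000] "GET /brightmail/admin/restore/download.do?no-cache=false&displayTab=restore&restoreSource=APPLIANCE&localBackupFileSelection=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1532',
    '192.168.1.20 - - [05/Dec/2012:10:02:00 +0000] "GET /index.html?logFile=../x HTTP/1.1" 404 0',
]
```

Access logs record only the query string, so parameters sent in a POST body need a proxy or WAF log that captures request bodies.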

CVSS provenance

nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat | 4.0 | MEDIUM