CVE-2012-0289

Symantec Endpoint Protection SemSvc.exe AgentServlet Remote Code Execution Vulnerability

Severity Score

7.2

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in Symantec Endpoint Protection (SEP) 11.0.600x through 11.0.710x and Symantec Network Access Control (SNAC) 11.0.600x through 11.0.710x allows local users to gain privileges, and modify data or cause a denial of service, via a crafted script.

Desbordamiento de búfer en Symantec Endpoint Protection (SEP) v11.0.600x hasta v11.0.710x y Symantec Network Access Control (SNAC) v11.0.600x hasta v11.0.710x, permite a usuarios locales obtener privilegios, y modificar los datos o causar una denegación de servicio, a través de un script malicioso.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Endpoint Protection. Authentication is not required to exploit this vulnerability.
The specific flaw exists within SemSvc.exe which listens by default on TCP port 8443 (https). The SemSvc service exposes a servlet called 'AgentServlet" which allows remote users to activate certain tasks without prior authentication. In doing so, it is vulnerable to directory traversal attacks and arbitrary file deletion. When certain files are deleted, the eval() method will allow for executing user supplied commands. An attacker can leverage these vulnerabilities to execute code under the context of the SYSTEM.

*Credits: Andrea Micalizzi aka rgod

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2012-01-04 CVE Reserved
2012-05-23 CVE Published
2012-05-23 First Exploit
2024-08-05 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CAPEC

References (4)

URL	Tag	Source
http://www.securitytracker.com/id?1027093	Vdb Entry

URL	Date	SRC
https://www.exploit-db.com/exploits/18916	2012-05-23
http://www.securityfocus.com/bid/51795	2024-08-06

URL	Date	SRC

URL	Date	SRC
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120522_01	2012-10-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Symantec Search vendor "Symantec"		Endpoint Protection Search vendor "Symantec" for product "Endpoint Protection"				11.0.6000 Search vendor "Symantec" for product "Endpoint Protection" and version "11.0.6000"		-		Affected
Symantec Search vendor "Symantec"		Endpoint Protection Search vendor "Symantec" for product "Endpoint Protection"				11.0.6100 Search vendor "Symantec" for product "Endpoint Protection" and version "11.0.6100"		-		Affected
Symantec Search vendor "Symantec"		Endpoint Protection Search vendor "Symantec" for product "Endpoint Protection"				11.0.6200 Search vendor "Symantec" for product "Endpoint Protection" and version "11.0.6200"		-		Affected
Symantec Search vendor "Symantec"		Endpoint Protection Search vendor "Symantec" for product "Endpoint Protection"				11.0.6200.754 Search vendor "Symantec" for product "Endpoint Protection" and version "11.0.6200.754"		-		Affected
Symantec Search vendor "Symantec"		Endpoint Protection Search vendor "Symantec" for product "Endpoint Protection"				11.0.6300 Search vendor "Symantec" for product "Endpoint Protection" and version "11.0.6300"		-		Affected
Symantec Search vendor "Symantec"		Endpoint Protection Search vendor "Symantec" for product "Endpoint Protection"				11.0.7000 Search vendor "Symantec" for product "Endpoint Protection" and version "11.0.7000"		-		Affected
Symantec Search vendor "Symantec"		Endpoint Protection Search vendor "Symantec" for product "Endpoint Protection"				11.0.7100 Search vendor "Symantec" for product "Endpoint Protection" and version "11.0.7100"		-		Affected
Symantec Search vendor "Symantec"		Network Access Control Search vendor "Symantec" for product "Network Access Control"				11.0.6000 Search vendor "Symantec" for product "Network Access Control" and version "11.0.6000"		-		Affected
Symantec Search vendor "Symantec"		Network Access Control Search vendor "Symantec" for product "Network Access Control"				11.0.6100 Search vendor "Symantec" for product "Network Access Control" and version "11.0.6100"		-		Affected
Symantec Search vendor "Symantec"		Network Access Control Search vendor "Symantec" for product "Network Access Control"				11.0.6200 Search vendor "Symantec" for product "Network Access Control" and version "11.0.6200"		-		Affected
Symantec Search vendor "Symantec"		Network Access Control Search vendor "Symantec" for product "Network Access Control"				11.0.6300 Search vendor "Symantec" for product "Network Access Control" and version "11.0.6300"		-		Affected
Symantec Search vendor "Symantec"		Network Access Control Search vendor "Symantec" for product "Network Access Control"				11.0.7000 Search vendor "Symantec" for product "Network Access Control" and version "11.0.7000"		-		Affected
Symantec Search vendor "Symantec"		Network Access Control Search vendor "Symantec" for product "Network Access Control"				11.0.7100 Search vendor "Symantec" for product "Network Access Control" and version "11.0.7100"		-		Affected