And at its worst, can introduce at scale risks to customers' endusers via the very product that is meant to improve their security posture. This could turn into a #poison well #attack and #compromise. The WORST thing is to implement and not document, especially on a web image here that is getting delivered to every client, every time they visit the customer's VIP instance. Implementing "call-home" type features are always fraught with risks. #ProductSecurity decisions like how to handle the desire for ongoing info about a customer's use must be weighed against the risks. Imagine the impact on endusers with a malicious image substitution on that VIP login page. So what's a security researcher to do? Well, why not make a nice pretty collage of all the Symantech VIP customer's logos, old and new, in a single website and then do a screenshot? You can see the modification times in the above screenshot, and the VIP upload process appears to keep the old logo in storage as well. DohĪnd this is not some tired dated old archive. But of course the googleapi hosting all of the various Symantec VIP customers' logos is in a directory for the full view of all. The funny thing about web servers is that even in 2023, Directory Traversal can still work if the server is not configured to not simply list directory contents. Symantec VIP server and Googleapi-hosted customer uploaded logo served over HTTP Interesting attack vectors emerge here with unencrypted stuff.isn't that why all these security companies are pushing SSL? And this cruft is on the enduser login page for two-factor authentication? D00ds. Oh look! To make it easy, the googleapis server hosting the image will kindly serve that image over unencrypted HTTP as well as HTTP. Another is to replace that image in-flight as the client requests it and an attacker has some means of #MITM. What if a malicious logo was somehow able to get in place of the legitimate one? Replacing on the googleapis is one method. ![]() Second is the control of that image a question, as is the security of the googleapis server logs. First the risk of not knowing how the VIP is actually functioning regarding that logo. Of course, being the security dweeb I am, I can help but think of the risks. All the clients connecting will send useful info back to the googleapis server, which can then be analyzed. ![]() This I'm sure was a point of contention in #softwaredevelopement at Symantec regarding the VIP product hosting a customer uploaded log on 3rd party site and not documenting it, and then hosting it on a 3rd party googleapis server.įrom Symantec's view, think of the real-time information you can gather from your customers' VIP deployments by having a hosted image on their VIP landing page. From my read the docs say nothing of this logo hosting on googleapis. I don't know about you all.but when i run a security appliance, I want to have knowledge of and control over all content that's loaded onto that login page, especially one my organization's people are logging into. I find this "feature" execution more than a bit underhanded. ![]() Please look for yourselves and comment below if I missed something! Dude.Ī quick check of the VIP docs at Symantec lead me to believe this "feature" was not documented to the VIP admin customer. WHAT!?! The logo link was to, and was not hosted locally on the VIP server. I pulled up the html source code of the VIP source page with the logo in my browser. At that point I assumed that as part of the VIP setup, the admin configuring the device was able to upload an image to the device webserver, and it would be displayed to all endusers visiting the page to handle 2FA. The custom logo for each VIP deployment to "cobrand" as Symantec docs call it. Trying another angle, I started looking more closely at the VIP portals themselves for some kind of #html string I could use in the very useful Shodan #html search.īut then I noticed it. The title of the device is pretty static, and favicon search is not very different from title results, with ~60 coming up. So the Symantec VIP (Validation & Information Protection) Self Service Portal comes on my radar, and I'm not discovering very many hits using typical #shodan searches. So I've been Shodanning deployments of products supporting #2fa for the #enduser and researching what the #enduserexperience is like because.reasons. ![]() Two-Factor Authentication is huge, you just gotta have it. Today's twenty-second #Shodan #casestudy 2023-22 is about how Shodan helped me to discover a questionable and undocumented "feature" in the Symantec VIP (Validation & Information Protection) Self Service Portal. UPDATE: HT to Ramesh Manickavel with Broadcom PSIRT for a timely and solid response to address key risks of this issue.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |