2009.12.29

True shell access on Symantec Brightmail


By connecting (SSH, “admin” user) to a Symantec Brightmail Gateway appliance 1, you are left in a restricted shell where only a limited set of commands is available. The undocumented “set-support” command may come in handy: it assigns a temporary password to the “support” user, a normal unix account with a standard shell.

giuliano@balrog ~ $ ssh admin@192.1.2.3
admin@192.1.2.3's password:

bmail> set-support
Warning: Do NOT execute this script without explicit direction from a Symantec
Customer Support person.
Changing password for user support.
New password:
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
User support enabled until 01/04/2010.
bmail> logout
Connection to 192.1.2.3 closed.

giuliano@balrog ~ $ ssh support@192.1.2.3
support@192.1.2.3's password:

[support@bmail support]$ echo $SHELL
/bin/bash

What’s nice about the “support” user is that it can run tcpdump and read useful logfiles, e.g.:

[support@bmail support]$ tail -f /data/logs/stats.maillog
2007 Mar 30 11:36:17 (info) delivery-mta/smtp[2008]: 45A689A9: to=, relay=192.1.2.3[192.1.2.3], delay=0, status=sent (250 OK)

A note about the restricted shell command “watch maillog” and the “/data/logs/stats.maillog” file.
The latter is the truly useful MTA log file (holding a realtime record of which messages are relayed through the appliance), while the “watch maillog” command shows an entirely different log. There used to be a proper “watch stats.maillog” command, but at some point Symantec decided to remove it; I can’t really tell why.
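Since stats.maillog is the log worth watching, here is a small parser for its line layout as quoted above, written for this page as an added example (not code from the post or from Symantec). It splits a line into timestamp, level, component, pid, queue id and the key=value fields, and then counts delivery statuses so that deferred or bounced relays stand out; the sample lines are constructed, with the second (deferred) line invented for illustration.

```python
import re
from collections import Counter

# Layout of a stats.maillog line as shown in the post:
#   2007 Mar 30 11:36:17 (info) delivery-mta/smtp[2008]: 45A689A9: to=..., relay=..., delay=0, status=sent (250 OK)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<level>\w+)\) "
    r"(?P<component>[\w.-]+/[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<queue_id>[0-9A-Fa-f]+): "
    r"(?P<fields>.*)$"
)

def parse_line(line):
    """Parse one stats.maillog line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    fields = {}
    # Split only at commas that start a new key=value pair, so a status text such as
    # "deferred (connect to host: Connection refused)" stays intact; "to=" may be empty.
    for part in re.split(r", (?=[A-Za-z_]+=)", rec.pop("fields")):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    rec["fields"] = fields
    return rec

def summarize(lines):
    """Count delivery statuses and collect queue ids of messages that were not sent."""
    statuses = Counter()
    not_sent = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format
        code = rec["fields"].get("status", "unknown").split(" ", 1)[0]  # "sent (250 OK)" -> "sent"
        statuses[code] += 1
        if code != "sent":
            not_sent.append(rec["queue_id"])
    return statuses, not_sent

# Constructed sample: line 1 as quoted in the post (empty to=), line 2 an invented deferred delivery, line 3 noise.
SAMPLE_LOG = [
    "2007 Mar 30 11:36:17 (info) delivery-mta/smtp[2008]: 45A689A9: to=, relay=192.1.2.3[192.1.2.3], delay=0, status=sent (250 OK)",
    "2007 Mar 30 11:36:19 (info) delivery-mta/smtp[2008]: 45A689AB: to=<user@example.com>, relay=192.1.2.3[192.1.2.3], delay=2, status=deferred (connect to 192.1.2.3[192.1.2.3]: Connection refused)",
    "line in some other format",
]
```

Run it with `tail -f /data/logs/stats.maillog` piped in line by line, or on a saved copy, to get a quick per-status tally.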

I originally learnt about the “set-support” command here (Symantec Support Forums).

If you need full root access, you can restart the appliance, break into GRUB’s command line interface, append a “1” to the kernel parameters in order to boot to runlevel 1 (single user mode). There you can change the root password to whatever you like and make Symantec’s Tech Support upset. :) I had to do it a couple of times to replace a failed disk, though…

  1. Or Symantec Mail Security, as it was previously called. It’s an antispam device, coming in either hardware or virtual (VMware) appliance versions. Models I’ve seen: 8240, 8260. Almost “install and forget”, if you ask me. That means it works quite well! 😉

13 comments so far


  2. Hi, I managed to get into Brightmail with a root account; what I want is to open port 3306 to access the MySQL database from outside the controller.

    Do you know how to manage this?

    • Hi Firehawk,

      You could try something like this:
      1) Discover where MySQL config is stored and where its UNIX socket file resides.

      [support@mailsrv-fw support]$ ps axo pid,command | grep -i mysql
      2047 /bin/sh /opt/Symantec/Brightmail/mysql/bin/mysqld_safe --defaults-file=/data/mysql/data/my.cnf --datadir=/data/mysql/data --pid-file=/data/mysql/data/mailsrv-fw.boero.it.pid
      2079 /opt/Symantec/Brightmail/mysql/bin/mysqld --defaults-file=/data/mysql/data/my.cnf --basedir=/opt/Symantec/Brightmail/mysql --datadir=/data/mysql/data --user=mysql --pid-file=/data/mysql/data/mailsrv-fw.boero.it.pid --skip-locking --port=3306 --socket=/data/mysql/data/mysql.sock

      2) Use the “mysql” command to connect to the database, using the right socket. I get an access denied since I’m using the “support” user. Hopefully you won’t, as “root”.

      [support@mailsrv-fw support]$ mysql -S /data/mysql/data/mysql.sock
      ERROR 1045 (28000): Access denied for user 'support'@'localhost' (using password: NO)

      3) Use “show databases”, create an additional MySQL user, grant him the privileges you need (“CREATE USER”, “GRANT ALL ON”).

      4) I guess Symantec is blocking incoming TCP connections on port 3306 with iptables. Remove the block with “iptables -D”.

      Please note that I haven’t tried the procedure myself (right now I can’t reboot and gain root access on any machine).

      ciao,

      Giuliano

      • Mysql found, configure rights no problem, but firewall change is

        Don’t think they are using iptables:

        [root@mx-control root]# iptables -n -L
        FATAL: Module ip_tables not found.
        iptables v1.2.7a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
        Perhaps iptables or your kernel needs to be upgraded.
        [root@mx-control root]#

        Can’t find out how to open 3306, and what kind of firewall BM9.0 is using.

        • Looks like MySQL is listening only on localhost address:

          [support@mail support]$ netstat -an | grep :3306 | grep LISTE
          tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN

          You should modify the “bind-address” parameter and reboot the appliance:

          [support@mail support]$ grep -i bind /data/mysql/data/my.cnf
          bind-address = 127.0.0.1

          Either comment the line, or use “0.0.0.0” as address. See:

          http://dev.mysql.com/doc/refman/5.1/en/server-options.html#option_mysqld_bind-address

          Just out of curiosity: what are you expecting to read, in SMS’ internal DB?

          ciao,

          Giuliano

  3. Could one of you please tell me how I can connect directly to the MySQL database at Brightmail? I’m logged on as “support” user with full shell access. I’m sure that I have the right password for the brightmailuser account, as I’ve got it from the server.xml file in the Tomcat folder, but I’m getting access denied for every user I try to connect to the MySQL database with. Am I missing anything? Thanks in advance for any help.

    • Hi Raiv,

      I see no reason why, if you copied the right username/password from Tomcat, you shouldn’t be able to access the DB. You did try to connect locally, from the box itself, right? (something like “mysql -p -u brightmailuser”, while logged into support@bmailbox)
      If it still doesn’t work, I’d probably reboot into single user mode and change the root password (or enable sudo for the “support” user). Then use the “mysql-init” trick to create the needed user.

      Hope this helps,

      Giuliano

      • Thanks for the reply.
        Yes, I’ve been trying to connect using “mysql -s -u brightmailuser -p”. So far, no success: access denied.
        I also tried to edit the my.cnf file to skip the grant tables, but the support user has no access to edit the file.
        I’m off this week, so when I’m back to the office next week I’ll try your suggestion of
        rebooting into single user mode and change the root password. Hopefully, I can get it.
        Please let me know if you have any other idea. Thanks!!!

  4. Hello!

    For connecting to mysql you need to do

    /opt/Symantec/Brightmail/mysql/bin/mysql -h 127.0.0.1 -P 3306 -u brightmailuser -p

    and then paste the password found in /data/bcc/conf/server.xml.

    • Ehi Andreas, thanks for the pointer!

      Giuliano

      • Thanks for your efforts, but no success so far.
        Following Andreas’ suggestion, logged on as support user in a SSH connection, I’ve entered:
        /opt/Symantec/Brightmail/mysql/mysql -h 127.0.0.1 -P 3306 -u brightmailuser -pOUDXc6zYLTefrSw7aXRwiJwd. I’ve caught this password from /data/bcc/conf/server.xml file.
        I’m getting ERROR 1045 (28000): Access denied for user 'brightmailuser'@'localhost' (using password: YES)
        Any ideas?
        I’m keeping the root’s password change as the last resource.
        Thanks once more.

  5. [support@bmg ~]$ sudo -ll

    [support@smtp ~]$ ls -l /opt/Symantec/Brightmail/cli/bin/
    [support@smtp ~]$ man telnet | grep -C 5 subshell
    [support@smtp ~]$ sudo telnet
    telnet> !
    [root@smtp ~]# id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    [root@smtp ~]#

    • Awesome, thanks for sharing. :)
      Why would they ever need to run telnet as root?!