what you don't know can hurt you

Symantec Web Gateway 5.2.1 OS Command Injection

Symantec Web Gateway 5.2.1 OS Command Injection
Posted Dec 31, 2014
Authored by EgiX

Symantec Web Gateway versions 5.2.1 and below suffer from a remote OS command injection vulnerability.

tags | exploit, remote, web
advisories | CVE-2014-7285
MD5 | 273c532a1992d8c9055fb637dae33ffc

Symantec Web Gateway 5.2.1 OS Command Injection

Change Mirror Download
------------------------------------------------------------------------------
Symantec Web Gateway <= 5.2.1 (restore.php) OS Command Injection Vulnerability
------------------------------------------------------------------------------


[-] Software Link:

http://www.symantec.com/web-gateway/


[-] Affected Versions:

Version 5.2.1 and prior versions.


[-] Vulnerability Description:

The vulnerable code is located in the /spywall/restore.php script:

79. $temp_file_name = trim($restore_file["tmp_name"]);
80. $upload_orig_name = basename($restore_file['name']);
81. //do this in case user change .des3 extnsion to .bak which is idential to backup file ...
82. $temp_orig_name = str_replace(".bak", ".des3",$upload_orig_name);
83.
84. $filePath = "/tmp/$temp_orig_name";
85.
86. syscall ("sudo rm -f $filePath"); //make sure this file not exists.

User input passed via the filename of uploaded files is not properly sanitised before being used in a
call to the "syscall()" function at line 86. This can be exploited to inject and execute arbitrary OS
commands with the privileges of the "root" user on the appliance.

NOTE: version 5.1.1 suffers from an access restriction issue as well, meaning that the vulnerability can
be exploited by any kind of user (even the ones with the lowest access privileges). In version 5.2.1 the
vulnerability has been fixed and proper authorization checks are in place, however the vulnerability has
been reintroduced in a different line of code and can be exploited only by administrator users.

[-] Solution:

Update to version 5.2.2.


[-] Disclosure Timeline:

[08/10/2014] - Vendor notified with vulnerability details
[05/11/2014] - Vendor reply this will be fixed in the next release
[16/12/2014] - Version 5.2.2 released
[16/12/2014] - Vendor publishes security bulletin
[31/12/2014] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-7285 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano, Secunia Research.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-19


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close