LEAKFREE-2015-013/017/020

Symantec Web Gateway Arbitrary PHP File Upload Remote Code Execution and Multiple XSS Vulnerabilities

[+] LF-ID: LEAKFREE-2015-013/017/020
[+] CVE: CVE-2015-5691, CVE-2015-5692
[+] ZDI: ZDI-15-443
[+] BID: 76728, 76726
[+] CVSS: 8.5
[+] Vendor: Symantec
[+] Product: Symantec Web Gateway
[+] Versions affected: software before 5.2.2 DB 5.0.0.1277

Vulnerability

Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allow remote authenticated users to execute arbitrary code by uploading a file with a safe extension and content type in the management console, and then leveraging an improper sudo configuration to make it a setuid-root file and escalate privileges. In addition, multiple cross-site scripting (XSS) vulnerabilities exist in PHP scripts in the management console, which allow remote attackers to inject arbitrary web script or HTML. Attackers can chain these vulnerabilities to craft a pre-auth XSS-to-root exploit with minimal user interaction. The results of successful exploitation could range from a user with authorized but lower-privileged access to the management console gaining unauthorized access to sensitive data or another user's account, to unauthorized manipulation of the console and the underlying operating system.

Mitigation

Upgrade to the latest Symantec Web Gateway release.

Contact

For more information or a no-obligation quote, you can contact us at contact@leakfree.nl (PGP).