Symantec Web Gateway Command Execution
Symantec Web Gateway offers web content filtering as well as protection against data loss and malware. It is also capable of SSL decryption, URL filtering and application control. The product exposes a web interface that allows users to administer it and manage further deployments. The interface is accessible via HTTP as well as HTTPS protocols.
The HTTP specification is a request/response scheme. Requests are sent by clients to a server, which then responds back to clients. Requests for resources may include optional arguments in the request URI. A simplified definition of a URI follows:
[? = [& = [..]]]
Symantec Web Gateway contains a resource /spywall/releasenotes.php which returns application release notes. It is exposed by default and accessible through the web interface by unauthenticated users. The request for the resource may be given an argument relfile to specify which release notes to provide.
A directory traversal vulnerability exists in Symantec Web Gateway Management Console. If a request to /spywall/releasenotes.php is made, the releasenotes.php script will use the relfile value without verification to construct an absolute path to a file on the server file system. If the relfile value ends up poiting to a file containing php code, then it will execute said code. The following code snippet of releasenotes.php shows the direct use of user supplied cgi variable in the include directive:
This vulnerability may be exploited by injecting php code through an HTTP request URI, which will get logged by the web server. Subsequently, a request for the log file, utilizing the directory traversal vulnerability will result in the execution of previously injected code.
Successful exploitation of this vulnerability could cause arbitrary command execution on the target machine. Injected code will be executed in the security context of the target service.
Dell SonicWALL has released an IPS signature to address this issue. The following signature was released:
- 7954 - Symantec Web Gateway Management Shell Command Execution Attempt
In addition to the signature specifically released to cover this vulnerability, Dell SonicWALL has multiple existing signatures, that detect and block exploit code, known to have proactively blocked exploitation attempts targeting this vulnerability.