// For flags

CVE-2015-5692

Symantec Web Gateway Arbitrary PHP File Upload Remote Code Execution Vulnerability

Severity Score

7.9
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

admin_messages.php in the management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allows remote authenticated users to execute arbitrary code by uploading a file with a safe extension and content type, and then leveraging an improper Sudo configuration to make this a setuid-root file.

Vulnerabilidad en admin_messages.php en la consola de gestión en Symantec Web Gateway (SWG) en dispositivos con software en versiones anteriores a 5.2.2 DB 5.0.0.1277, permite a usuarios remotos autenticados ejecutar código arbitrario subiendo un archivo con una extensión segura y tipo de contenido, aprovechando entonces una configuración de Sudo incorrecta para hacer de esto un archivo setuid-root.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec Web Gateway. Authentication is required to exploit this vulnerability, however it can be bypassed via reflected cross-site scripting.
The specific flaw exists within the admin_messages.php file which relies on mimetypes and file extensions to block potentially dangerous file uploads. An attacker can exploit this condition to upload arbitrary files as the apache user. Due to loose sudo restrictions, an attacker can add the setuid attribute and execute arbitrary code under the context of root.

*Credits: Jos Wetzels - LeakFree Security
CVSS Scores
Attack Vector
Network
Attack Complexity
Medium
Authentication
Multiple
Confidentiality
Complete
Integrity
Complete
Availability
Complete
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-07-28 CVE Reserved
  • 2015-09-16 CVE Published
  • 2023-09-15 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Symantec
Search vendor "Symantec"
Web Gateway
Search vendor "Symantec" for product "Web Gateway"
<= 5.2.2
Search vendor "Symantec" for product "Web Gateway" and version " <= 5.2.2"
-
Affected