Symantec Web Gateway Command Execution (June 8, 2012)


Symantec Web Gateway offers web content filtering as well as protection against data loss and malware. It is also capable of SSL decryption, URL filtering and application control. The product exposes a web interface that allows users to administer it and manage further deployments. The interface is accessible via HTTP as well as HTTPS protocols.

HTTP is a request/response protocol: a client sends a request to a server, and the server returns a response. A request for a resource may carry optional arguments in the request URI as a query string. A simplified form of such a URI is:

 /<path>[?<name>=<value>[&<name>=<value>[..]]] 

Symantec Web Gateway contains a resource, /spywall/releasenotes.php, that returns application release notes. It is exposed by default and reachable through the web interface without authentication. The request may carry an argument, relfile, that selects which release-notes file to return.

A directory traversal vulnerability exists in the Symantec Web Gateway Management Console. When a request to /spywall/releasenotes.php is made, the script uses the relfile value without validation to construct an absolute path to a file on the server file system. If the resulting path points to a file containing PHP code, that code is executed. The following code snippet from releasenotes.php shows the user-supplied CGI variable passed directly to the include directive:

    

This vulnerability may be exploited by injecting PHP code through an HTTP request URI, which the web server records verbatim in its access log. A subsequent request for that log file, using the directory traversal in relfile, causes the included log to be parsed as PHP and the previously injected code to execute.
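As an added illustration (not code from the product or from the original advisory), the Python below models the two halves of the flaw described above: a resolver that joins the user-supplied relfile onto the release-notes directory with no validation, beside a hardened resolver that accepts only a bare filename and confirms the canonical path stays inside that directory. The sandbox directory layout, the file names and the poisoned log line are constructed for the example; no PHP is executed here, the point is only which file each resolver would hand to the include.

```python
import os
import tempfile

# Constructed sandbox standing in for the server file system: a release-notes
# directory and, two levels up, a web-server log an attacker has already
# poisoned with a PHP tag.  Paths and contents are illustrative only.
POISONED_REQUEST = 'GET /spywall/releasenotes.php?relfile=<?php system($_GET["c"]); ?> HTTP/1.1'


def make_sandbox():
    """Build the throwaway layout and return the release-notes directory."""
    root = tempfile.mkdtemp()
    notes_dir = os.path.join(root, "spywall", "releasenotes")
    os.makedirs(notes_dir)
    with open(os.path.join(notes_dir, "2012.txt"), "w") as fh:
        fh.write("Release notes, 2012\n")
    log_dir = os.path.join(root, "logs")
    os.makedirs(log_dir)
    with open(os.path.join(log_dir, "access_log"), "w") as fh:
        fh.write(POISONED_REQUEST + "\n")
    return notes_dir


def vulnerable_resolve(notes_dir, relfile):
    """Models the flaw: the user value is joined onto the notes directory with
    no check, so '../' sequences (or an absolute path, which os.path.join
    simply adopts) select any file on the system."""
    return os.path.join(notes_dir, relfile)


def hardened_resolve(notes_dir, relfile):
    """Accept only a bare filename, then confirm the canonical target still
    lies inside the canonical notes directory (this also defeats symlinks)."""
    if not relfile or relfile != os.path.basename(relfile) or relfile in (".", ".."):
        raise ValueError("relfile must be a plain filename")
    base = os.path.realpath(notes_dir)
    target = os.path.realpath(os.path.join(base, relfile))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("relfile escapes the release-notes directory")
    if not os.path.isfile(target):
        raise FileNotFoundError(relfile)
    return target


def demo():
    """Run both resolvers against a benign name, a traversal and an absolute path."""
    notes_dir = make_sandbox()
    traversal = "../../logs/access_log"
    results = {}
    with open(vulnerable_resolve(notes_dir, traversal)) as fh:
        # The flawed resolver hands back the poisoned log; a PHP include() of
        # this file would run the injected code.
        results["vulnerable_reads_log"] = "<?php" in fh.read()
    results["hardened_benign"] = os.path.basename(hardened_resolve(notes_dir, "2012.txt"))
    try:
        hardened_resolve(notes_dir, traversal)
        results["hardened_blocks_traversal"] = False
    except ValueError:
        results["hardened_blocks_traversal"] = True
    try:
        hardened_resolve(notes_dir, "/etc/passwd")
        results["hardened_blocks_absolute"] = False
    except ValueError:
        results["hardened_blocks_absolute"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the flawed resolver returning the attacker-poisoned log for the traversal payload, while the hardened one rejects both the traversal and an absolute path. In PHP the fix has the same shape: check relfile against basename() or an allowlist of known release-notes files, and never pass a request parameter straight into include.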

Successful exploitation of this vulnerability could lead to arbitrary command execution on the target machine. Injected code runs in the security context of the target service.

Dell SonicWALL has released an IPS signature to address this issue. The following signature was released:

  • 7954 – Symantec Web Gateway Management Shell Command Execution Attempt

In addition to the signature released specifically for this vulnerability, Dell SonicWALL has multiple existing signatures that detect and block exploit code and are known to have proactively blocked exploitation attempts targeting this vulnerability.
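As an added example of the detection side (written for this page, not SonicWall's signature logic), the Python below scans Apache-style access-log lines for the two requests in the exploitation chain: a URI carrying a PHP open tag (the poisoning step) and a relfile value that traverses out of the release-notes directory (the include step). The log lines, client addresses and payloads are constructed for the example; the URI is percent-decoded twice so double-encoded traversals are not missed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access-log lines (not real product traffic).  Line 2
# is the poisoning request: the PHP tag in its URI lands in the log verbatim.
# Lines 3 and 4 then try to include the log (and another file) through relfile.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2012:10:01:02 +0000] "GET /spywall/releasenotes.php?relfile=2012.txt HTTP/1.1" 200 512
10.0.0.9 - - [08/Jun/2012:10:01:07 +0000] "GET /spywall/index.php?x=<?=system($_GET['c'])?> HTTP/1.1" 200 311
10.0.0.9 - - [08/Jun/2012:10:01:09 +0000] "GET /spywall/releasenotes.php?relfile=../../../../var/log/httpd/access_log&c=id HTTP/1.1" 200 8821
10.0.0.9 - - [08/Jun/2012:10:01:11 +0000] "GET /spywall/releasenotes.php?relfile=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1402
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>.*?) HTTP/[\d.]+"')
PHP_TAG_RE = re.compile(r"<\?(php\b|=)?", re.IGNORECASE)   # <?php, <?=, bare <?


def decode_uri(uri):
    """Decode twice so %252E-style double encoding cannot hide a traversal."""
    return unquote(unquote(uri))


def classify(line):
    """Return the list of findings for one access-log line (empty if benign)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    uri = decode_uri(m.group("uri"))
    findings = []
    if PHP_TAG_RE.search(uri):
        findings.append("php-tag-in-uri")              # log-poisoning attempt
    parts = urlsplit(uri)
    if parts.path.endswith("/spywall/releasenotes.php"):
        for value in parse_qs(parts.query, keep_blank_values=True).get("relfile", []):
            if "../" in value or "..\\" in value or value.startswith("/"):
                findings.append("relfile-traversal")   # CVE-2012-0297 pattern
                break
    return findings


def scan(log_text):
    """Map 1-based line number to findings for every suspicious line."""
    report = {}
    for number, line in enumerate(log_text.splitlines(), 1):
        findings = classify(line)
        if findings:
            report[number] = findings
    return report


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, findings)
```

The traversal check is keyed to the /spywall/releasenotes.php path so it stays specific to this vulnerability; the PHP-tag check is generic and will also fire on poisoning attempts aimed at other file-inclusion bugs, which is usually what a defender wants.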

This vulnerability has been assigned CVE-2012-0297 by MITRE.
The vendor has released an advisory addressing this issue.
