Sophos Web Appliance 4.2.1.3 Remote Command Injection

Posted Jan 31, 2017
Authored by Russell Sanford

Sophos Web Appliance version 4.2.1.3 is vulnerable to two remote command injection vulnerabilities.

tags | exploit, remote, web, vulnerability
advisories | CVE-2016-9553
SHA-256 | 545641ea8be8bc213ed17b9bb9c8d8511001c33b8803e8aeeba5626c4a9d867c

Critical Start security expert Russell Sanford discovered and reported two critical zero-day vulnerabilities in the Sophos Web Appliance in December of 2016. The vulnerabilities, documented under CVE-2016-9553, allow remote compromise of the appliance's underlying Linux subsystem. The vulnerabilities have now been patched in the January 2017 4.3.1 release of the appliance line.

Here is a summary of the two vulnerabilities documented under CVE-2016-9553.

CVE ID
CVE-2016-9553 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9553)
Vulnerability Details
The Sophos Web Appliance (version 4.2.1.3) is vulnerable to two Remote Command Injection vulnerabilities affecting its web administrative interface. These vulnerabilities occur in the MgrReport.php component (/controllers/MgrReport.php), which is responsible for blocking and unblocking IP addresses that are allowed to access the appliance.
The device does not properly escape the values passed in the 'unblockip' and 'blockip' parameters before calling the shell_exec() function, which allows arbitrary system commands to be injected into the device.
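The bug class described above, as an added example that is not the appliance's source (which is not reproduced on this page): a reconstructed vulnerable handler shape next to a hardened one. The iptables command template, the function names and the sample inputs are assumptions for illustration; both versions build the command string and print it rather than executing it, so the script is safe to run anywhere.

```php
<?php
// Added example, not the vendor's code. It models the pattern behind
// CVE-2016-9553: a request parameter reaching shell_exec() unescaped.
// The command template below is an assumption; the appliance's real
// command is not documented in the advisory.

declare(strict_types=1);

/**
 * Vulnerable shape (reconstruction): the parameter is concatenated
 * straight into the shell command. Returned here instead of executed.
 */
function vulnerableBlockCommand(array $params): string
{
    $ip = $params['blockip'] ?? '';
    $cmd = 'iptables -I INPUT -s ' . $ip . ' -j DROP'; // assumed template
    // In the vulnerable pattern the next line would be: shell_exec($cmd);
    return $cmd;
}

/**
 * Hardened handler: validate the value as a literal IP address before it
 * gets near a shell, and still quote it as a single argument (defence in
 * depth; the validation is the real control). Returns null on rejection.
 */
function hardenedBlockCommand(array $params): ?string
{
    $ip = $params['blockip'] ?? null;
    if (!is_string($ip)) {
        return null;
    }
    $ip = trim($ip);
    // FILTER_VALIDATE_IP accepts only a bare IPv4/IPv6 address, so shell
    // metacharacters such as ';', '|', '`' or '$(' can never pass.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    return 'iptables -I INPUT -s ' . escapeshellarg($ip) . ' -j DROP';
}

// Constructed sample inputs: a benign address and an injection attempt.
$requests = [
    ['blockip' => '203.0.113.7'],
    ['blockip' => '203.0.113.7; id > /tmp/pwned'],
];

foreach ($requests as $req) {
    printf("input: %s\n", $req['blockip']);
    printf("  vulnerable builds: %s\n", vulnerableBlockCommand($req));
    $safe = hardenedBlockCommand($req);
    printf("  hardened builds:   %s\n", $safe === null ? '(rejected)' : $safe);
}
```

Run it with `php` from the command line. The point of the hardened version is that escaping alone is the weaker fix: if a later refactor drops escapeshellarg(), the allow-list validation still stops the injection, whereas escaping with no validation still lets through anything the shell happens to treat as literal.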
The page that contains the vulnerabilities, /controllers/MgrReport.php, is reached by a number of the appliance's built-in reports in the administrative interface. The report pages that call the vulnerable page (passed in the '&c=' parameter) are: 'report', 'trend_volume', 'trend_suspect', 'top_app_ctrl', 'perf_latency', 'perf_throughput', 'users_browse_summary', 'traf_sites', 'traf_blocked', 'traf_users', 'users_virus_downloaders', 'users_pua_downloaders', 'users_highrisk', 'users_policy_violators', 'users_top_users_by_browse_time', 'users_quota', 'users_browse_time_by_user', 'users_top_users_by_category', 'users_site_visits_by_user', 'users_category_visits_by_user', 'users_monitored_search_queries', 'users_app_ctrl', 'traf_category', 'traf_download', and 'warned_sites'.
Exploitation of this vulnerability yields shell access to the remote machine as the system account 'spiderman'.
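A detection-side companion to the details above, added here and not part of the advisory: an offline checker that flags web-server log entries for requests to /controllers/MgrReport.php whose 'blockip' or 'unblockip' value is not a plain IP address. The Combined Log Format layout and the sample lines are constructed; the parameter names and path come from the advisory, everything else is an assumption.

```php
<?php
// Added example, not from the advisory: flag access-log requests to the
// vulnerable controller whose blockip/unblockip value is not a bare IP.
// Log format and sample lines are constructed for illustration.

declare(strict_types=1);

const VULN_PATH   = '/controllers/MgrReport.php';
const VULN_PARAMS = ['blockip', 'unblockip'];

/**
 * Classify one request target. Returns a reason string when the request
 * hits the vulnerable controller with a non-IP blockip/unblockip value,
 * or null when it looks benign or unrelated.
 */
function classifyRequest(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || ($parts['path'] ?? '') !== VULN_PATH) {
        return null;
    }
    if (empty($parts['query'])) {
        return null;
    }
    // parse_str percent-decodes, so "%3B" is inspected as ";".
    parse_str($parts['query'], $query);
    foreach (VULN_PARAMS as $name) {
        if (!isset($query[$name]) || !is_string($query[$name])) {
            continue;
        }
        $value = $query[$name];
        if (filter_var($value, FILTER_VALIDATE_IP) !== false) {
            continue; // legitimate use: a literal IPv4/IPv6 address
        }
        if (preg_match('/[;&|`$(){}<>\n\r]/', $value)) {
            return sprintf("shell metacharacters in '%s': %s", $name, $value);
        }
        return sprintf("non-IP value in '%s': %s", $name, $value);
    }
    return null;
}

/** Pull the request target out of a Combined Log Format line. */
function requestTarget(string $line): ?string
{
    return preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m) ? $m[1] : null;
}

// Constructed sample log lines: one benign use, one URL-encoded injection
// attempt against 'unblockip', one unrelated request.
$lines = [
    '10.0.0.5 - admin [20/Jan/2017:10:00:01 +0000] "GET /controllers/MgrReport.php?c=traf_blocked&blockip=203.0.113.7 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [20/Jan/2017:10:00:09 +0000] "GET /controllers/MgrReport.php?c=traf_blocked&unblockip=203.0.113.7%3Bid%3E%2Ftmp%2Fx HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jan/2017:10:01:00 +0000] "GET /controllers/Home.php HTTP/1.1" 200 100',
];

foreach ($lines as $n => $line) {
    $target = requestTarget($line);
    $reason = $target === null ? null : classifyRequest($target);
    printf("line %d: %s\n", $n + 1, $reason ?? 'ok');
}
```

Two caveats for anyone adapting this: it only sees parameters that appear in the logged request line, so a POST body carrying blockip/unblockip will not be caught unless the proxy or WAF in front of the appliance records bodies; and because the attacker can pick any of the report pages listed above as the '&c=' value, matching on the controller path and parameter rather than on a particular 'c' value is what keeps the check complete.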
Vendor Response
Sophos has issued an update to correct this vulnerability. More details can be found at:

http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.html

Credit
This vulnerability was discovered by Russell Sanford of Critical Start.
CVSS Score
CVSS Base Score: 8.5

CVSS v2 Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C/E:F/RL:OF/RC:C/CDP:ND/TD:ND/CR:H/IR:H/AR:ND)

Affected Vendors
Sophos

Affected Products
Web Appliance before version 4.3.1.3

Disclosure Timeline
2016-11-12 - Vulnerability discovered in audit
2016-11-13 - POC exploit created
2016-11-19 - Contacted MITRE for CVE
2016-11-22 - CVE-2016-9553 assigned
2016-11-29 - Sophos Contacted through Bugcrowd to coordinate fix
2017-01-20 - Sophos patched bug in Version 4.3.1 (Work Order# NSWA-1258)
2017-01-20 - Coordinated public release of advisory
2017-01-28 - CVE-2016-9553 publicly released.

About Critical Start
Critical Start is an employee-owned cybersecurity company with the goal of improving the security capability of our clients using a strategy-based methodology known as the Defendable Network. We provide security consulting services, PCI QSA services, product fulfillment, and Managed Security Services.

To schedule an appointment to discuss a cybersecurity assessment or penetration test with our team members, please call 214-810-6760 or email info@criticalstart.com.
