Netsweeper 4.0.8 - Arbitrary File Upload Execution

2015-08-21T00:00:00
ID EXPLOITPACK:E33678A15976BC74CE3B200A8AAC6A82
Type exploitpack
Reporter Anastasios Monachos
Modified 2015-08-21T00:00:00

Description

Netsweeper 4.0.8 - Arbitrary File Upload Execution

                                        
                                            +--------------------------------------------------------+
+ Netsweeper 4.0.8 - Arbitrary File Upload and Execution +
+--------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version 	: 4.0.8 (and probably other versions)
Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched      	: Yes
CVE		: CVE-2014-9619

+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.

+----------------------+
+ Exploitation Details +
+----------------------+
Netsweeeper 4.0.8 (and probably other versions) allows an authenticated user with admin privileges on the Cloud Manager web console, to upload arbitrary PHP code (eg PHP shell) and further execute it.

To replicate the bug, pipe the following request while being authenticated using admin privileges: http://netsweeper/webadmin/ajaxfilemanager/ajaxfilemanager.php

From the response page you can upload any GIF-lookalike php shell (remember to use basic evasion technique for file to upload successfully, hint: filename="secuid0.php.gif" with gif like header and php shell following)

Then, access your shell from: https://netsweeper/webadmin/deny/images/secuid0.php.gif and profit.

+----------+
+ Solution +
+----------+
Upgrade to latest version.

+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9619
11-Aug-2015: Public disclosure