
CVE-2016-9554

Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection

Severity Score (CVSS v3): 7.2

Exploit Likelihood (EPSS):

Affected Versions (CPE):

Public Exploits (multiple sources): 2

Exploited in Wild (KEV): -

Decision (SSVC): -

Descriptions

The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to remote command injection in its web administrative interface. The flaw is in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application does not properly escape the value passed in the 'url' variable before calling the executeCommand class method ($this->dtObj->executeCommand), which in turn calls exec() with the unsanitized user input, allowing remote command injection. The vulnerable page, /controllers/MgrDiagnosticTools.php, is reached through a built-in command handled by the administrative interface; the command that invokes it (passed in the 'section' parameter) is 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account.


*Credits: N/A
CVSS Scores
CVSS v3
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Complete
  • Integrity: Complete
  • Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2016-11-22 CVE Reserved
  • 2016-12-12 First Exploit
  • 2017-01-28 CVE Published
  • 2024-06-06 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor | Product       | Version | Other | Status
Sophos | Web Appliance | 4.2.1.3 | -     | Affected