CVE-2016-9554
Sophos Web Appliance 4.2.1.3 - DiagnosticTools Remote Command Injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits: 2
Exploited in Wild: -
Decision: -
Descriptions
Sophos Web Appliance / Secure Web Gateway version 4.2.1.3 is vulnerable to remote command injection in its web administrative interface. The flaw is in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), the component that runs diagnostic tests with the UNIX wget utility. The application does not escape the value of the 'url' parameter before passing it to the executeCommand class method ($this->dtObj->executeCommand), which calls exec() with that unsanitized user input; shell metacharacters in 'url' are therefore interpreted by the shell and arbitrary commands run on the appliance. The vulnerable page is reached through a built-in command of the administrative interface, selected by passing 'configuration' in the 'section' parameter. Successful exploitation yields shell access on the remote machine under the 'spiderman' user account rather than root.
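The following is an added, illustrative reconstruction of the pattern the description outlines; it is not the appliance's MgrDiagnosticTools.php code, which is not reproduced on this page. The function names, the wget flags and the sample 'url' values are assumptions made for the example. It shows what the shell would do with an unescaped 'url' value, the minimal escapeshellarg()-style fix, the preferred no-shell fix with input validation, and a detection-side check for the same parameter.

```python
"""Illustrative reconstruction of the CVE-2016-9554 pattern (added example,
not the appliance's code). Function names, wget flags and sample inputs
are assumptions; nothing here executes a command."""
import shlex
from urllib.parse import urlsplit

# Constructed attacker value for the 'url' parameter: a valid-looking URL
# followed by a shell command separator and a second command.
INJECTED = "http://example.test/; id > /tmp/pwned"


def shell_words(cmd: str) -> list:
    """Split a command string the way a POSIX shell would, keeping
    operators such as ';' and '>' as separate words, so we can see what
    exec() would actually run without executing anything."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def build_wget_vulnerable(url: str) -> str:
    """The flaw as described: the request value is concatenated into a
    command string and handed to the shell unescaped."""
    return "wget -q -O /dev/null " + url


def build_wget_quoted(url: str) -> str:
    """Minimal fix when a shell string cannot be avoided (as with PHP
    exec()): quote the value so the shell sees a single word.
    shlex.quote is the Python counterpart of PHP's escapeshellarg()."""
    return "wget -q -O /dev/null " + shlex.quote(url)


def build_wget_hardened(url: str) -> list:
    """Preferred fix: validate the input and never involve a shell.
    Returns an argv list meant for subprocess.run(argv) without shell=True.
    Safety comes from the argv boundary, not from character filtering: a
    ';' inside the URL path is legal and stays inside one argument."""
    if any(c.isspace() or ord(c) < 32 for c in url):
        raise ValueError("url must not contain whitespace or control chars")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Also blocks argument injection such as '--post-file=/etc/passwd',
        # because every accepted value starts with 'http'.
        raise ValueError("url must be an absolute http(s) URL")
    return ["wget", "-q", "-O", "/dev/null", url]


def looks_like_injection(url: str) -> bool:
    """Detection-side check a WAF rule or log review could apply to the
    'url' value of a diagnostic-tools request: shell metacharacters and
    whitespace have no business in a URL that wget is meant to fetch."""
    return any(c in url for c in ";|&`$()<>\n\t '\"")


if __name__ == "__main__":
    print(shell_words(build_wget_vulnerable(INJECTED)))   # 'id' is a separate command
    print(shell_words(build_wget_quoted(INJECTED)))       # one argument, no 'id'
    print(build_wget_hardened("http://example.test/;id"))  # ';' stays in the argument
    print(looks_like_injection(INJECTED))                  # True
```

Run it directly to compare the three command shapes side by side; the first line shows the injected `id` becoming its own command word, which is exactly what exec() would hand to the shell in the vulnerable handler.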
CVSS Scores
SSVC
- Decision: -
Timeline
- 2016-11-22 CVE Reserved
- 2016-12-12 First Exploit
- 2017-01-28 CVE Published
- 2024-06-06 EPSS Updated
- 2024-08-06 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (4)

Advisories

URL | Tag | Source
---|---|---
http://www.securityfocus.com/bid/95858 | Third Party Advisory |
https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1 | Release Notes |

Exploits

URL | Date | SRC
---|---|---
https://www.exploit-db.com/exploits/41414 | 2016-12-12 |
http://pastebin.com/UB8Ye6ZU | 2024-08-06 |
Affected Vendors, Products, and Versions

Vendor | Product | Version | Other | Status
---|---|---|---|---
Sophos | Web Appliance | 4.2.1.3 | - | Affected