CVE-2014-2849
Published 2014-04-11
Priority P2 (65), severity high
CVSS 2.0 base score 8.5, vector AV:N/AC:L/Au:S/C:N/I:C/A:C
Exploit available
EPSS 60.93% (99.0th percentile)
The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request.
Affected
78 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | web_appliance_firmware | <= 3.8.1.1 | — |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /index.php?c=change_password containing an 'admins' parameter with a JSON payload overriding the admin password hash; this is the mass assignment exploitation vector.
- Detect POST requests to /index.php?c=netinterface where the 'address' field contains backtick characters or shell metacharacters, indicating command injection in the static network interface configuration.
- Look for the static password 'notpassword' (used as the salt in the exploit) appearing in authentication attempts to the admin account on the Sophos Web Appliance login endpoint.
- Detect the 'admins' POST parameter containing JSON with the 'default_admin' id and a crafted password hash field; this is the specific payload used to overwrite the admin credentials.
- Alert on base64-encoded payloads piped to 'base64 --decode|sh' appearing in HTTP POST body fields (e.g., 'address') on the Sophos Web Appliance management interface.
- The exploit targets Sophos Web Protection Appliance version 3.8.1.1 specifically; the vulnerability affects versions before 3.8.2.
- Exploitation requires an initial valid (non-admin) authenticated session; the attacker must supply a working USERNAME and PASSWORD to begin the attack chain.
- A side effect of the exploit is deletion of all non-admin user accounts on the appliance, which may serve as a forensic indicator of compromise.
- The exploit uses SSL (HTTPS on port 443) by default; detection rules must inspect TLS-decrypted traffic to catch the attack.
No detection rules found.
Exploit-DB
Sophos Web Protection Appliance Interface - (Authenticated) Arbitrary Command Execution (Metasploit)
exploitdb · 2014-04-10 · also indexed under CVE-2014-2850
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution',
      'Description' => %q{
        This module takes advantage of two vulnerabilities in order to gain remote code execution as root
        as an otherwise non-privileged authorized user. By taking advantage of a mass assignment
        vulnerability that allows an unprivileged authenticated user to change the administrator's
        password hash, the module updates the password to login as the admin to reach the second vulnerability.
        No server-side sanitizatio
```
Metasploit
Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution
This module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment vulnerability that allows an unprivileged authenticated user to change the administrator's password hash, the module updates the password to login as the admin to reach the second vulnerability. No server-side sanitization is done on values passed when configuring a static network interface. This allows an administrator user to run arbitrary commands in the context of the web application, which is root when configuring the network interface. This module will inadvertently delete any other users that may have been present a
No writeups or analysis indexed.
References
- http://secunia.com/advisories/57706
- http://www.exploit-db.com/exploits/32789
- http://www.securityfocus.com/bid/66734
- http://www.sophos.com/en-us/support/knowledgebase/120230.aspx
- http://www.zerodayinitiative.com/advisories/ZDI-14-069/