CVE-2014-2850
Published: 2014-04-11
Priority: P2 · 70 · high
CVSS 2.0: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Exploit: available
EPSS: 57.57% (99.0th percentile)
The network interface configuration page (netinterface) in Sophos Web Appliance before 3.8.2 allows remote administrators to execute arbitrary commands via shell metacharacters in the address parameter.
Affected
78 ranges · showing 25 (rows that carried no version data are omitted)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sophos | web_appliance_firmware | <= 3.8.1.1 | 3.8.2 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /index.php?c=netinterface containing shell metacharacters (backticks, pipes, semicolons) in the 'address' parameter, which is the injection point for command execution.
- Detect the mass assignment abuse pattern: a POST to /index.php?c=change_password that includes an 'admins' JSON field containing 'default_admin', which is used to overwrite the admin password hash as a non-privileged user.
- Alert on the exploit's characteristic payload delivery pattern in the 'address' field: a base64-encoded payload decoded and piped to sh via backtick shell injection (e.g., `echo <base64>|base64 --decode|sh`).
- Look for sequential authentication flows targeting the Sophos WPA: initial GET /index.php to harvest the STYLE key, followed by POST to /index.php?c=login, then POST to /index.php?c=change_password with an 'admins' parameter, then re-login as 'admin' with password 'notpassword', then POST to /index.php?c=netinterface.
- Flag login attempts to the Sophos WPA using the static credential 'admin'/'notpassword', which is the hardcoded password set by the Metasploit exploit module during the privilege escalation chain.
- The exploit targets Sophos Web Protection Appliance version 3.8.1.1 and earlier (fixed in 3.8.2). The vulnerable endpoint is only reachable over HTTPS (port 443) and requires prior authentication, so exploitation requires valid credentials or successful chaining with the mass assignment vulnerability.
- The exploit's mass assignment step (changing the admin password hash) deletes all other user accounts on the appliance as a side effect, which may be a detectable artifact of exploitation.
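One way to turn the first two indicators above into a check over captured requests, as an added example that is not part of this page or of any Sophos or Metasploit code. It assumes requests arrive decoded from a reverse proxy or WAF capture (plain access logs do not carry POST bodies); the sample records and alert strings are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a value break out of a shell command line: the
# backticks, pipes and semicolons named in the advisory plus $(...) and &&.
SHELL_META = re.compile(r"[`|;&$<>\n]")
# A legitimate static interface address is a dotted quad.
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def inspect_request(method, url, body):
    """Return alert strings for one decoded request (method, URL, form body)."""
    alerts = []
    if method.upper() != "POST":
        return alerts
    parts = urlsplit(url)
    controller = parse_qs(parts.query).get("c", [""])[0]
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if parts.path.endswith("/index.php") and controller == "netinterface":
        addr = form.get("address", "")
        # Anything that is not a plain IPv4 address, or that carries a shell
        # metacharacter, matches the CVE-2014-2850 injection point.
        if addr and (SHELL_META.search(addr) or not IPV4.match(addr)):
            alerts.append(f"netinterface address injection: {addr!r}")
    if parts.path.endswith("/index.php") and controller == "change_password":
        # Mass-assignment step: an 'admins' JSON blob that names default_admin.
        if "default_admin" in form.get("admins", ""):
            alerts.append("change_password mass assignment targeting default_admin")
    return alerts


# Constructed sample capture (not real traffic): one benign interface change,
# then the two steps of the chain described above.
SAMPLE = [
    ("POST", "/index.php?c=netinterface", "address=10.0.0.5&netmask=255.255.255.0"),
    ("POST", "/index.php?c=change_password",
     "password=x&admins=" + json.dumps({"default_admin": {"password": "HASH"}})),
    ("POST", "/index.php?c=netinterface", "address=10.0.0.5%3Bid"),
]


def scan(records=SAMPLE):
    """Run inspect_request over a capture; returns (record index, alert) pairs."""
    return [(i, a) for i, (m, u, b) in enumerate(records)
            for a in inspect_request(m, u, b)]
```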
No detection rules found.
Exploit-DB
Sophos Web Protection Appliance Interface - (Authenticated) Arbitrary Command Execution (Metasploit)
exploitdb · 2014-04-10 · CVE-2014-2850
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The rank and mixin includes between the class line and the module
  # metadata were lost when this listing was extracted.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution',
      'Description' => %q{
        This module takes advantage of two vulnerabilities in order to gain remote code execution as root
        as an otherwise non-privileged authorized user. By taking advantage of a mass assignment
        vulnerability that allows an unprivileged authenticated user to change the administrator's
        password hash, the module updates the password to login as the admin to reach the second vulnerability.
        No server-side sanitizatio
```
(the listing is truncated on the page at this point)
Metasploit
Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution
metasploit
This module takes advantage of two vulnerabilities in order to gain remote code execution as root as an otherwise non-privileged authorized user. By taking advantage of a mass assignment vulnerability that allows an unprivileged authenticated user to change the administrator's password hash, the module updates the password to login as the admin to reach the second vulnerability. No server-side sanitization is done on values passed when configuring a static network interface. This allows an administrator user to run arbitrary commands in the context of the web application, which is root when configuring the network interface. This module will inadvertently delete any other users that may have been present a
No writeups or analysis indexed.
References
- http://secunia.com/advisories/57706
- http://www.exploit-db.com/exploits/32789
- http://www.securityfocus.com/bid/66734
- http://www.sophos.com/en-us/support/knowledgebase/120230.aspx
- http://www.zerodayinitiative.com/advisories/ZDI-14-069/