CVE-2016-9554
published 2017-01-28


Priority: P2 (60, high)
CVSS 3.0: 7.2 (AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H)
Exploit: yes
EPSS: 24.45% (97.6th percentile)
The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application doesn't properly escape the information passed in the 'url' variable before calling the executeCommand class function ($this->dtObj->executeCommand). This function calls exec() with unsanitized user input allowing for remote command injection. The page that contains the vulnerabilities, /controllers/MgrDiagnosticTools.php, is accessed by a built-in command answered by the administrative interface. The command that calls to that vulnerable page (passed in the 'section' parameter) is: 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account.

Affected

1 range
Vendor: sophos
Product: web_appliance
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /controllers/MgrDiagnosticTools.php
url: /index.php?c=login
url: ?c=diagnostic_tools
path: /tmp/m
path: /tmp/n
command: sudo /bin/rm -f /tmp/n ;printf "<encoded_cmd>" > /tmp/n; chmod +rx /tmp/n;/tmp/n
  • Look for POST requests to /index.php?c=diagnostic_tools containing the parameters 'action=wget', 'section=configuration', and a 'url' field with backtick-enclosed command injection payloads (e.g., url=htt%3a%2f%2f...`<cmd>`).
  • Monitor for creation and execution of ELF binaries dropped to /tmp/m or /tmp/n on Sophos Web Appliance hosts, particularly following web server process activity.
  • Alert on processes spawned under the 'spiderman' user account on Sophos Web Appliance systems, as successful exploitation yields a shell under this account.
  • Detect POST requests to /index.php?c=login followed shortly by POST requests to ?c=diagnostic_tools from the same source IP, indicating the two-stage exploit flow (authentication followed by command injection).
  • Inspect the 'url' POST parameter in requests to the diagnostic_tools controller for URL-encoded backtick characters (%60) or shell metacharacters indicating command injection attempts.
  • The exploit requires prior authentication to the administrative interface (post-auth vulnerability); unauthenticated exploitation is not possible. Detection should account for the login step preceding the injection.
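The two detection ideas above (shell metacharacters in the 'url' parameter of a wget POST to the diagnostic_tools controller, and a login POST followed shortly by a diagnostic_tools POST from the same source) as an added example, not code from the page or from any vendor tool; the request records and the five-minute window are constructed assumptions, and the record layout is hypothetical:

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that have no place in a URL handed to wget by the
# diagnostic tool; the backtick is the one the advisory calls out explicitly.
SHELL_META = re.compile(r"[`;|&]|\$\(")
LOGIN_TO_DIAG_WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed sample requests (hypothetical, not from any real capture).
# Each record: (ISO timestamp, source IP, method, request target, raw POST body).
SAMPLE_REQUESTS = [
    ("2017-01-28T10:00:01", "203.0.113.7", "POST", "/index.php?c=login",
     "username=admin&password=REDACTED"),
    ("2017-01-28T10:00:09", "203.0.113.7", "POST", "/index.php?c=diagnostic_tools",
     "action=wget&section=configuration&url=http%3A%2F%2Fexample.invalid%2F%60id%60"),
    ("2017-01-28T10:05:00", "198.51.100.4", "POST", "/index.php?c=diagnostic_tools",
     "action=wget&section=configuration&url=http%3A%2F%2Fwww.example.com%2Fstatus"),
]

def controller(target):
    """Value of the 'c' query parameter, e.g. 'login' or 'diagnostic_tools'."""
    return parse_qs(urlsplit(target).query).get("c", [None])[0]

def find_injection_attempts(requests):
    """(timestamp, src, decoded url) for wget POSTs whose 'url' carries shell metacharacters."""
    hits = []
    for ts, src, method, target, body in requests:
        if method != "POST" or controller(target) != "diagnostic_tools":
            continue
        params = parse_qs(body)  # percent-decodes, so %60 becomes a literal backtick
        if params.get("action") != ["wget"]:
            continue
        for url in params.get("url", []):
            if SHELL_META.search(url):
                hits.append((ts, src, url))
    return hits

def find_login_then_diag(requests, window=LOGIN_TO_DIAG_WINDOW):
    """Source IPs that POST to the login page and then to diagnostic_tools within `window`."""
    last_login, flagged = {}, []
    for ts, src, method, target, _ in sorted(requests):  # ISO timestamps sort lexically
        if method != "POST":
            continue
        t = datetime.fromisoformat(ts)
        if controller(target) == "login":
            last_login[src] = t
        elif controller(target) == "diagnostic_tools" and src in last_login:
            if t - last_login[src] <= window:
                flagged.append(src)
    return flagged
```

Only the backtick match is high confidence; ';' and '&' can occur in legitimate URLs, so treat those hits as a lower-severity signal to be reviewed together with the login correlation.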

CVSS provenance

NVD, CVSS v3.0: 7.2 HIGH (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 9.0 CRITICAL (AV:N/AC:L/Au:S/C:C/I:C/A:C)