In September, Sophos addressed a remote code execution vulnerability (CVE-2020-25223) in the WebAdmin of SG UTM that was reported via the company bug bounty program. At the time, the security vendor said that there was no evidence that the vulnerability was exploited in attacks in the wild.
Now researcher Justin Kennedy from security consultancy Atredis Partners disclosed technical details about the RCE. The expert analyzed vulnerable UTM devices used by one of its customers and studied the differences between the patched and unpatched versions of the software to determine how it was fixed and how to exploit the issue.
“When looking for the details on a known patched bug, I started off the same way any sane person would, comparing the differences between an unpatched version and a patched version.” explained the expert in a blog post. “I grabbed ISOs for versions
9.511-2 of the Sophos UTM platform and spun them up in a lab environment. Truth be told I ended up spinning up six different versions, but the two I mentioned were what I ended up comparing in the end.”
The expert discovered that it was quite easy to trigger this vulnerability, an attacker could exploit the flaw by sending an HTTP request to vulnerable devices.
If the WebAdmin of Sophos SG UTM was exposed only a remote authenticated attacker could easily exploit it.
“After spending some time attempting to bypass the regex and try different payloads, I had a thought… This input filter only triggers when the location matches webadmin.plx.” explained the expert. “And then I saw it and it was beautiful:
RewriteRule ^/var /webadmin.plx
Making an HTTP request to the
/var endpoint is the same as making a request to the
/webadmin.plx endpoint, but without the filter. Making the request again, but to the new endpoint:
And here’s our file:
# ls -l /tmp/pwned -rw-r--r-- 1 root root 0 Aug 17 17:07 /tmp/pwned
We now have unauthenticated RCE on the Sophos UTM appliance as the root user.“
Organizations using vulnerable versions of the Sophos UTM appliance have to update them immediately.
(SecurityAffairs – hacking, Sophos UTM appliance )