PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published

CVE-2023-1671 PoC

The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users.

CVE-2023-1671: Sophos Web Appliance Code Execution Vulnerability

CVE-2023-1671 is a pre-auth command injection in the warn-proceed handler of Sophos Web Appliance: an unauthenticated attacker who can reach the appliance's web interface sends a specially crafted request and gets arbitrary commands executed on the system. With the PoC now publicly available on GitHub, it is more important than ever for users to understand the vulnerability and take appropriate measures to safeguard their systems.

Dissecting the Patch: A Closer Look at the Code

The patch provided by Sophos addresses the vulnerability in the /opt/ws/bin/ftsblistpack Perl script. It changes the call to Perl's system function from the single-string form, which hands the whole command line to /bin/sh for parsing, to the list form, which executes $sblistpack directly with each value as its own argument. Because no shell ever parses the user-supplied values, quotes and metacharacters in them lose their effect, as seen in the comparison between the unpatched and patched code.

--- unpatched/opt/ws/bin/ftsblistpack   2022-04-08 20:38:49.000000000 -0500

+++ patched/opt/ws/bin/ftsblistpack 2023-03-24 17:08:26.000000000 -0500
@@ -25,7 +25,7 @@
open my $flag, ">", "$flag_file_dir/$proceeded_flag_file" or die "Open file [$flag_file_dir/$proceeded_flag_file] failed" and $rc++;
close($flag);

- $rc += system("$sblistpack '$uri' '$user' '$filetype' '$filein' '$fileout'");
+ $rc += system($sblistpack, $uri, $user, $filetype, $filein, $fileout);
}

exit $rc;
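Review bot: the list-form system() on the + line stops /bin/sh from interpreting $uri, $user, $filetype, $filein and $fileout, but it does not validate the values themselves: each now reaches $sblistpack as a separate argv entry, so a value beginning with '-' can be taken as an option, and the file paths are still passed through unchecked; add a check on these values (or a '--' separator, if sblistpack accepts one) before the call. Also, `$rc += system(...)` accumulates the raw wait status (a child exit code of 1 adds 256), so the final `exit $rc;` reports a truncated value to the caller; use `system(...) == 0 or $rc++` instead. And in the context line above, `or die "..." and $rc++` never increments $rc because die does not return; if the intent is to record the failure and continue, it should be `or do { warn "..."; $rc++ }`.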

Tracing the Vulnerability: From Sink to Source

The unpatched code reveals that /opt/ui/apache/htdocs/controllers/UsrBlocked.php shells out to ftsblistpack with user-supplied parameters. Notably, the user-controlled input does go through PHP's escapeshellarg function, which wraps the value in single quotes and escapes any embedded single quote. That is enough to protect the shell that shell_exec launches: it strips the quoting and hands ftsblistpack the original value, single quotes included, as one argument. The unpatched Perl script then interpolates that value into a second single-quoted shell string, `'$uri'`, where an embedded single quote closes the quoting and whatever follows it is parsed as shell syntax. The escaping is applied once, but the value is parsed by a shell twice, and that second parse is what the exploit relies on.

if($_GET['action'] == 'continue') {

    // Pick the username: the decoded user_encoded field, else the client IP
    if(strlen(trim($_POST['user'])) > 0)
        $user = base64_decode($_POST['user_encoded']);
    else
        $user = $_POST['client-ip'];
    if($user == '-') $user = $_POST['client-ip'];
    $user = escapeshellarg($user);
    //snip
    // use sblistpack to allow access
    if($_POST['args_reason'] == 'filetypewarn') {
        // file-type warning: key is the requested URL, value the file type
        $key = $_POST['url'];
        $packer = '/opt/ws/bin/ftsblistpack';
        $value = $_POST['filetype'];
    }
    else {
        // category warning: key is the domain, value the category id
        $key = $_POST['domain'];
        $packer = '/opt/ws/bin/sblistpack';
        $catParts = explode("|",$_POST['raw_category_id']);
        $value = $catParts[0];
    }

    // escapeshellarg() only protects this shell_exec() call: /bin/sh removes
    // the quoting again before $packer sees the values
    $key = escapeshellarg($key);
    $value = escapeshellarg($value);
    $this->log->write("DEBUG","cmd = '$packer $key $user $value'");
    $result = shell_exec("$packer $key $user $value 2>&1");
    //snip: remainder of the handler
}
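To make the two-layer quoting problem concrete, the following Python model traces one request through both shell parses: PHP's escapeshellarg and shell_exec first, then the unpatched and patched forms of the Perl system call. This is an added example, not code from the original post or from Sophos; it assumes that the three PHP arguments (url, user, filetype) map onto $uri, $user and $filetype in ftsblistpack and uses fixed placeholder names for $filein and $fileout, and the URL payload and client IP are constructed sample input.

```python
import shlex

# Paths as they appear in the page's PHP and Perl excerpts
FTSBLISTPACK = "/opt/ws/bin/ftsblistpack"
SBLISTPACK = "/opt/ws/bin/sblistpack"


def php_escapeshellarg(arg):
    """PHP's escapeshellarg() on POSIX: single-quote the value and turn every
    embedded ' into '\\'' so the FIRST shell sees the value as one word."""
    return "'" + arg.replace("'", "'\\''") + "'"


def php_command_line(packer, key, user, value):
    """The string UsrBlocked.php hands to shell_exec() (the 2>&1 is omitted)."""
    return "{} {} {} {}".format(packer, php_escapeshellarg(key),
                                php_escapeshellarg(user), php_escapeshellarg(value))


def argv_after_shell(cmdline):
    """What the first /bin/sh turns that line into: the argv ftsblistpack gets.
    The escapeshellarg quoting is consumed here; the raw value comes through."""
    return shlex.split(cmdline)


def unpatched_perl_command_line(uri, user, filetype, filein, fileout):
    """Unpatched ftsblistpack: system("$sblistpack '$uri' '$user' ...") builds
    a SECOND shell string from values that are no longer escaped."""
    return "{} '{}' '{}' '{}' '{}' '{}'".format(SBLISTPACK, uri, user,
                                                filetype, filein, fileout)


def patched_perl_argv(uri, user, filetype, filein, fileout):
    """Patched ftsblistpack: list-form system() execs the program directly,
    so each value is one argv entry whatever characters it contains."""
    return [SBLISTPACK, uri, user, filetype, filein, fileout]


def shell_words(cmdline):
    """Tokenise like /bin/sh, keeping ; | & as their own tokens so a command
    boundary introduced by the injected value is visible."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injected_commands(words):
    """Command names that follow a ';' in the tokenised second shell line."""
    return [words[i + 1] for i, w in enumerate(words[:-1]) if w == ";"]


def trace(url, user, filetype, filein="in.dat", fileout="out.dat"):
    """Follow one warn-proceed request through both shell parses."""
    php_cmd = php_command_line(FTSBLISTPACK, url, user, filetype)
    argv = argv_after_shell(php_cmd)            # [FTSBLISTPACK, url, user, filetype]
    uri, user_arg, ftype = argv[1:4]            # assumed mapping onto the Perl variables
    second = unpatched_perl_command_line(uri, user_arg, ftype, filein, fileout)
    return {
        "php_command_line": php_cmd,
        "ftsblistpack_argv": argv,
        "unpatched_second_shell": second,
        "unpatched_words": shell_words(second),
        "patched_argv": patched_perl_argv(uri, user_arg, ftype, filein, fileout),
    }


if __name__ == "__main__":
    # Constructed sample: a URL carrying a single quote, a ';' and a command
    t = trace("http://example.test/a.exe'; id; '", "10.0.0.5", "exe")
    for k, v in t.items():
        print("{:24s} {!r}".format(k, v))
    print("injected:", injected_commands(t["unpatched_words"]))
```

The trace shows the single quote surviving the first shell intact, the `;` and `id` appearing as separate command tokens in the unpatched second shell line, and the same URL sitting unchanged as one argv entry under the patched list-form call.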

Understanding the Proof-of-Concept

The PoC for CVE-2023-1671, now available on GitHub, demonstrates how the vulnerability can be exploited, providing valuable insight for both security researchers and potential attackers. Its publication emphasizes the need for affected users to apply the patch as soon as possible to protect their systems.