What's worse than an annoying internet filter? How about one with a pre-auth remote-command execution hole and there's no patch?

Bug can be exploited to hijack server, meddle with block lists

Got Tips? 36 Reg comments

Netsweeper's internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. There are no known fixes right now.

For those unfamiliar, Netsweeper makes software that monitors and blocks connections to undesirable websites and servers. It's aimed at parents, schools, government offices, and companies. It has a lot of customers in the Middle East, where it's used to prevent access to content not meant for the local populace, according to investigative Canadian non-profit Citizen Lab.

The flaw, yet to be given a CVE number, was discovered by an anonymous researcher, and documented this week by SecuriTeam Secure Disclosure team leader Noam Rathaus. The bug is present in the web-based Netsweeper administration tool versions 6.4.3 and earlier. It doesn't require any authentication to exploit: if you can reach the software over the local network or public internet, you can compromise it.

What Rathaus's source found was that the control panel's login script, /webadmin/tools/unixlogin.php, fails to fully sanitize user-supplied data, allowing miscreants to commandeer the machine. The login script accepts three parameters: timeout, login, and password. If you set the HTTP request referer header to a specific string, such as webadmin/admin/service_manager_data.php, the login script will execute a shell script that ultimately uses the password parameter unsafely in a Python invocation.

The second parameter, $2, below is derived from the original user-supplied password, in this line in the wonky shell script:

password=$($PYTHON -c "import crypt; print crypt.crypt('$2','\$$algo\$$salt\$')")

If you supply a password that causes $2 to contain, for example...

($P>YTHON -c "import crypt; print crypt.crypt('g','');import os;os.system('id >/tmp/pwnd')#','\$$algo\$$salt\$')")

...you inject and execute a command that stores the Netsweeper software's user ID to the file /tmp/pwnd. It's left as an exercise for the reader to turn this remote-code execution into something malicious.

Rathaus told The Register that, in the worst case scenario, a hacker could exploit the bug to not only take over the host server, but also manipulate how users have their content filtered and delivered by Netsweeper.

"[You can] control what data they receive when they access sites and download files," he said. "This is the worst part – as they can be made to unintentionally download malware and viruses."

Injecting a software patch into a computer

Dear Adobe, Trend Micro users: Please vaccinate your software – at least some of these security holes were exploited in the wild

READ MORE

Interestingly, Netsweeper doesn't seem too bothered by any of this. Neither Rathaus nor The Register were able to get any response from the vendor despite multiple attempts to contact the Canadian biz.

"We have decided after almost three weeks of trying and getting no response (via emails to support, sales and via Twitter) we decided that the best course of action at the moment is to release a full advisory," Rathaus said of the decision to go public despite no help from the vendor.

"Hopefully this can reach the right person that can get them to patch it."

In the meantime, Rathaus is advising admins to try as best they can to cut off any remote access to the administration tool: make sure it's behind a firewall, at least, and away from rogue internal users. ®

Sponsored: Webcast: Ransomware has gone nuclear

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Biting the hand that feeds IT © 1998–2020