What's worse than a boring Internet filter? How about one with a pre-authentication remote command execution hole and no fix?


Netsweeper's Internet filter has an unpleasant security hole that can be exploited to hijack the host server and tamper with the lists of blocked websites. There is no known fix at this time.

For those unfamiliar with it, Netsweeper makes software that monitors and blocks connections to unwanted websites and servers. It is aimed at parents, schools, government offices and businesses. It has many customers in the Middle East, where it is used to prevent access to content not meant for the local population, according to Citizen Lab, a Canadian investigative non-profit.

The flaw, which has not yet been assigned a CVE number, was discovered by an anonymous researcher and documented this week by Noam Rathaus, team leader of SecuriTeam Secure Disclosure. The bug is present in versions 6.4.3 and earlier of the web-based Netsweeper administration tool. It requires no authentication to exploit: if you can reach the software over the local network or the public Internet, you can compromise it.

Rathaus's write-up explains that the control panel login script, /webadmin/tools/unixlogin.php, fails to fully sanitize user-supplied data, allowing attackers to commandeer the machine. The login script accepts three parameters: timeout, login, and password. If you set the HTTP request's Referer header to a specific string, such as webadmin/admin/service_manager_data.php, the login script will execute a shell script which ultimately uses the password parameter unsafely in a Python invocation.

The second parameter, $2, in the line below is derived from the user-supplied password, in this line of the wonky shell script:

password=$($PYTHON -c "import crypt; print crypt.crypt('$2','$algo$salt')")

If you supply a password that causes $2 to contain, for example ...

$($PYTHON -c "import crypt; print crypt.crypt('g','');import os;os.system('id >/tmp/pwnd')#','$algo$salt')")

... you inject and execute a command which writes the output of id (the account the Netsweeper software runs as) to the file /tmp/pwnd. The single quote closes the string, the parentheses close the crypt.crypt() and print calls, and the trailing # turns the rest of the original line into a Python comment so the script still parses. Turning this remote code execution into something more malicious is left as an exercise for the reader.
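The following is an added example, not Netsweeper's code or SecuriTeam's proof of concept, that reproduces the shell-to-python -c quoting bug described above next to the fix. It assumes a stand-in script that hashes the password with hashlib.sha256 instead of crypt.crypt (so it runs on a current Python), an injected command of echo rather than id, and a marker file in a temporary directory rather than /tmp/pwnd; the quoting mistake and the payload shape are the same as on the page.

```python
"""Command injection through `python -c`, and the fix.

Constructed example (not Netsweeper's code): a stand-in for the
unixlogin.php -> shell script -> python chain.  hashlib.sha256 replaces
crypt.crypt so it runs on a current Python; the quoting bug is identical.
"""
import os
import shlex
import subprocess
import sys
import tempfile

PYTHON = shlex.quote(sys.executable)


def vulnerable_command(password: str) -> str:
    """Build the shell command the way the wonky script does: the
    user-supplied password is spliced into the Python source text that is
    handed to `python -c` inside a double-quoted shell string."""
    return (f"{PYTHON} -c \"import hashlib; "
            f"print(hashlib.sha256('{password}'.encode()).hexdigest())\"")


def vulnerable_hash(password: str) -> str:
    """Run the vulnerable command through a shell and return its stdout."""
    proc = subprocess.run(vulnerable_command(password), shell=True,
                          capture_output=True, text=True)
    return proc.stdout.strip()


def hardened_hash(password: str) -> str:
    """Fix: the password travels as an argv element, never as source text.
    The shell equivalent is  "$PYTHON" -c '...sys.argv[1]...' "$2"  with
    nothing interpolated into the -c string."""
    code = ("import hashlib, sys; "
            "print(hashlib.sha256(sys.argv[1].encode()).hexdigest())")
    proc = subprocess.run([sys.executable, "-c", code, password],
                          capture_output=True, text=True)
    return proc.stdout.strip()


def exploit_payload(marker: str) -> str:
    """The page's trick: close the string literal and the call, append a
    statement that runs a shell command, then comment out the rest of the
    line with '#'.  (The page uses os.system('id >/tmp/pwnd'); echo and a
    temp-dir marker are used here so the demo is harmless and portable.)"""
    return ("g'.encode()).hexdigest());import os;"
            f"os.system('echo pwned > {marker}')#")


def demo() -> dict:
    """Feed the same payload to both variants and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        vuln_marker = os.path.join(tmp, "pwnd_vuln")
        safe_marker = os.path.join(tmp, "pwnd_safe")
        vuln_out = vulnerable_hash(exploit_payload(vuln_marker))
        safe_out = hardened_hash(exploit_payload(safe_marker))
        return {
            # True: the injected os.system() ran and created the marker.
            "vulnerable_executed_injection": os.path.exists(vuln_marker),
            # False: the payload was hashed as an opaque string.
            "hardened_executed_injection": os.path.exists(safe_marker),
            "vulnerable_output": vuln_out,   # sha256 of just "g"
            "hardened_output": safe_out,     # sha256 of the whole payload
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable variant prints the hash of "g" because the attacker's string ended the literal early; everything after the # was discarded by the Python parser, which is why the script keeps working and the break goes unnoticed. Passing the secret as an argument, or reading it from stdin, removes the quoting problem entirely; escaping it for the shell alone would still leave the Python string literal to break out of.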

Rathaus told The Register that, in the worst-case scenario, an attacker could exploit the bug not only to take control of the host server, but also to manipulate how content is filtered and delivered to users through Netsweeper.

"[You can] control the data they receive when they access sites and download files," he said. "This is the worst part - because they can be made to unintentionally download malware and viruses."

Interestingly, Netsweeper doesn't seem too bothered by all of this. Neither Rathaus nor The Register were able to get any response from the vendor despite several attempts to contact the Canadian biz.

"We decided, after almost three weeks of testing and getting no response (via support emails, sales and via Twitter), that the best solution for the moment was full disclosure," Rathaus said of the decision to go public despite no assistance from the vendor. "I hope this can reach the right person who can get them to fix it."

In the meantime, Rathaus advises administrators to cut off remote access to the administration tool as best they can: make sure it is behind a firewall, at least, and away from rogue internal users. ®
