annoying Netsweeper internet filter comes with a pre-auth remote-command execution hole and there’s no patch

Netsweeper’s internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. There are no known fixes right now.

For those unfamiliar, Netsweeper makes software that monitors and blocks connections to undesirable websites and servers. It’s aimed at parents, schools, government offices, and companies. It has a lot of customers in the Middle East, where it’s used to prevent access to content not meant for the local populace, according to investigative Canadian non-profit Citizen Lab.

The flaw, yet to be given a CVE number, was discovered by an anonymous researcher, and documented this week by SecuriTeam Secure Disclosure team leader Noam Rathaus. The bug is present in the web-based Netsweeper administration tool versions 6.4.3 and earlier. It doesn’t require any authentication to exploit: if you can reach the software over the local network or public internet, you can compromise it.

What Rathaus’s source found was that the control panel’s login script, /webadmin/tools/unixlogin.php, fails to fully sanitize user-supplied data, allowing miscreants to commandeer the machine. The login script accepts three parameters: timeout, login, and password. If you set the HTTP request referer header to a specific string, such as webadmin/admin/service_manager_data.php, the login script will execute a shell script that ultimately uses the password parameter unsafely in a Python invocation.

The second parameter, $2, below is derived from the original user-supplied password, in this line in the wonky shell script:

password=$($PYTHON -c "import crypt; print crypt.crypt('$2','\$$algo\$$salt\$')")

If you supply a password that causes $2 to contain, for example…

($P>YTHON -c "import crypt; print crypt.crypt('g','');import os;os.system('id >/tmp/pwnd')#','\$$algo\$$salt\$')")

…you inject and execute a command that stores the Netsweeper software’s user ID to the file /tmp/pwnd. It’s left as an exercise for the reader to turn this remote-code execution into something malicious.

Rathaus told The Register that, in the worst case scenario, a hacker could exploit the bug to not only take over the host server, but also manipulate how users have their content filtered and delivered by Netsweeper.

“[You can] control what data they receive when they access sites and download files,” he said. “This is the worst part – as they can be made to unintentionally download malware and viruses.”

Source: What’s worse than an annoying internet filter? How about one with a pre-auth remote-command execution hole and there’s no patch?