rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Add in Exploit for CVE-2023-1671 - Pre-Auth RCE in Sophos Web Appliance < 4.3.10.4 #17962

Open gwillcox-r7 opened 1 year ago

gwillcox-r7 commented 1 year ago

Summary

Preauth RCE in Sophos Web Appliance prior to 4.3.10.4 allows attackers to easily gain control over vulnerable devices.

Basic example

POC: https://github.com/W01fh4cker/CVE-2023-1671-POC or https://github.com/ohnonoyesyes/CVE-2023-1671. Writeup: https://vulncheck.com/blog/cve-2023-1671-analysis

Motivation

Preauth RCE in a decently popular product. Caveats are as listed below:

h00die commented 1 year ago

https://www.exploit-db.com/exploits/51396

errorxyz commented 10 months ago

Hi, I would like to work on this issue, but I couldn't get the vulnerable software linked here to run. It'd be helpful if @wvu could provide the vulnerable software link.

wvu commented 10 months ago

Pretty sure that's where I got it from.

errorxyz commented 10 months ago

How did you set it up? I downloaded all the SWA proxy files into a directory and used VMware Workstation Player (the website says we can use Workstation for testing purposes instead of ESX) to open the .ovf file, but it raised a duplicate interfaceID error while loading it up. Searching for the error online didn't seem to help much.