SSD Advisory – Trustwave SWG Unauthorized Access

Credit to Author: SSD / Maor Schwartz| Date: Tue, 26 Dec 2017 07:07:13 +0000

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes an unauthorized access vulnerability that allows an unauthenticated user to add their own SSH key to a remote Trustwave SWG version 11.8.0.27.

Trustwave Secure Web Gateway (SWG) “provides distributed enterprises effective real-time protection against dynamic new malware, strong policy enforcement, and a unique Zero-Malware Guarantee when managed for you by our experts.”

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Trustwave was informed of the vulnerability, and released the following advisory: https://www.trustwave.com/Resources/Trustwave-Software-Updates/Important-Security-Update-for-Trustwave-Secure-Web-Gateway/

Vulnerability details
Trustwave SWG allows remote attackers to send to the SWG product a SSH key that will be used by the SWG product as the SSH key to logon to the device.

This allows unauthenticated user to send a POST request to /sendKey

Which will add the supplied ssh key to Trustwave SWG, which we can use it to login to the device:

If we will run the id command via ssh we will get the following response:

Once we connected to Trustwave SWG via SSH we can run commands as root by accessing /opt/finjan/msh/run_inside.py

Print Friendly, PDF & Email

https://blogs.securiteam.com/index.php/feed