2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor presents an analysis of a 0day vulnerability in the Sophos firewall. The article is detailed and examines the attack from a professional point of view; I hope you gain something from reading it.
The attackers used a previously unknown SQL injection vulnerability in the Sophos firewall to achieve remote code execution on the device. A series of Linux shell scripts then downloaded malware compiled for the firewall operating system. The attack targeted Sophos products and was designed to steal sensitive information from firewalls.
Vulnerability analysis
The attackers discovered and exploited a zero-day SQL injection vulnerability leading to remote code execution, which allowed them to insert single-line commands into database tables.
The injected command triggers the affected device to download a Linux shell script named Install.sh from the malicious domain sophosfirewallupdate.com. The command writes the script to the /tmp directory, marks it executable with chmod, and runs it. The script (written to the device as x.sh) runs a series of SQL commands and drops further files into the virtual file system.
Initially, the Install.sh script runs a number of Postgres SQL commands to modify or zero out certain table values in the database, one of which records the administrative IP address, thereby masking the attack. However, on some devices, the shell script's activity caused the attacker's SQL command to appear on the firewall administration panel.
The script also drops other shell scripts into the /tmp directory and modifies a shell script belonging to the firewall operating system, appending a set of commands to the end of that script so that they run every time the firewall boots.
Technical analysis
The installer script x.sh drops two new shell scripts and modifies one operating system script. One of the implanted scripts is .lp.sh, whose main function is to connect to the malicious domain sophosfirewallupdate.com and download a Linux ELF executable built to run on the firewall operating system. The script writes the downloaded file to /tmp under the name b.
The b program deletes itself from the device's file system at run time, so it exists only in memory. It appears in the process list under the name cssconf.bin, which differs by one character from the legitimate cscconf.bin process running on the firewall. It reports its parent process ID as 1, which the legitimate cscconf.bin does not.
Once b is in memory, it repeats its task every 3 to 6 hours, choosing the delay interval at random the first time it runs. First, b checks whether a connection can be established to 43.229.55.44. If it cannot connect to that IP address, it attempts to resolve the IP address of the malicious domain sophosproductupdate.com.
If the domain resolves and the DNS result is not 127.0.0.1, it downloads another Linux ELF executable named Sophos.dat.
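The lookalike process name and the unusual parent PID described above are easy to hunt for in a process snapshot. The following is an added example, not code from the original report; it assumes a `ps -eo pid,ppid,comm`-style snapshot and a short allow-list of legitimate process names, both constructed here.

```python
"""Process-list triage for a one-character lookalike of cscconf.bin.

Added example (not from the original report). The allow-list and the process
snapshot below are constructed; on a real device the snapshot would come from
`ps -eo pid,ppid,comm` or /proc.
"""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str


LEGIT = ("cscconf.bin", "postgres", "sshd")  # constructed allow-list


def edit_distance_one(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def find_suspicious(procs, legit=LEGIT):
    """Return (pid, comm, reason) for lookalike names or an unexpected PPID of 1."""
    findings = []
    for p in procs:
        if p.comm in legit:
            # the report notes the legitimate cscconf.bin never reports PPID 1
            if p.comm == "cscconf.bin" and p.ppid == 1:
                findings.append((p.pid, p.comm, "expected daemon has PPID 1"))
            continue
        for name in legit:
            if edit_distance_one(p.comm, name):
                findings.append((p.pid, p.comm, f"one edit away from {name}"))
                break
    return findings


SAMPLE = [  # constructed snapshot: one legitimate daemon, one in-memory lookalike
    Proc(812, 1, "postgres"),
    Proc(903, 812, "cscconf.bin"),
    Proc(4471, 1, "cssconf.bin"),
    Proc(4480, 1, "sshd"),
]
```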
The second shell script dropped by Install.sh/x.sh is written to the /tmp directory as .pg.sh. Its main purpose is to download an ELF executable, served as bk on the web server and written to the file system under the name .post_MI.
The first-stage dropper Install.sh runs a number of Postgres SQL commands. These commands modify specific service values so that .post_MI is executed whenever the service runs, starting the malware after every reboot. The executable has limited functionality: it checks whether a file named .a.PGSQL has been written to the /tmp directory and, if it cannot be found, downloads the patch.sh script hosted on ragnarokfromasgard.com. That server did not respond while the attack was being analyzed.
The third script, named generate_curl_ca_bundle.sh, is part of the firewall's internal operating system and is modified in place. Before modifying it, the Install.sh/x.sh script backs up the original file under the same name with a leading dot (.generate_curl_ca_bundle.sh). The modified script drops another shell script, /tmp/I.
Script I has two main functions: first, it creates a new /tmp/.a.PGSQL file. Then a script file named lc is retrieved from the sophosfirewallupdate domain, written to the /tmp directory as .n.sh and executed. This script copies the .lp.sh script (and one other, unnamed here) and attempts to download and execute the b ELF executable from the malicious sophosfirewallupdate website.
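The persistence pattern above (a dot-prefixed backup left beside the boot-time script, commands appended to that script, hidden droppers in /tmp) can be checked offline against a mounted firewall image. The following is an added example, not code from the original report; it assumes the image is mounted at a given root, and the script contents and appended line it uses are constructed placeholders.

```python
"""Triage for the persistence pattern described above: a dot-prefixed backup
left beside the boot-time script, commands appended to the script's end, and
hidden droppers in /tmp. Added example, not code from the original report."""
import os
import tempfile

IOC_PATHS = (  # paths listed in the report's indicator section
    "/tmp/x.sh", "/tmp/.lp.sh", "/tmp/.pg.sh", "/tmp/.n.sh", "/tmp/.a.PGSQL",
    "/tmp/I", "/tmp/b", "/tmp/2own", "/tmp/Info.xg", "/var/newdb/global/.post_MI",
)
SCRIPT = "/scripts/vpn/ipsec/generate_curl_ca_bundle.sh"
BACKUP = "/scripts/vpn/ipsec/.generate_curl_ca_bundle.sh"

def appended_tail(original: str, modified: str):
    """Lines added after the original content, or None if the change is not a pure append."""
    if not modified.startswith(original):
        return None
    return [ln for ln in modified[len(original):].splitlines() if ln.strip()]

def present_iocs(root: str, paths=IOC_PATHS):
    """IOC paths that exist below root (use root='/' on the live box)."""
    return [p for p in paths if os.path.exists(os.path.join(root, p.lstrip("/")))]

def triage(root: str):
    """Run both checks against a firewall filesystem mounted at root."""
    result = {"iocs": present_iocs(root), "backup_present": False, "appended": None}
    bak = os.path.join(root, BACKUP.lstrip("/"))
    cur = os.path.join(root, SCRIPT.lstrip("/"))
    if os.path.exists(bak) and os.path.exists(cur):
        result["backup_present"] = True
        with open(bak) as f1, open(cur) as f2:
            result["appended"] = appended_tail(f1.read(), f2.read())
    return result

def build_sample_image() -> str:
    """Constructed mini image: the script, its backup and one /tmp dropper.
    The appended line is a placeholder; the report does not quote the real one."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "scripts/vpn/ipsec"))
    os.makedirs(os.path.join(root, "tmp"))
    original = "#!/bin/sh\n# bundle CA certs for curl (constructed stand-in)\n"
    with open(os.path.join(root, BACKUP.lstrip("/")), "w") as f:
        f.write(original)
    with open(os.path.join(root, SCRIPT.lstrip("/")), "w") as f:
        f.write(original + "sh /tmp/I  # placeholder for the appended commands\n")
    open(os.path.join(root, "tmp/.lp.sh"), "w").close()
    return root

if __name__ == "__main__":
    print(triage(build_sample_image()))
```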
Data leakage
The malware downloads and executes a file named Sophos.dat from the remote server and saves it to the file system as 2own.
The main task of this malware is data theft: it retrieves the contents of various database tables stored on the firewall and runs operating system commands. At each step, it collects information and temporarily stores it in the firewall's Info.xg file.
First, it tries to determine the firewall's external IP address, initially through the website ifconfig.me and, if that site is unreachable, through checkip.dyndns.org. Next, it queries the firewall's data store and retrieves information about the firewall and its users. The following figure (in the original report) shows the malware's capabilities.
The malware collects firewall information including:
1. License and serial number of the firewall
2. Email addresses of users stored on the device, including the administrator account's email
3. Firewall user names, user names and passwords, and the administrator account password. Passwords are not stored in plain text.
4. The user IDs used for SSL VPN and the list of accounts that connected using the "clientless" VPN.
The malware also queries the firewall's internal database and retrieves the list of IP address allocation permissions for firewall users, as well as information about the device itself: operating system version, CPU type and memory, uptime since the last restart, and the ifconfig and ARP tables.
The malware writes all of this information to Info.xg, packs it with tar, and then encrypts the archive using OpenSSL. The attacker encrypts the file with the Triple-DES algorithm using the word "GUCCI" as the password, uploads it to the server at IP 38.27.99.69, and then deletes the files temporarily created during collection.
IOCs
Network indicators
IPs
43.229.55.44
38.27.99.69
Filesystem paths
/tmp/x.sh
/var/newdb/global/.post_MI
/scripts/vpn/ipsec/generate_curl_ca_bundle.sh (modified)
/scripts/vpn/ipsec/.generate_curl_ca_bundle.sh (original)
/tmp/I
/tmp/.a.PGSQL
/tmp/.n.sh
/tmp/.pg.sh
/tmp/.lp.sh
/tmp/b
/tmp/2own
/tmp/Info.xg
/tmp/%s_.xg.rel
/tmp/%s_.xg.salt
/tmp/ip (result of http://checkip.dyndns.org/ip_dyn)
/tmp/ip_dyn (result of https://ifconfig.me/ip)
The above is the editor's analysis of the Sophos firewall 0day vulnerability; if you have similar questions, you may refer to the analysis above. If you want to learn more, you are welcome to follow the industry information channel.