Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2022-3236: Sophos Firewall User Portal and Web Admin Code Injection - 973

Zero Day Initiative Posted 3 Years Ago
  • Sophos Firewall is a network security solution that can be deployed essentially anywhere. The application exposes a web admin console on port 4444 and a user portal on port 443.
  • The application uses Jetty as a web server, sits behind Apache, and is written in Java. An additional local server does a fair amount of the work downstream, and that service validates JSON via a Perl script.
  • Each field name is associated with a JSON object describing the mapping between field values and object names in Perl. In order to do this, in some cases, the eval() function is used to turn the JSON data into Perl objects.
  • Overall, the bug is a fun code injection attack with a weird flow. The article is incredibly verbose, explaining the interworkings of JSON and HTTP along the way. Additionally, the attack path through the code is described in excruciating detail without much context. I wish the report were less verbose, as it makes it hard to find the code stuff.