Trustwave Secure Web Gateway (SWG) through 11.8.0.27 allows remote attackers to append an arbitrary public key to the device's SSH Authorized Keys data, and consequently obtain remote root access, via the publicKey parameter to the /sendKey URI.
Trustwave Secure Web Gateway (SWG) devices are vulnerable to a critical flaw allowing remote attackers to gain root access by injecting their SSH public key. This vulnerability, exploitable via a simple HTTP request, grants complete control over the device, enabling data exfiltration and further compromise of the network.
Step 1: Target Identification: Identify a vulnerable Trustwave SWG device. This can be done through network scanning or information gathering.
Step 2: Payload Preparation: Craft an SSH public key. This key will be used for remote access.
Step 3: Payload Delivery: Send a specially crafted HTTP POST request to the /sendKey URI. The request includes the attacker's SSH public key in the publicKey parameter.
Step 4: Key Injection: The Trustwave SWG device appends the attacker's public key to the authorized_keys file.
Step 5: Remote Access: The attacker uses their private key to establish an SSH connection to the device, gaining remote root access.
The vulnerability stems from insufficient input validation on the /sendKey URI, specifically the publicKey parameter. The application fails to properly sanitize or restrict the input before appending it to the authorized_keys file. This allows an attacker to inject a malicious SSH public key, granting them unauthorized access. The root cause is a lack of proper access control and input validation, leading to a direct path for attackers to modify a critical system file. The flaw is likely due to a missing or inadequate security check on the publicKey parameter, allowing arbitrary data to be written to a sensitive file. This is a classic example of an authentication bypass vulnerability.