SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Encryption/VPN)  >   Dell SonicWALL Vendors:   SonicWALL
SonicWALL Global Security Client System Tray Icon Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1022283
SecurityTracker URL:  http://securitytracker.com/id/1022283
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 27 2009
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): SonicWALL Global Security Client version 1.0.0.15
Description:   A vulnerability was reported in SonicWALL Global Security Client. A local user can obtain elevated privileges on the target system.

A local user can right-click on the System Tray applet and open a command shell (via the "log", "Event Viewer", "Open Log File ..." menus) with System privileges.

The vendor was notified on October 25, 2006.

The original advisory is available at:

https://www.sec-consult.com/advisories_e.html#a56

lofi42 of SEC Consult reported this vulnerability.

Impact:   A local user can obtain System level privileges on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sonicwall.com/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] SEC Consult SA-20090525-2 :: SonicWALL Global

SEC Consult Security Advisory < 20090525-2 >
==========================================================================
              title: SonicWALL Global Security Client Local Privilege 
                     Escalation Vulnerability        
            program: SonicWALL Global Security Client
 vulnerable version: 1.0.0.15 and possibly other versions
           homepage: http://www.sonicwall.com
              found: October 2006
                 by: lofi42
     permanent link: https://www.sec-consult.com/advisories_e.html#a56
==========================================================================

Vendor description:
-------------------

The SonicWALL Global Security Client offers IT professionals the
capability to manage a mobile user’s online access, based upon corporate
policies, in order to ensure optimal security of the network and
maximize network resources. Instant messaging, high-risk Web sites and
network file access can all be allowed or disallowed as security and
productivity concerns dictate. 

[source:
http://www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf]


Vulnerability overview:
-----------------------

Local exploitation of a design error in SonicWALLs Global Security
Client could allow attackers to obtain increased privileges.


Vulnerability description:
--------------------------

The problem specifically exists because SYSTEM privileges are not
dropped when accessing the GSC properties from the System Tray applet.
The vulnerability can be exploited by right-clicking the System Tray
icon, choosing "Log", right click "Event Viewer", "Open Log File...".
The opened file selected can be abused by navigating to C:\WINDOWS
\SYSTEM32\, right-clicking cmd.exe, then selecting "Open"; doing so
spawns a command shell with SYSTEM privileges.


Proof of concept:
-----------------

This vulnerability can be exploited without any special exploit code.


Vendor contact timeline:
------------------------

2006:       Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release


Patch:
------

SEC Consult was not able to get any vendor feedback on this issue. We
are currently not aware of a patch or workaround.


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC