[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability (0Day)
- To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
- Subject: Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability (0Day)
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 05 Dec 2013 14:00:08 +0100
Document Title:
===============
Sonicwall GMS v7.x - Filter Bypass & Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1099
Bulletin: Dell SonicWALL GMS Service Bulletin for Cross-Site Scripting
Vulnerability
http://www.sonicwall.com/us/shared/download/Support_Bulletin_GMS_Vulnerability_Hotfix_134235.pdf
Release Date:
=============
2013-12-05
Vulnerability Laboratory ID (VL-ID):
====================================
1099
Common Vulnerability Scoring System:
====================================
4.1
Product & Service Introduction:
===============================
Dell SonicWALL`s management and reporting solutions provide a comprehensive
architecture for centrally creating and managing
security policies, providing real-time monitoring and alerts, and delivering
intuitive compliance and usage reports, all from
a single management interface. Whether your organization is a small- or
medium-sized business, a distributed enterprise or a
managed service provider, Dell™ SonicWALL™ offers software and appliance
solutions to meet its needs.
The award-winning Dell SonicWALL Global Management System (GMS®) provides
organizations, distributed enterprises and service
providers with a flexible, powerful and intuitive solution to centrally manage
and rapidly deploy SonicWALL firewall, anti-spam,
backup and recovery, and secure remote access solutions. Flexibly deployed as
software, hardware—in the form of the Universal
Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides
centralized real-time monitoring and comprehensive
policy and compliance reporting to drive down the cost of owning and managing
SonicWALL security appliances. Multiple GMS
software, hardware, and virtual appliance agents, when deployed in a cluster,
can scale to manage thousands of SonicWALL
security appliances. This makes GMS an ideal solution for small- to
medium-sized businesses, enterprises and managed service
providers that have either single-site or distributed multi-site environments.
(Copy of the Vendor Homepage:
http://www.sonicwall.com/emea/en/products/Centralized_Management_Reporting.html
)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent validation
vulnerability in the DELL SonicWall GMS v7.1.x Appliance Web-Application.
Vulnerability Disclosure Timeline:
==================================
2013-09-26: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2013-09-27: Vendor Notification (DELL SonicWall Security Team)
2013-10-09: Vendor Response/Feedback (DELL SonicWall Security Team)
2013-12-04: Vendor Fix/Patch ( DELL SonicWall Developer Team)
2013-12-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL SonicWall
Product: GMS Networks Appliance Application 7.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the
official DELL SonicWall GMS v7.1.x Appliance Web-Application.
The bug allows an attacker (remote) to implement/inject own malicious malicious
script codes on the application-side (persistent).
The persistent vulnerability is located in the `valfield_1` & `value_1` value
parameters of the `Alert Settings` module POST method request.
Remote attackers with low privileged application user account can inject own
script codes to the POST method request of the createNewThreshold.jsp
appliance application file. After the inject the attacker is able to update and
save the values to continue with the execute the main alert
settings module. The execute of the script code occurs in the
ematStaticAlertTypes.jsp file context by the earlier manipulated vulnerable
values.
To bypass the filter it is required to split the request by attaching a double
frame for the script code execute. The restricted application itself
disallows the POST request of guest by usage of the unrestricted context POST
method request attackers are able to bypass the filter & exception-handling.
The security risk of the persistent input validation web vulnerability is
estimated as high(-) with a cvss (common vulnerability scoring system)
count of 4.1(+). The coordinated disclosure procedure of the remote
vulnerability has been navigated by the product manager Wilson Lee (DELL).
The hotfix and information has been provided in cooperation with the
vulnerability-laboratory.
Exploitation of the persistent web vulnerability requires low user interaction
and a local low privileged (guest) web application user account.
Successful exploitation of the vulnerability can lead to persistent session
hijacking (customers), account steal via persistent web attacks,
persistent phishing or persistent manipulation of vulnerable module context.
Vulnerable Application(s):
[+] DELL - SonicWall GMS v7.1.x Appliance
Application
Vulnerable Module(s):
[+] Alert Settings > NewThreshold
Vulnerable File(s):
[+] createNewThreshold.jsp >
ematStaticAlertTypes.jsp
Vulnerable Parameter(s):
[+] valfield_1
[+] value_1
Affected Module(s):
[+] createNewThreshold
[+] ematStaticAlertTypes
[+] Alert Settings - Main Listing
Affected Product(s):
[+] Dell SonicWALL GMS
[+] Dell SonicWALL Analyzer
[+] Dell SonicWALL UMA E5000
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote
attackers with low privileged or restricted guest accounts and
low user interaction. For security demonstration or reproduce the vulnerability
follow the information and steps below.
Location: Alert Settings
http://gms.localhost:8080/sgms/panelManager?panelidz=1&level=1&typeOfUnits=0#
Inject via Add: Edit contents for alert type: Backed-Up Syslog Files
http://gms.localhost:8080/sgms/ematStaticAlertTypes.jsp?
Execute: Create New Threshold
http://gms.localhost:8080/sgms/createNewThreshold.jsp?
Affected:
http://gms.localhost:8080/sgms/auth
Manual steps to reproduce ...
1. Open the Sonicwall GMS appliance application and login with full
restrictions as guest
2. Switch to the vulnerable Console > Events > Alert Settings section
3. Click Add Alert and a new blank window of the application will be opened
4. Click in the upcomings window in the Alert Types section the Edit Content
link
5. Now, a new window opens "Edit contents for alert type: Backup Sys-Log Files
6. On top is a little plus button next to the Threshold value
9. A new window opens with Elements box ... Inject your payload (script code)
to the description eval in the operator fields
10. After the inject to the input fields the attacker only needs to click the
Add Element button on the buttom of the page
11. The code will be directly executed and is persistent saved as element in
the specific section
12. Save the input via update and go back to the alert settings main section
were the code execute occurs in the same connected value
13. Successful reproduced!
PoC: Alert Settings - Create New Threshold
Critical</option></select> </td><td class="tblData2" width="1">
<img src="Create%20New%20Threshold_files/1x1trans.gif"></td><td
class="tblData2" align="center"
nowrap="nowrap"><input class="controlFont" name="disabled" value="1"
type="checkbox"></td>
<td class="tblData2" width="1"><img
src="Create%20New%20Threshold_files/1x1trans.gif"></td>
<td class="tblData2" align="center" nowrap="nowrap"><a href="#"
onclick="deleteElement(1);">
<img src="Create%20New%20Threshold_files/trash.gif" alt="Delete this
destination" border="0"></a></td>
<td class="tblData2" width="1"><img
src="Create%20New%20Threshold_files/1x1trans.gif"></td></tr><tr><td></td>
<td class="tblData2" width="1"><img
src="Create%20New%20Threshold_files/1x1trans.gif"></td><td colspan="5"
class="tblData2" align="left" nowrap="nowrap"> <font
class="controlfont">Description: </font>
<input class="controlfont" size="64" name="description"
value="is equal to >" <[PERSISTENT INJECTED SCRIPT CODE!]" type="text">
>"<[PERSISTENT INJECTED SCRIPT CODE!]">"
onkeyup="enableAutoDesc(1,0);"></td><td class="tblData2"
width=1><img src="images/1x1trans.gif"></td>
Note: Please, feel free to read also the patch information provided in the
solution section of the advisory document.
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse, prevention filter mechanism
or clean encode of the vulnerable value_1 and valfield_1 parameters.
Also restrict and escape the affected input field and output listing in the
connected modules.
Resolution (DELL SonicWall):
We recommend existing users of Dell SonicWALL GMS/Analyzer/UMA 7.1 to apply SP1
(if they have not already done so), and then apply Hotfix 134235 to prevent
cross-site scripting by unauthorized users. 7.1 SP1 and the Hotfix are
available for download from www.mysonicwall.com. Users should log into
mySonicWALL and click on Downloads > Download Center in the navigation panel on
the left, then select “GMS/Analyzer” in the Software Type drop down menu.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability with
filter bypass is estimated as medium(+).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx