List: full-disclosure
Subject: [Full-disclosure] SonicWall Email Security Appliance v7.4.1.7429 - Persistent Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2012-12-27 19:15:27
Message-ID: 50DC9E4F.4050004 () vulnerability-lab ! com
Title:
======
SonicWall Email Security Appliance v7.4.1.7429 - Persistent Web Vulnerability
Date:
=====
2012-12-21
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=768
VL-ID:
=====
768
Common Vulnerability Scoring System:
====================================
4.1
Introduction:
=============
While most businesses now have some type of anti-spam protection, many must deal with
cumbersome management, frustrated users, inflexible solutions, and a higher-than-expected
total cost of ownership. SonicWALL ® Email Security can help. Elegantly simple to deploy,
manage and use, award-winning SonicWALL Email Security solutions employ a variety of proven
and patented technology designed to block spam and other threats effectively, easily and
economically. With innovative protection techniques for both inbound and outbound email plus
unique management tools, the Email Security platform delivers superior email protection
today—while standing ready to stop the new attacks of tomorrow.
SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a
software application on a third party Windows ® server, or as a SonicWALL Email Security
Virtual Appliance in a VMW ® environment. The SonicWALL Email Security Virtual Appliance
provides the same powerful protection as a traditional SonicWALL Email Security appliance,
only in a virtual form, to optimize utilization, ease migration and reduce capital costs.
(Copy of the Vendor Homepage:
http://www.sonicwall.com/us/products/Anti-Spam_Email_Security.html)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the
official Dell SonicWall Email Security (7.4.1.7429) application.
Report-Timeline:
================
2012-11-18: Researcher Notification & Coordination
2012-11-20: Vendor Notification
2012-11-21: Vendor Response/Feedback
2012-12-17: Vendor Fix/Patch (v7.4.2)
2012-12-21: Public Disclosure
Status:
========
Published
Affected Products:
==================
DELL
Product: SonicWall - Email Security v7.4.1.7429
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
A persistent input validation vulnerability was detected in the official Dell SonicWall Email
Security (7.4.1.7429) application. This type of vulnerability allows an attacker to inject
malicious script code of their own into the vulnerable module on the application side (persistent).
The vulnerability is located in the Host Konfiguration > Einstellungen für
CIFS-Bereitstellung section. It occurs when a request sent via the `Bereitstellung testen` module
processes the bound vulnerable application parameters [Name des freigegebenen Laufwerks],
[Benutzer-ID für Remoteanmeldung] and [Kennwort für Remoteanmeldung]. The persistently injected
script code is executed directly out of the `system command failed` web application
exception handling.
The vulnerability can be exploited with a low-privileged (restricted) application user account
and low or medium required user interaction. Successful exploitation of the vulnerability
results in persistent session hijacking, persistent phishing, external redirects, external
malware loads and persistent manipulation of the vulnerable module context.
Vulnerable Section(s):
[+] System > Host Konfiguration > Einstellungen für CIFS-Bereitstellung
Vulnerable Module(s):
[+] [Bereitstellung testen] - Exception Handling
Vulnerable Parameter(s):
[+] [Name des freigegebenen Laufwerks] [Benutzer-ID für Remoteanmeldung] [Kennwort für Remoteanmeldung]
Proof of Concept:
=================
The persistent web vulnerabilities can be exploited by remote attackers with a low-privileged
application user account and low required user interaction. For demonstration or reproduce ...
Review: [Bereitstellung testen] - Exception Handling [System Command Failed]
<div id="modalText" class="bubble_text">{ 127.0.0.1:337 →"><[PERSISTENT INJECTED SCRIPT CODE!]")" <="" } <br=""><[PERSISTENT INJECTED SCRIPT CODE!]>System command failed.</div>
Review: settings_host_config.html
<div id="contentSection">
<div style="border-radius: 10px 10px 10px 10px; display: none;" id="modalBubble" class="warning_bubble_content">
<div id="modalTitle" class="bubble_title">Aktualisieren.</div>
<div id="modalText" class="bubble_text">{ 127.0.0.1 → "><[PERSISTENT INJECTED SCRIPT CODE!];)" <="" }<br=""> <[PERSISTENT INJECTED SCRIPT CODE!]>System command failed.</div>
</div>
Solution:
=========
To fix the persistent web vulnerabilities, parse the parameter listing in the exception-handling
output. Restrict the input fields (parameters) and disallow special characters and obviously
forbidden strings.
2012-12-17: Vendor Fix/Patch (v7.4.2)
Note: The vulnerability was addressed by SonicWall in December 2012.
SonicWall provides all customers with an upgrade/update to version 7.4.2.
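
Added example (not part of the original advisory and not SonicWall code): a sketch of the two
measures named in the solution, input restriction on the CIFS fields and encoding of the values
echoed by the exception handler. The function names, the allow-list patterns and the template
are assumptions modelled on the modalText markup quoted in the proof of concept.

```python
import html
import re

# Assumed allow-lists (not from the advisory): conservative character sets
# for an SMB share name and a remote login ID such as DOMAIN\user.
SHARE_RE = re.compile(r"[A-Za-z0-9._$-]{1,80}")
USER_RE = re.compile(r"[A-Za-z0-9._@\\-]{1,64}")

# Hypothetical template modelled on the modalText markup quoted above.
BUBBLE = ('<div id="modalText" class="bubble_text">{{ {host} \u2192 {share} '
          '{user} }}<br>System command failed.</div>')


def validate_cifs_settings(share, user):
    """Return the names of fields that fail the allow-list (empty list = ok)."""
    errors = []
    if not SHARE_RE.fullmatch(share):
        errors.append("share")
    if not USER_RE.fullmatch(user):
        errors.append("user")
    return errors


def render_error_unsafe(host, share, user):
    """Pre-fix pattern: stored values are concatenated into HTML unencoded."""
    return BUBBLE.format(host=host, share=share, user=user)


def render_error_safe(host, share, user):
    """Encode every dynamic value for the HTML context before output.

    The password is deliberately not a parameter: a secret has no place in
    an error message, encoded or not.
    """
    return BUBBLE.format(host=html.escape(host, quote=True),
                         share=html.escape(share, quote=True),
                         user=html.escape(user, quote=True))


# Constructed, inert probe value (harmless markup, no script).
PROBE = '"><b id="probe">x</b>'

if __name__ == "__main__":
    print(validate_cifs_settings(PROBE, "admin"))
    print(render_error_unsafe("127.0.0.1", PROBE, "admin"))
    print(render_error_safe("127.0.0.1", PROBE, "admin"))
```

Validation rejects the value at save time; the encoding step still matters because values stored
before the fix, or arriving through another path, reach the same error bubble.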
Risk:
=====
The security risk of the persistent web vulnerabilities is estimated as medium(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or
its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires
authorization from Vulnerability Laboratory. Permission to electronically redistribute this
alert in its unmodified form is granted. All other rights, including the use of other media,
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, sourcecode, videos and other information on this website is trademark of
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use
or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to
get a permission.
Copyright © 2012 | Vulnerability Laboratory
--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/