[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Dell SonicWall GMS v7.2.x - Persistent Web Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2014-10-23 11:39:39
Message-ID: 5448E8FB.2070206 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
Dell SonicWall GMS v7.2.x - Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1222
Release Date:
=============
2014-10-21
Vulnerability Laboratory ID (VL-ID):
====================================
1222
Common Vulnerability Scoring System:
====================================
3
Product & Service Introduction:
===============================
Dell SonicWALL`s management and reporting solutions provide a comprehensive architecture for \
centrally creating and managing security policies, providing real-time monitoring and alerts, \
and delivering intuitive compliance and usage reports, all from a single management interface. \
Whether your organization is a small- or medium-sized business, a distributed enterprise or a \
managed service provider, Dellâ„¢ SonicWALLâ„¢ offers software and appliance solutions to meet \
its needs.
The award-winning Dell SonicWALL Global Management System (GMS) provides organizations, \
distributed enterprises and service providers with a flexible, powerful and intuitive solution \
to centrally manage and rapidly deploy SonicWALL firewall, anti-spam, backup and recovery, and \
secure remote access solutions. Flexibly deployed as software, hardware—in the form of the \
Universal Management Appliance (UMA)—or a virtual appliance, SonicWALL GMS also provides \
centralized real-time monitoring and comprehensive policy and compliance reporting to drive \
down the cost of owning and managing SonicWALL security appliances. Multiple GMS software, \
hardware, and virtual appliance agents, when deployed in a cluster, can scale to manage \
thousands of SonicWALL security appliances. This makes GMS an ideal solution for small- to \
medium-sized businesses, enterprises and managed service providers that have either \
single-site or distributed multi-site environments.
(Copy of the Vendor Homepage: \
http://www.sonicwall.com/emea/en/products/Centralized_Management_Reporting.html )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent validation vulnerability in \
the official DELL SonicWall GMS v7.2.x appliance web-application.
Vulnerability Disclosure Timeline:
==================================
2014-10-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
DELL
Product: SonicWall GMS Networks Appliance Application 7.2
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent mail encoding web vulnerability has been discovered in the official DELL SonicWall \
GMS v7.2.x appliance web-application. The security issue allows remote attackers with low \
privileged user account to inject own malicious script codes to the application-side of the \
vulnerable service module.
The vulnerability is located in the `Console > Management > Settings > GMS Settings` module. \
Remote attackers and low privileged web-application user accounts are able to inject own \
malicious script code context as notification value. The vulnerable user context with log files \
or information notification messages (input) will be send to the internal web-server through \
the firewall. The data of the POST method request in the input, executes without a secure \
encoding or a restriction on the input in the web-application appliance. The persistent \
execution of the script code occurs in the mail notification that gets send by the appliances \
directly to users or via the interval count. In case of the second provided scenario the \
application generated a pdf report with malicious script code in the mail body message.
The issue impact a risk to the full appliance web-application get compromised beause the send \
mail notifications is wrong encoded and the internal encode is broken too. Regular the stored \
values must be secure encoded and parsed to prevent persistent executions in the appliance \
mails. The attack vector is persistent on the application-side of the vulnerable service and \
the request method to inject the payload is POST.
The security risk of the persistent input validation web vulnerability is estimated as medium \
with a cvss (common vulnerability scoring system) count of 3.0. Exploitation of the \
vulnerability requires a low privileged application user account and low user interaction. \
Successful exploitation of the vulnerability results in session hijacking, persistent phishing \
attacks, persistent external redirect via mail and persistent manipulation of affected or \
connected module context.
Vulnerable Module(s):
[+] Console > Management > Settings > GMS Settings
Vulnerable Parameter(s):
[+] message body > table
Affected Service(s):
[+] admin@sonicwall.com (test > livedemo-admin@sonicwall.com)
Note: All other modules sending user values of non restricted input throught the appliance \
back. (logs, updates ...)
Proof of Concept (PoC):
=======================
The persistent mail encoding web vulnerability can be exploited by remote attackers with low \
privileged application user account and low user interaction. For security demonstration or to \
reproduce the vulnerability follow the provided information and steps below to continue.
Information of requirements:
- The template to send notification alerts needs to be send to the
Default html (example: http://gms.demo.sonicwall.com/sgms/auth > )
- The Console > Management > Settings section needs to be linked to the
appliance demo email address (example: livedemo-admin@sonicwall.com)
- The Alert of the notification with the pdf summery report of the
archiv needs to be redirected to the testmail like in our case
(bkm@evolution-sec.com)
PoC: message body > table
<html>
<head>
<title><iframe src=a>%20<iframe> <iframe src=a>%20<iframe></title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" \
class="header-part1"><tr><td><b>Betreff: </b><a>%20<x> <a>%20<x></td></tr><tr><td><b>Von: \
</b>x@sonicwall.com</td></tr><tr><td><b>Datum: </b>07.03.2014 00:15</td></tr></table> <table \
border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: \
</b>bkm@evolution-sec.com</td></tr></table><br> <[PERSISTENT INJECTED SCRIPT \
CODE!]>%20<iframe><br> <br>
<br>
<br>
Powered by Dell SonicWALL GMS</body>
</html>
Reference(s):
http://gms.localhost:4872/sgms/
http://gms.localhost:4872/sgms/panelManager
http://gms.localhost:4872/sgms/panelManager?panelidz=1
http://gms.localhost:4872/sgms/panelManager?panelidz=1&level=1&typeOfUnits=0#
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure encode and parse of the input values in the \
message body context Filter and restrict context of send mails through the application and the \
web-server of the sonicwall gms appliance. The issue has already been patched by the dell \
security team in cooperation with the vulnerability-lab during the year 2014.
Security Risk:
==============
The security risk of the persistent mail encoding and validation web vulnerability is estimated \
as medium. (CVSS 3.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) \
[www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, \
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - \
admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - \
magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use \
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to \
get a permission.
Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic