Document Title:
===============
SonicWall UTM ES WAF - Input Filter Bypass Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=545

Release Date:
=============
2012-08-12

Vulnerability Laboratory ID (VL-ID):
====================================
545

Common Vulnerability Scoring System:
====================================
3.2

Product & Service Introduction:
===============================
SonicWALL is a private company headquartered in San Jose, CA. It sells a range of internet appliances primarily directed at content control and network security. These include devices providing services for network firewalls, UTMs (Unified Threat Management), VPNs (Virtual Private Network), backup and recovery, and anti-spam for email. The company also markets information subscription services related to its products, and its solutions are positioned to address HIPAA and PCI compliance requirements. On March 13, 2012, USA Today reported that Dell had announced its intent to acquire SonicWall, a company with 130 patents and 950 employees; the transaction was expected to close in May 2012.

(Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/SonicWALL )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an input filter restriction bypass in SonicWall's UTM, ES and WAF applications.

Vulnerability Disclosure Timeline:
==================================
2012-05-02: Researcher Notification & Coordination
2012-05-03: Vendor Notification
2012-05-12: Vendor Response/Feedback
2012-08-14: Public Disclosure
2012-09-01: Vendor Fix/Patch

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Local

Severity Level:
===============
Low

Technical Details & Description:
================================
A filter weakness and bypass vulnerability has been detected in SonicWall's UTM, ES and WAF applications and security appliance products. The vulnerability allows an authenticated user with privileged access to the management interface to bypass the input validation applied to configuration-setting input fields. The bypass is located in the exception handling of the input filter: the save routine rejects double quotes, standard script alert payloads and frame tags, but does not reject script code delivered through an event-handler attribute (such as onload) that is written without double quotes. Successful exploitation leads to persistent script code injection, with the stored script executing in the appliance's web context whenever the affected listing is rendered. Possible consequences are session hijacking, persistent manipulation of the module context, phishing and account theft.

Vulnerable Module(s):
[+] Input Validation - Exception Filter Restriction

Proof of Concept (PoC):
=======================
The restriction bypass can be exploited by privileged user accounts to store script code that is executed persistently. To explain how the problem was detected, the example of the related vulnerability documented in the following advisory is used:

URL: http://www.vulnerability-lab.com/get_content.php?id=543

1. Log in and switch to the Virenschutzverfahren module of the appliance (the module name as shown in the German-language interface; literally "virus protection procedure").
2. Go to the vulnerable input field `floodMsgThreshold`.
   Note: The floodMsgThreshold value and the requests shown in the listing are restricted by the save function's parser, which rejects double quotes, standard script alert payloads and frame tags.
3. Insert an obfuscated script string that uses an onload handler and contains no double quotes; the restricted save function does not catch it.
4. Result: the stored script executes persistently in the web context of the listing module.

PoC: >>>
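The filter behaviour described in the technical details and the PoC steps above can be modelled in a few lines. The following is an added example written for this page, not SonicWall code and not the researchers' payload: it reproduces a deny-list save filter of the kind the advisory describes (double quotes, standard script blocks and frame tags stripped), shows that an onload handler with no double quotes and no literal script tag passes straight through, and contrasts it with contextual output encoding and type validation, which are the checks that actually close the hole. The function names, the payload and the sample inputs are constructed for illustration.

```javascript
// Added example (not SonicWall code): a deny-list "save" filter of the kind the
// advisory describes, beside the bypass and a context-aware encoder that closes
// it. All inputs below are constructed for illustration.

// Deny-list filter modelled on the advisory's description: the save handler
// strips double quotes, standard <script>...</script> blocks and frame tags,
// then stores whatever is left and later renders it unescaped in the listing.
function naiveSaveFilter(value) {
  return value
    .replace(/"/g, "")                                    // double quotes
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "") // standard script block
    .replace(/<\/?i?frame\b[^>]*>/gi, "");                // frame tags
}

// Payload in the style step 3 describes: no double quotes, no <script> tag and
// no literal alert( call; the call is rebuilt from char codes inside an onload
// handler, so none of the deny-list patterns match. (Constructed for this example.)
const BYPASS_PAYLOAD =
  "<svg onload=eval(String.fromCharCode(97,108,101,114,116,40,49,41))>";

// Detection helper: does a stored value still carry an HTML event handler?
// This is the check a reviewer would run against the filter's output.
function containsEventHandler(stored) {
  return /<[^>]*\bon[a-z]+\s*=/i.test(stored);
}

// The fix is not a longer deny list but contextual output encoding: a value
// rendered into HTML text or an attribute is entity-encoded on the way out, so
// no character can open a tag, close an attribute or introduce a handler.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => `&#${ch.charCodeAt(0)};`);
}

// Input-side rule for a numeric setting such as floodMsgThreshold: validate the
// type instead of scrubbing markup. Returns the integer, or null when rejected.
function parseThreshold(value) {
  return /^\d{1,9}$/.test(value) ? Number(value) : null;
}

// Demo run
const blocked = naiveSaveFilter('<script>alert("x")</script>');
const leaked = naiveSaveFilter(BYPASS_PAYLOAD);
console.log("standard payload after filter:", JSON.stringify(blocked));            // ""
console.log("obfuscated onload survives filter:", containsEventHandler(leaked));    // true
console.log("encoded for output:", encodeForHtml(BYPASS_PAYLOAD));
console.log("threshold parse:", parseThreshold("250"), parseThreshold(BYPASS_PAYLOAD)); // 250 null
```

The point of the contrast is that `naiveSaveFilter` and `containsEventHandler` can be extended forever and still lose to the next encoding trick, whereas `encodeForHtml` applied at render time and `parseThreshold` applied at save time leave nothing for an event handler to attach to.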