SECURITYVULNS:DOC:27129
Oct 04, 2011 - 12:00 a.m.

Multiple vulnerabilities in SonicWall

vulners.com

While pentesting a Wi-Fi network for a customer, we found some vulnerabilities in the SonicWall NSA 4500. You can find details here:

http://www.pentest.es/vulns_sonicpoint.txt


Title:

SonicWall products with incompatible MAC spoofing protection

Date:

2011-09-29

Introduction:

The SonicWall NSA 4500 product has a MAC spoofing protection option that can be activated in wireless networks on a per-ESSID basis. This protection does not work if the access point is a SonicPoint. No warning or notice is presented to the administrator, which means that the protection will be active but not working. This vulnerability was detected while pentesting a customer Wi-Fi deployment with that configuration: SonicWall NSA 4500 + SonicWall SonicPoints.

Report-Timeline:

2011-09-26: Vendor Notification
2011-09-28: Vendor Final Response

The vendor has confirmed the bug via customer support response.

Affected Products:

SonicWall NSA 4500 + SonicWall SonicPoints

Exploitation-Technique:

Common ARP spoofing attacks.

Severity:

High. Customers do not know they are unprotected even though they have MAC spoofing protection activated.
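The advisory's point is that the firewall's MAC spoofing protection is silently inactive behind SonicPoints, so ARP spoofing on the WLAN would go unnoticed by the administrator. As an added, defender-side example (not part of the advisory and not SonicWall code), the following Python implements the arpwatch-style check that a sensor on the same segment can run independently of the firewall: it learns IP-to-MAC bindings, pins the gateway's binding, and alerts when an IP is announced with a different MAC or when one MAC answers for several IPs. The gateway address, MAC addresses and ARP replies are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sensor would record it: timestamp, sender IP, sender MAC."""
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample; not a capture from any real network. Assumed gateway 192.168.1.1.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:01"
SAMPLE_REPLIES = [
    ArpReply(0.0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(1.0, "192.168.1.50", "00:11:22:33:44:50"),
    ArpReply(2.0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(3.0, GATEWAY_IP, "00:11:22:33:44:50"),  # station .50 now answers for the gateway
    ArpReply(4.0, GATEWAY_IP, "00:11:22:33:44:50"),
]


def binding_change_alerts(replies, trusted=None):
    """arpwatch-style check: alert whenever an IP is announced with a MAC other than the one
    first seen, or, for IPs in `trusted`, other than the pinned MAC. Pinned bindings are never
    overwritten, so every further reply from the impostor keeps alerting; learned bindings
    follow the change so that a flip-flop between two MACs is reported each time."""
    trusted = dict(trusted or {})
    learned = {}
    alerts = []  # (ts, ip, expected_mac, observed_mac)
    for r in replies:
        expected = trusted.get(r.sender_ip, learned.get(r.sender_ip))
        if expected is None:
            learned[r.sender_ip] = r.sender_mac
        elif expected != r.sender_mac:
            alerts.append((r.ts, r.sender_ip, expected, r.sender_mac))
            if r.sender_ip not in trusted:
                learned[r.sender_ip] = r.sender_mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """Second signal: a single MAC answering for several IPs (its own and the gateway's)."""
    ips = defaultdict(set)
    for r in replies:
        ips[r.sender_mac].add(r.sender_ip)
    return {mac: sorted(s) for mac, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    for alert in binding_change_alerts(SAMPLE_REPLIES, {GATEWAY_IP: GATEWAY_MAC}):
        print("binding change:", alert)
    print("multi-IP MACs:", macs_claiming_multiple_ips(SAMPLE_REPLIES))
```

Pinning the gateway binding is what makes the check useful on a network where the firewall's own protection cannot be relied upon: a learned-only table would accept the impostor after the first alert, while a pinned table keeps alerting for as long as the spoofed replies continue.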

Details:


Title:

SonicWall web admin interface multiple code injection vulnerabilities

Date:

2011-09-29

Introduction:

The SonicWall NSA 4500 web admin interface offers the option to customize some web pages directly from the admin interface. For this, the web interface has forms where the admin can enter the code and test it via a preview feature. This preview feature renders the page and executes all the JavaScript code inside it in the web admin security context, which leads to many traditional attacks, such as XSS and session hijacking.

Report-Timeline:

Not reported.

Affected Products:

SonicWall NSA 4500

Exploitation-Technique:

Common code injection techniques (XSS)

Severity:

Medium.

Details:

To reproduce the flaw, go to main.html, Users->Settings, and enter arbitrary code in the "Login page content" field; it will be executed in the admin context. This behaviour is a dangerous feature of the web admin interface, because it can be exploited and triggered in several ways by an attacker. Fields other than "Login page content" can be exploited in the same way.
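The described behaviour and the usual fix, side by side, as an added Python example (not the advisory's or SonicWall's code): the vulnerable handler returns the admin-supplied "Login page content" as live markup on the admin origin, so its scripts run with the administrator's session, while the hardened handler renders the same markup inside a sandboxed iframe whose opaque origin keeps any script it contains away from the administrator's DOM, cookies and storage. The handler names, the (status, headers, body) response shape and the sample content are assumptions for illustration.

```python
import html

# Constructed sample of admin-supplied "Login page content": markup plus a script.
SAMPLE_CUSTOM_CONTENT = '<h1>Corporate login</h1><script>document.title = "preview";</script>'


def vulnerable_preview(custom_html):
    """The behaviour the advisory describes: the submitted markup is echoed as-is into a page
    served from the admin origin, so any script in it runs with the administrator's session."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    body = f"<!doctype html><html><body>{custom_html}</body></html>"
    return 200, headers, body


def hardened_preview(custom_html):
    """Render the same markup inside a sandboxed iframe. Without 'allow-same-origin' the frame
    gets an opaque origin: its scripts still run (allow-scripts), so the preview is faithful,
    but they cannot read the admin page's DOM, cookies or storage, and without
    'allow-top-navigation' they cannot redirect the admin session either."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    # The markup is carried in the srcdoc attribute, so it must be attribute-escaped; the
    # browser unescapes it when it builds the frame's document.
    srcdoc = html.escape(custom_html, quote=True)
    body = (
        "<!doctype html><html><body>"
        "<h2>Login page preview</h2>"
        '<iframe sandbox="allow-scripts allow-forms" referrerpolicy="no-referrer" '
        f'srcdoc="{srcdoc}"></iframe>'
        "</body></html>"
    )
    return 200, headers, body


def preview_is_isolated(body):
    """Heuristic regression check for the handler: the custom markup must appear only as an
    escaped srcdoc value inside a sandboxed frame, never as live markup of the admin page."""
    return 'sandbox="' in body and "allow-same-origin" not in body and "<script" not in body


if __name__ == "__main__":
    _, _, vulnerable_body = vulnerable_preview(SAMPLE_CUSTOM_CONTENT)
    _, _, hardened_body = hardened_preview(SAMPLE_CUSTOM_CONTENT)
    print("vulnerable isolated:", preview_is_isolated(vulnerable_body))
    print("hardened isolated:  ", preview_is_isolated(hardened_body))
    print(hardened_body)
```

The sandbox attribute does the real work here; escaping alone would defeat the purpose of a preview, since the administrator legitimately wants the markup rendered. Marking the session cookie HttpOnly is a complementary measure: it keeps the cookie value out of reach of script even if some other injection point is missed.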


Title:

SonicWall weak HTTP session IDs

Date:

2011-09-29

Introduction:

The SonicWall NSA 4500 web admin interface generates session IDs that are stored in the "SessId" cookie variable. The IDs are guessable via brute force, which leads to admin session hijacking.

Report-Timeline:

Not reported.

Affected Products:

SonicWall NSA 4500

Exploitation-Technique:

To brute force, just make requests like this:

GET /log.wri HTTP/1.0
Host: 123.123.123.123
Connection: close
User-Agent: brute-forcing
Cookie: SessId=111111111

Where SessId is the value being brute-forced (it should change with every request) and Host is the SonicWall IP.

A failed guess gets a 404 HTTP response. A successful guess gets a 200 HTTP response and shows the SonicWall logs.

Severity:

Medium.

Details:

HTTP "SessId" brute force. From a LAN, 10% of all IDs can be brute-forced in 1 day. The more administrators are logged in, the more dangerous the scenario and the easier the brute-force attack.
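To put the Details section in numbers and give defenders something to run, the following added Python example (not the advisory's or SonicWall's code) does three things: it estimates the hijack probability for a numeric ID space of 10**9 (an assumption taken from the 9-digit sample cookie; the advisory does not describe the real generator) against a 256-bit random token, shows how the probability grows with the number of logged-in administrators, and flags ID guessing in constructed web-server log lines in which the Cookie request header is logged. It also shows a replacement generator and cookie attributes. The log format, addresses and ID values are constructed.

```python
import math
import re
import secrets
from collections import defaultdict

# Assumption: the advisory's sample cookie "SessId=111111111" suggests a 9-digit decimal ID,
# i.e. a keyspace of 10**9. The real generator is not described in the advisory.
NUMERIC_ID_SPACE = 10 ** 9
STRONG_TOKEN_BYTES = 32  # 256 bits of OS randomness


def hit_probability(space, active_sessions, guesses):
    """Probability that `guesses` random IDs hit at least one of `active_sessions` valid IDs
    in a space of `space` values. Models guessing with replacement, 1 - (1 - k/N)^n; an
    exhaustive sweep without repeats does slightly better, so this is a mild lower bound."""
    p_single = active_sessions / space
    return -math.expm1(guesses * math.log1p(-p_single))


def guesses_for_probability(space, active_sessions, target):
    """Inverse of hit_probability: guesses needed to reach `target` probability."""
    return math.ceil(math.log1p(-target) / math.log1p(-active_sessions / space))


def new_session_id():
    """Replacement generator: 256 bits from the CSPRNG as URL-safe base64 (43 characters)."""
    return secrets.token_urlsafe(STRONG_TOKEN_BYTES)


def set_cookie_header(session_id):
    """Cookie attributes that keep the ID away from injected script and plain-HTTP capture."""
    return f"SessId={session_id}; Path=/; Secure; HttpOnly; SameSite=Strict"


# Detection side. Constructed log lines (not from a real device) in a combined-log style
# where the Cookie request header is logged as the final quoted field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)

SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2011:10:00:01 +0200] "GET /log.wri HTTP/1.0" 404 0 "SessId=111111111"
10.0.0.5 - - [04/Oct/2011:10:00:01 +0200] "GET /log.wri HTTP/1.0" 404 0 "SessId=111111112"
10.0.0.5 - - [04/Oct/2011:10:00:01 +0200] "GET /log.wri HTTP/1.0" 404 0 "SessId=111111113"
10.0.0.9 - - [04/Oct/2011:10:00:02 +0200] "GET /main.html HTTP/1.1" 200 8192 "SessId=482913771"
10.0.0.5 - - [04/Oct/2011:10:00:02 +0200] "GET /log.wri HTTP/1.0" 404 0 "SessId=111111114"
10.0.0.5 - - [04/Oct/2011:10:00:02 +0200] "GET /log.wri HTTP/1.0" 404 0 "SessId=111111115"
10.0.0.7 - - [04/Oct/2011:10:00:03 +0200] "GET /favicon.ico HTTP/1.1" 404 0 "SessId=482913771"
10.0.0.5 - - [04/Oct/2011:10:00:03 +0200] "GET /log.wri HTTP/1.0" 404 0 "SessId=111111116"
"""


def brute_force_suspects(log_text, min_distinct_ids=5):
    """A legitimate client presents one SessId and gets 404s only for missing files; a guesser
    presents many distinct SessIds that all fail. Count distinct failing IDs per client IP."""
    failing_ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["status"] != "404":
            continue
        c = re.search(r"SessId=(\d+)", m["cookie"])
        if c:
            failing_ids[m["ip"]].add(c.group(1))
    return {ip: len(ids) for ip, ids in failing_ids.items() if len(ids) >= min_distinct_ids}


if __name__ == "__main__":
    print("1 admin, 1e8 guesses: ", round(hit_probability(NUMERIC_ID_SPACE, 1, 10 ** 8), 4))
    print("5 admins, 1e8 guesses:", round(hit_probability(NUMERIC_ID_SPACE, 5, 10 ** 8), 4))
    print("256-bit IDs, 1e8 guesses:", hit_probability(2 ** 256, 5, 10 ** 8))
    print("suspects:", brute_force_suspects(SAMPLE_LOG))
    print(set_cookie_header(new_session_id()))
```

With one administrator logged in, the 10**8 guesses that the advisory's "10% in a day" implies give roughly a 9.5% chance of a hijack under this model; with five administrators the same effort gives about 39%, which is the "more administrators, easier attack" effect stated above. For a 256-bit token the probability is on the order of 10**-69, so the guessing oracle stops mattering. The detection rule keys on distinct failing IDs per client rather than on the /log.wri path alone, since any authenticated URL serves the guesser equally well.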

[email protected]
Hugo Vázquez Caramés
PENTEST Consultores