SonicOS Format String Vulnerability

SEC Consult Security Advisory < 20090525-4 >

==========================================================================

title: SonicOS Format String Vulnerability

program: SonicOS

vulnerable version: SonicOS 3.x and 4.x Standard and Enhanced

(see list in the 'patch' section)

homepage: www.sonicwall.com

found: October 2006

by: lofi42

==========================================================================

 

Product description:

--------------------

 

SonicOS Enhanced (SonicOSe) is the latest version of SonicWALL's powerful

SonicOS operating system, designed for the next generation of SonicWALL

firewall/VPN appliances.

 

 

Vulnerability overview:

-----------------------

 

A format string vulnerability exists in the logfile parsing function of

SonicOS. An attacker could crash the system or execute arbitrary code

by injecting format string metacharacters into the logfile, if an

administrator subsequently uses the SonicOS GUI to view the log.

 

 

Proof of concept:

-----------------

 

There are multiple ways to inject format string characters into the logs.

The following methods can be used to test for the vulnerability:

 

1. CFS: Add ebay.com to your "Forbidden Domains" and access

http:// www.ebay.com/%s%s%s%s%s%s/.

 

2. GroupVPN: Establish an GroupVPN Tunnel and enter at the

XAUTH Username %s%s%s%s%s.

 

3. Webfrontend: Enter at the Login Page of your SonicWALL as

Username %s%s%s%s%s.

 

 

SEC Consult will not release code execution exploits for this

vulnerability to the public.

 

 

 

Vendor contact timeline:

------------------------

 

2006: Vulnerability found

2006.10.25: Vulnerability first reported to vendor

2009.02.17: Vulnerability reported to vendor again

2009.03.16: Request for status update

2009.04.21: Request for status update

2009.05.25: Public Release

2009.06.08: Advisory updated with patch information

 

 

Patch:

------

 

Version 5 of SonicOS is not affected by the vulnerability.

 

Users of version 3 and 4 are advised to obtain the free firmware

updates available at the vendor's website:

 

SonicOS Standard:

 

SonicWALL TZ 150, TZ 150W, TZ 170, TZ 170W, PRO 1260, 2040, 3060: Fixed

in version Version 3.1.6.3s

 

SonicWALL TZ 180, TZ 180W: Fixed in version 3.9.1.2

 

SonicOS Enhanced:

 

SonicWALL PRO 2040, 3060, 4060, 4100, 5060: Fixed in version 4.2.0.0.

SonicWALL TZ 170, TZ 170SP, TZ 170W, PRO 1260: Fixed in version 3.4.1.0

SonicWALL TZ 180, TZ180W, TZ 190, TZ 190W: Fixed in version 4.0.3.4

 

SonicWALL SSL-VPN:

 

Fixed in firmware v3.0.0.9 on the SSL-VPN 200 platform and v3.5.0.5 on

the SSL-VPN 2000/4000 platforms.

 

 

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF SEC Consult Vulnerability Lab / @2009