SonicWALL Global VPN Client Format String Vulnerability

SEC Consult Security Advisory < 20071204-0 >

title: SonicWALL Global VPN Client Format String Vulnerability
program: SonicWALL Global VPN Client
vulnerable version: <
found: 06-12-2007
by: lofi42*



Vendor description:

The SonicWALL Global VPN Client provides mobile users with access to mission-critical network resources by establishing secure connections to their office network's IPSec-compliant SonicWALL VPN gateway.



Vulnerability overview:

SonicWALL Global VPN Client suffers from a format string vulnerability that can be triggered by supplying a specially crafted configuration file. This vulnerability could allow an attacker to execute arbitrary code in the context of the vulnerable client. For a successful attack, the attacker would have to entice the victim into importing the special configuration file.



Vulnerability details:

Format string errors occur when the client parses the "name" attribute of the "Connection" tag and the content of the "HostName" tags in the configuration file.

<Connection name=%s%s%s%s>

The bug has been verified in version 3.1.556. With version 3.1.556 the client has to initiate a connection to trigger the vulnerability, whereas with version beta, the bug can be exploited by simply double-clicking the configuration file. This can be attributed to the 4.0 version trying to write the imported configuration to an extra debug log.

In, the bug can be beautifully demonstrated by supplying a crafted config file and then viewing the debug logfile. A configuration like this...

<Connection name=> AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
<HostName> BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x

...yields the following logfile:

----------------------< Connection name >-----------------------------------
OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.46413139.
6e6f6320.7463656e.206e6f69.41414122.41414141.25414141" has been enabled.' ''
----------------------</Connection name >-----------------------------------
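The logging pattern behind this class of bug, as an added C example that is not part of the advisory or of SonicWALL's code: a printf-style logger modelled on the OnLogMessage() line above, the vulnerable two-step shape beside the hardened one, and an import-time check that counts conversion directives in an untrusted "name" or "HostName" value. The function names, buffer sizes and the sample name are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logger in the style of the advisory's OnLogMessage() (name assumed):
 * the first argument is a printf-style format string. */
void log_message(char *out, size_t outsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the message is assembled first and then handed to the
 * logger as its format string, so "%x" inside the connection name is
 * interpreted. Kept for comparison only; never call it on untrusted text. */
void log_enabled_vulnerable(char *out, size_t outsz, const char *name) {
    char msg[256];
    snprintf(msg, sizeof msg, "The connection \"%s\" has been enabled.", name);
    log_message(out, outsz, msg);            /* BUG: msg used as the format */
}

/* Hardened shape: the format is a constant; the name is passed as data. */
void log_enabled_safe(char *out, size_t outsz, const char *name) {
    log_message(out, outsz, "The connection \"%s\" has been enabled.", name);
}

/* Count printf conversion directives in an untrusted field ("%%" is a
 * literal percent sign), so an importer can reject a crafted name or host. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }   /* escaped: skip the pair */
        if (p[1] != '\0') n++;
    }
    return n;
}

int main(void) {
    /* Constructed input modelled on the advisory's crafted config file. */
    const char *name = "AAAAAAAAAA%x.%x.%x.%x";
    char out[512];
    log_enabled_safe(out, sizeof out, name);
    printf("%s\n%d directive(s) in name\n", out, count_format_directives(name));
    return 0;
}
```

With the safe variant the "%x" sequences survive into the log verbatim, whereas the vulnerable variant would expand them from the stack exactly as the advisory's logfile shows.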



vendor status:

vendor notified: 2007-08-16
vendor response: 2007-08-29
patch available: 2007-11-26

The issue has been fixed in SonicWall VPN client