SEC Consult Security Advisory < 20090525-4 > ========================================================================== title: SonicOS Format String Vulnerability program: SonicOS vulnerable version: SonicOS 3.x and 4.x Standard and Enhanced (see list in the 'patch' section) homepage: http://www.sonicwall.com found: October 2006 by: lofi42 ========================================================================== Product description: -------------------- SonicOS Enhanced (SonicOSe) is the latest version of SonicWALL's powerful SonicOS operating system, designed for the next generation of SonicWALL firewall/VPN appliances. Vulnerability overview: ----------------------- A format string vulnerability exists in the logfile parsing function of SonicOS. An attacker could crash the system or execute arbitrary code by injecting format string metacharacters into the logfile, if an administrator subsequently uses the SonicOS GUI to view the log. Proof of concept: ----------------- There are multiple ways to inject format string characters into the logs. The following methods can be used to test for the vulnerability: 1. CFS: Add ebay.com to your "Forbidden Domains" and access http://www.ebay.com/%s%s%s%s%s%s/. 2. GroupVPN: Establish an GroupVPN Tunnel and enter at the XAUTH Username %s%s%s%s%s. 3. Webfrontend: Enter at the Login Page of your SonicWALL as Username %s%s%s%s%s. SEC Consult will not release code execution exploits for this vulnerability to the public. Vendor contact timeline: ------------------------ 2006: Vulnerability found 2006.10.25: Vulnerability first reported to vendor 2009.02.17: Vulnerability reported to vendor again 2009.03.16: Request for status update 2009.04.21: Request for status update 2009.05.25: Public Release 2009.06.08: Advisory updated with patch information Patch: ------ Version 5 of SonicOS is not affected by the vulnerability. Users of version 3 and 4 are advised to obtain the free firmware updates available at the vendor's website: SonicOS Standard: SonicWALL TZ 150, TZ 150W, TZ 170, TZ 170W, PRO 1260, 2040, 3060: Fixed in version Version 3.1.6.3s SonicWALL TZ 180, TZ 180W: Fixed in version 3.9.1.2 SonicOS Enhanced: SonicWALL PRO 2040, 3060, 4060, 4100, 5060: Fixed in version 4.2.0.0. SonicWALL TZ 170, TZ 170SP, TZ 170W, PRO 1260: Fixed in version 3.4.1.0 SonicWALL TZ 180, TZ180W, TZ 190, TZ 190W: Fixed in version 4.0.3.4 SonicWALL SSL-VPN: Fixed in firmware v3.0.0.9 on the SSL-VPN 200 platform and v3.5.0.5 on the SSL-VPN 2000/4000 platforms. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com EOF SEC Consult Vulnerability Lab / @2009