SonicOS Format String Vulnerability

SEC Consult Security Advisory < 20090525-4 >


title: SonicOS Format String Vulnerability

program: SonicOS

vulnerable version: SonicOS 3.x and 4.x Standard and Enhanced

(see list in the 'patch' section)


found: October 2006

by: lofi42



Product description:



SonicOS Enhanced (SonicOSe) is the latest version of SonicWALL's powerful

SonicOS operating system, designed for the next generation of SonicWALL

firewall/VPN appliances.



Vulnerability overview:



A format string vulnerability exists in the logfile parsing function of

SonicOS. An attacker could crash the system or execute arbitrary code

by injecting format string metacharacters into the logfile, if an

administrator subsequently uses the SonicOS GUI to view the log.



Proof of concept:



There are multiple ways to inject format string characters into the logs.

The following methods can be used to test for the vulnerability:


1. CFS: Add to your "Forbidden Domains" and access



2. GroupVPN: Establish an GroupVPN Tunnel and enter at the

XAUTH Username %s%s%s%s%s.


3. Webfrontend: Enter at the Login Page of your SonicWALL as

Username %s%s%s%s%s.



SEC Consult will not release code execution exploits for this

vulnerability to the public.




Vendor contact timeline:



2006: Vulnerability found

2006.10.25: Vulnerability first reported to vendor

2009.02.17: Vulnerability reported to vendor again

2009.03.16: Request for status update

2009.04.21: Request for status update

2009.05.25: Public Release

2009.06.08: Advisory updated with patch information






Version 5 of SonicOS is not affected by the vulnerability.


Users of version 3 and 4 are advised to obtain the free firmware

updates available at the vendor's website:


SonicOS Standard:


SonicWALL TZ 150, TZ 150W, TZ 170, TZ 170W, PRO 1260, 2040, 3060: Fixed

in version Version


SonicWALL TZ 180, TZ 180W: Fixed in version


SonicOS Enhanced:


SonicWALL PRO 2040, 3060, 4060, 4100, 5060: Fixed in version

SonicWALL TZ 170, TZ 170SP, TZ 170W, PRO 1260: Fixed in version

SonicWALL TZ 180, TZ180W, TZ 190, TZ 190W: Fixed in version




Fixed in firmware v3.0.0.9 on the SSL-VPN 200 platform and v3.5.0.5 on

the SSL-VPN 2000/4000 platforms.





SEC Consult Unternehmensberatung GmbH


Office Vienna

Mooslackengasse 17

A-1190 Vienna



Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com


EOF SEC Consult Vulnerability Lab / @2009