SonicWALL Global Security Client Local Privilege

SEC Consult Security Advisory < 20090525-2 >

==========================================================================

title: SonicWALL Global Security Client Local Privilege

Escalation Vulnerability

program: SonicWALL Global Security Client

vulnerable version: 1.0.0.15 and possibly other versions

homepage: www.sonicwall.com

found: October 2006

by: lofi42

==========================================================================

 

Vendor description:

-------------------

 

The SonicWALL Global Security Client offers IT professionals the capability

to manage a mobile user's online access, based upon corporate policies,

in order to ensure optimal security of the network and maximize network

resources. Instant messaging, high-risk Web sites and network file access

can all be allowed or disallowed as security and productivity concerns

dictate.

 

[source: www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf]

 

 

Vulnerability overview:

-----------------------

 

Local exploitation of a design error in SonicWALLs Global Security Client

could allow attackers to obtain increased privileges.

 

 

Vulnerability description:

--------------------------

 

The problem specifically exists because SYSTEM privileges are not dropped

when accessing the GSC properties from the System Tray applet. The

vulnerability can be exploited by right-clicking the System Tray icon,

choosing "Log", right click "Event Viewer", "Open Log File...". The opened

file selected can be abused by navigating to C:\WINDOWS\SYSTEM32\,

right-clicking cmd.exe, then selecting "Open"; doing so spawns a command

shell with SYSTEM privileges.

 

 

Proof of concept:

-----------------

 

This vulnerability can be exploited without any special exploit code.

 

 

Vendor contact timeline:

------------------------

 

2006: Vulnerability found

2006.10.25: Vulnerability first reported to vendor

2009.02.17: Vulnerability reported to vendor again

2009.03.16: Request for status update

2009.04.21: Request for status update

2009.05.25: Public Release

2009.06.08: Advisory updated with patch information

 

 

Patch:

------

The Global Security Client is no longer sold or maintained by the vendor.

 

 

--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF SEC Consult Vulnerability Lab / @2009

Back