SonicWALL Global Security Client Local Privilege

SEC Consult Security Advisory < 20090525-2 >


title: SonicWALL Global Security Client Local Privilege Escalation Vulnerability

program: SonicWALL Global Security Client

vulnerable version: and possibly other versions


found: October 2006

by: lofi42



Vendor description:



The SonicWALL Global Security Client offers IT professionals the capability
to manage a mobile user's online access, based upon corporate policies,
in order to ensure optimal security of the network and maximize network
resources. Instant messaging, high-risk Web sites and network file access
can all be allowed or disallowed as security and productivity concerns






Vulnerability overview:



Local exploitation of a design error in SonicWALL's Global Security Client
could allow attackers to obtain increased privileges.



Vulnerability description:



The problem specifically exists because SYSTEM privileges are not dropped
when accessing the GSC properties from the System Tray applet. The
vulnerability can be exploited by right-clicking the System Tray icon,
choosing "Log", right-clicking "Event Viewer", then choosing
"Open Log File...". The file selection dialog that opens can be abused by
navigating to C:\WINDOWS\SYSTEM32\, right-clicking cmd.exe, then selecting
"Open"; doing so spawns a command shell with SYSTEM privileges.
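
Detection logic for this class of flaw, added here as an example and not part of the original advisory or any vendor code: it scans process-creation records for processes running as SYSTEM in a user's desktop session (the root cause) and for command shells started that way (the symptom). It assumes Sysmon-style field names (Image, User, TerminalSessionId, ParentImage) and Windows Vista or later, where services are isolated in session 0; the sample events and the ExampleVendor\TrayApplet.exe path are constructed placeholders.

```python
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# OS processes that normally run as SYSTEM inside a user session.
# Starting baseline only (an assumption): tune it for your own fleet.
EXPECTED_SYSTEM = {"winlogon.exe", "csrss.exe", "logonui.exe"}
SYSTEM = "nt authority\\system"

def classify(event):
    """Return None, "system-process-on-desktop" or "system-shell-on-desktop"."""
    if event["User"].lower() != SYSTEM:
        return None
    if int(event["TerminalSessionId"]) == 0:
        return None  # session 0 holds services, not a user's desktop
    name = ntpath.basename(event["Image"]).lower()
    if name in SHELLS:
        return "system-shell-on-desktop"      # the symptom: SYSTEM shell for the user
    if name not in EXPECTED_SYSTEM:
        return "system-process-on-desktop"    # the root cause: privileged UI
    return None

def findings(events):
    """List (verdict, parent image, image) for every flagged event."""
    return [(v, ev["ParentImage"], ev["Image"])
            for ev in events if (v := classify(ev))]

def _ev(image, user, session, parent):
    return {"Image": image, "User": user,
            "TerminalSessionId": session, "ParentImage": parent}

# Constructed sample events, not captured from a real host. The
# ExampleVendor path is a placeholder, not the product's real binary.
APPLET = r"C:\Program Files\ExampleVendor\TrayApplet.exe"
CMD = r"C:\WINDOWS\system32\cmd.exe"
SAMPLE_EVENTS = [
    _ev(APPLET, r"NT AUTHORITY\SYSTEM", "1", r"C:\WINDOWS\system32\services.exe"),
    _ev(CMD, r"NT AUTHORITY\SYSTEM", "1", APPLET),
    _ev(CMD, r"CORP\alice", "1", r"C:\WINDOWS\explorer.exe"),
    _ev(CMD, r"NT AUTHORITY\SYSTEM", "0", r"C:\WINDOWS\system32\services.exe"),
    _ev(r"C:\WINDOWS\system32\winlogon.exe", r"NT AUTHORITY\SYSTEM", "1",
        r"C:\WINDOWS\system32\smss.exe"),
]

if __name__ == "__main__":
    for verdict, parent, image in findings(SAMPLE_EVENTS):
        print(f"{verdict}: {parent} -> {image}")
```

The first verdict points at the design error itself (an interactive program holding SYSTEM privileges), so it fires before anyone reaches a shell.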



Proof of concept:



This vulnerability can be exploited without any special exploit code.



Vendor contact timeline:



2006: Vulnerability found

2006.10.25: Vulnerability first reported to vendor

2009.02.17: Vulnerability reported to vendor again

2009.03.16: Request for status update

2009.04.21: Request for status update

2009.05.25: Public Release

2009.06.08: Advisory updated with patch information





The Global Security Client is no longer sold or maintained by the vendor.





SEC Consult Unternehmensberatung GmbH


Office Vienna

Mooslackengasse 17

A-1190 Vienna



Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com


EOF SEC Consult Vulnerability Lab / @2009