SonicWALL Global VPN Client Local Privilege Escalation

SEC Consult Security Advisory < 20090525-3 >
==========================================================================
              title: SonicWALL Global VPN Client Local Privilege Escalation
                     Vulnerability
            program: SonicWALL Global VPN Client
 vulnerable version: Global VPN Client <= 4.0.0.835
                     possibly other versions
           homepage: www.sonicwall.com
              found: October 2006
                 by: lofi42
==========================================================================

Vendor description:
-------------------

The SonicWALL Global VPN Client offers an easy-to-use, easy-to-manage
Virtual Private Network (VPN) solution that provides users at distributed
locations with secure, reliable remote access via broadband, wireless and
dial-up connections.

[source: www.sonicwall.com/downloads/Global_VPN_DS_US.pdf]


Vulnerability overview:
-----------------------

A local privilege escalation vulnerability exists in the SonicWALL Global VPN
Client. By exploiting this vulnerability, a local attacker could execute
code with LocalSystem privileges.


Vulnerability description:
--------------------------

During installation of the SonicWALL Global VPN Client, the permissions on the
installation folder "%ProgramFiles%\SonicWALL\SonicWALL Global VPN Client"
are by default set to Everyone:Full Control, without any warning.

The service "RampartSvc" is started from this folder. Services are started
under the LocalSystem account, and the service files are not protected in any
way. An unprivileged user can therefore replace the service executable with a
file of his choice and gain full access with LocalSystem privileges.
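
Added note (not part of the SEC Consult advisory): the weakness described above
is a generic one, a service running as LocalSystem whose image file lives in a
folder that low-privileged users can write to, so the same condition can be
audited for every installed service. The PowerShell script below is an added
example and is not code from the advisory or from SonicWALL. It enumerates the
services on the local machine, resolves each service's image path, and reports
any service whose executable or containing folder grants write-level rights to
Everyone, Users, Authenticated Users or INTERACTIVE. The principal list and the
rights mask are assumptions chosen for this example; on an affected installation
the advisory's "RampartSvc" and the folder named above would appear in the output.

```powershell
# Added example audit script; not part of the SEC Consult advisory and not SonicWALL code.
# Lists Windows services whose image file, or the folder containing it, grants write-level
# access to low-privileged principals, the condition the advisory describes for RampartSvc.
# Read-only: it changes nothing. Run from an elevated prompt so every ACL can be read.

# Principals that should never hold write rights on a service binary (assumed list).
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a user replace the file or grant themselves more rights (assumed mask).
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-ServiceImagePath {
    # Extract the executable from a raw service PathName such as
    #   "C:\Program Files\X\svc.exe" -arg   or   C:\Windows\system32\svc.exe -k group
    param([string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(\S.*?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-WeakAce {
    # Return the first Allow ACE on $Path that gives a weak principal write-level rights,
    # or $null if there is none. Generic rights (GENERIC_*) are not decoded here.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $ace }
    }
    return $null
}

Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe = Get-ServiceImagePath $_.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    $folder = Split-Path -Parent $exe
    # Check the executable itself and the folder it lives in; either one being
    # writable is enough to swap the binary.
    foreach ($target in @($exe, $folder)) {
        $ace = Get-WeakAce $target
        if ($ace) {
            [PSCustomObject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName          # e.g. LocalSystem
                Path      = $target
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
            }
        }
    }
} | Format-Table -AutoSize
```

For a hit, the folder-level fix is to remove the Everyone entry and leave write
access to Administrators and SYSTEM only (icacls can do this), then reinstall or
verify the service binary: an ACL check only finds the condition, it cannot tell
whether the executable has already been replaced.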

 

 

Proof of concept:
-----------------

This vulnerability can be exploited without any special exploit code.


Vendor contact timeline:
------------------------

2006:       Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release
2009.06.08: Advisory updated with patch information


Patch:
------

The issue has been fixed in GVC v4.2.6 for 64-bit.

The current domestic GVC v4.2.6 32-bit is in beta and contains the fix.
Customers may obtain a copy by visiting the FTP site below:

ftp://utm.soniclab.us/GVC32

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009