Tuesday, December 4, 2007

SonicWALL Global VPN Client Format String

==============================
=======================================================
title: SonicWALL Global VPN Client Format String
Vulnerability
program: SonicWALL Global VPN Client
vulnerable version: < 4.0.0.830
homepage: www.sonicwall.com
found: 06-12-2007
by: lofi42*
perm. link: http://www.sec-consult.com/305.html
=====================================================================================

Vendor description:
---------------

The SonicWALL Global VPN Client provides mobile users with access to
mission-critical network resources by establishing secure connections to
their office network's IPSec-compliant SonicWALL VPN gateway.


Vulnerabilty overview:
---------------

SonicWALL Global VPN Client suffers from a format string vulnerability
that can be triggered by supplying a specially crafted configuration
file. This vulnerability allows an attacker to execute arbitrary code in
the context of the vulnerable client. For a successful attack, the
attacker would have to entice his victim into importing the special
configuration file.


Vulnerability details:
---------------

Format string errors occur when the client parses the "name" attribute
of the "Connection" tag and the content of the "Hostname" Tags in the
configuration file.

Examples:


%s%s%s%s

The bugs has been verified in version 3.1.556 and beta 4.0.0.810. With
version 3.1.556 the client has to initiate a connection to trigger the
vulnerability, whereas with version 4.0.0.810, the bug can be exploited
by simply double-clicking the configuration file. This can be attributed
to the 4.0 version trying to write the imported configuration to an
extra debug log.


Proof-of-concept:
---------------

In 4.0.0.810, the bug can be beautifully demonstrated by supplying a
crafted config file and then viewing the debug logfile. A configuration
like this...

AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
x.%x
BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%
x.%x.%x.%x.%x.%x.%x

...yields the following logfile:

----------------------< Connection name
>-----------------------------------
OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.46413139.
203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.65685427.
6e6f6320.7463656e.206e6f69.41414122.41414141.25414141" has been
enabled.' ''
----------------------</Connection name
>-----------------------------------
----------------------e>--------------------------------------------
BBBBBBBBBB656d616e.41414120.41414141.25414141.78252e78.2e78252e.252e7825.
78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.
74207825.6e61206f.20504920.72646461.2e737365.42272027.42424242.42424242'
----------------------</HostName>---------------------------------------


This vulnerability allows reading / writing to arbitrary memory
addresses within the process memory space. Exploitation is trivial under
these circumstances.


vendor status:
---------------
vendor notified: 2007-08-16
vendor response: 2007-08-29
patch available: 2007-11-26

The issue has been fixed in SonicWall VPN client 4.0.0.830.

at 7:42 AM

Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)