Title: ====== Sonicwall OEM Scrutinizer v9.5.2 - Multiple Web Vulnerabilities Date: ===== 2013-02-14 References: =========== http://www.vulnerability-lab.com/get_content.php?id=786 VL-ID: ===== 786 Common Vulnerability Scoring System: ==================================== 5.2 Introduction: ============= Dell™ SonicWALL™ Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers. Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can deploy Scrutinizer as a virtual appliance for high performance environments. (Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html ) Abstract: ========= The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Dell Sonicwall OEM Scrutinizer v9.5.2 appliance application. Report-Timeline: ================ 2012-12-05: Researcher Notification & Coordination 2012-12-07: Vendor Notification 2013-01-08: Vendor Response/Feedback 2013-02-10: Vendor Fix/Patch 2013-02-11: Public or Non-Public Disclosure Status: ======== Published Affected Products: ================== DELL Product: Sonicwall OEM Scrutinizer 9.5.2 Exploitation-Technique: ======================= Remote Severity: ========= High Details: ======== Multiple persistent input validation vulnerabilities are detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application. The bugs allows remote attackers to implement/inject malicious script code on the application side (persistent). The first persistent vulnerability is located in the Alarm - New Board & Policy Manager module with the bound vulnerable Search item - BBSearchText parameter request. The vulnerability allows to inject persistent script code as search item value. The result is the persistent execution of script code out of the BBSearchText listing. The secound persistent vulnerability is located in the Dashboard - Flow Expert module with the bound vulnerable Mytab parameter. The vulnerability allows to inject persistent script code as myTab link value. The result is the persistent execution of script code out of the Mytab link listing. The 3rd persistent vulnerability is located in the MyView (CGI) module with the bound vulnerable `newName` parameter request. The vulnerability allows to inject persistent script code as newName. The result is the persistent execution of script code out of the core value listing. The 4th persistent vulnerability is located in the Admin > Admin [New Users & New Group] module with the bound vulnerable groupName & username parameters. The vulnerability allows to inject persistent script code as username or groupname. The result is the persistent execution of script code out of all username and group listings + checkboxes. The 5th persistent vulnerability is located in the Admin > Admin [Mapping / Maps (CGI) - Dashboard Status] module with the bound vulnerable groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name & settings groups(checkbox) parameters. The vulnerability allows to inject persistent script code as groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name & settings groups(checkbox) value(s). The result is the persistent execution of script code out of the groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name listings and settings groups checkbox. The 6th persistent vulnerability is located in the Alarms > Overview Bulletin Board > Advanced Filters module with the bound vulnerable displayBBAdvFilterModal() - (Policy Name, Board Name, Violators) parameters. The vulnerability allows to inject persistent script code as Policy Name, Board Name and Violator. The result is the persistent execution of script code out of the Policy Name, Board Name and Violator listings. Successful exploitation of the vulnerability can lead to persistent session hijacking (manager/admin), persistent phishing, persistent external redirects to malware or scam and persistent web context manipulation in the affected vulnerable module(s). Exploitation requires low user interaction & a low privileged appliance web application user account. Vulnerable Section(s): [+] Alarm [+] Dashboard [+] MyView (CGI) [+] Admin > Admin [+] Admin > Admin [+] Alarms Vulnerable Module(s): [+] New Board & Policy Manager [+] Flow Expert [+] Value [+] New Users & New Group [+] Mapping / Maps (CGI) - Dashboard Status [+] Overview Bulletin Board > Advanced Filters Vulnerable Parameter(s): [+] Search item - BBSearchText [+] Mytab [+] newName [+] groupName & username - Place in Usergroup - Listing [+] groupMembers, Type, Checkbox Linklike, indexColumn, name, Object Name & settings groups(checkbox) [+] displayBBAdvFilterModal() - (Policy Name, Board Name, Violators) Proof of Concept: ================= The persistent input validation web vulnerabilities can be exploited by remote attackers with low privileged application user account and low required user interaction. For demonstration or reproduce ... Review: Alarm > New Board & Policy Manager - [BBSearchText] Search item Review: Dashboard > Flow Expert > Mytab - [Mytab Name]
Flow Expert Configure Flow Analytics CrossCheck ExampleCisco PfRTraining<[PERSISTENT INJECTED SCRIPT CODE!]">%20%20%20%20"><[PERSISTENT INJECTED SCRIPT CODE!]") < Add a tab
Review: MyView (CGI) > Value - [newName] {"newName":"<[PERSISTENT INJECTED SCRIPT CODE!]"> \"><[PERSISTENT INJECTED SCRIPT CODE!]") <"} Review: Admin > Admin > New Users & New Group - [groupname, up_availGroups & username - Place in Usergroup - Listing]
User Preferences
New User

​​​​​

Users
Review: Admin > Admin > Mapping/Maps (CGI) - Dashboard Status - [groupMembers, Type, Checkbox Linklike, indexColumn,name,ObjectName & settings groups]
Group NameTypeMembershipMap Status
GoogleMembership
​​​​​
Type​​​​​ ​​​​​
Map TypeBackground
Google-
...
Object Name TypeMembership
GroupMembership​​​​​