SEC Consult Security Advisory < 20090525-2 > ========================================================================== title: SonicWALL Global Security Client Local Privilege Escalation Vulnerability program: SonicWALL Global Security Client vulnerable version: 1.0.0.15 and possibly other versions homepage: http://www.sonicwall.com found: October 2006 by: lofi42 permanent link: https://www.sec-consult.com/advisories_e.html#a56 ========================================================================== Vendor description: ------------------- The SonicWALL Global Security Client offers IT professionals the capability to manage a mobile user’s online access, based upon corporate policies, in order to ensure optimal security of the network and maximize network resources. Instant messaging, high-risk Web sites and network file access can all be allowed or disallowed as security and productivity concerns dictate. [source: http://www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf] Vulnerability overview: ----------------------- Local exploitation of a design error in SonicWALLs Global Security Client could allow attackers to obtain increased privileges. Vulnerability description: -------------------------- The problem specifically exists because SYSTEM privileges are not dropped when accessing the GSC properties from the System Tray applet. The vulnerability can be exploited by right-clicking the System Tray icon, choosing "Log", right click "Event Viewer", "Open Log File...". The opened file selected can be abused by navigating to C:\WINDOWS \SYSTEM32\, right-clicking cmd.exe, then selecting "Open"; doing so spawns a command shell with SYSTEM privileges. Proof of concept: ----------------- This vulnerability can be exploited without any special exploit code. Vendor contact timeline: ------------------------ 2006: Vulnerability found 2006.10.25: Vulnerability first reported to vendor 2009.02.17: Vulnerability reported to vendor again 2009.03.16: Request for status update 2009.04.21: Request for status update 2009.05.25: Public Release Patch: ------ SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround. -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Unternehmensberatung GmbH Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com EOF SEC Consult Vulnerability Lab / @2009