155 lines
No EOL
6 KiB
Text
155 lines
No EOL
6 KiB
Text
Title:
|
||
======
|
||
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability
|
||
|
||
|
||
Date:
|
||
=====
|
||
2013-02-13
|
||
|
||
|
||
References:
|
||
===========
|
||
http://www.vulnerability-lab.com/get_content.php?id=789
|
||
|
||
#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
|
||
#10149: Create a common function to escape characters that can be used for SQL injection
|
||
#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
|
||
#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
|
||
#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped
|
||
|
||
|
||
VL-ID:
|
||
=====
|
||
789
|
||
|
||
|
||
Common Vulnerability Scoring System:
|
||
====================================
|
||
7.3
|
||
|
||
|
||
Introduction:
|
||
=============
|
||
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool
|
||
to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers.
|
||
Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight
|
||
into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range
|
||
of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can
|
||
deploy Scrutinizer as a virtual appliance for high performance environments.
|
||
|
||
(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )
|
||
|
||
|
||
|
||
Abstract:
|
||
=========
|
||
The Vulnerability Laboratory Research Team discovered SQL Injection vulnerability in the Dells Sonicwall OEM Scrutinizer v9.5.2 appliance application.
|
||
|
||
|
||
Report-Timeline:
|
||
================
|
||
2012-12-05: Researcher Notification & Coordination
|
||
2012-12-07: Vendor Notification
|
||
2013-01-08: Vendor Response/Feedback
|
||
2013-02-10: Vendor Fix/Patch
|
||
2013-02-11: Public Disclosure
|
||
|
||
|
||
Status:
|
||
========
|
||
Published
|
||
|
||
|
||
Affected Products:
|
||
==================
|
||
DELL
|
||
Product: Sonicwall OEM Scrutinizer 9.5.2
|
||
|
||
|
||
Exploitation-Technique:
|
||
=======================
|
||
Remote
|
||
|
||
|
||
Severity:
|
||
=========
|
||
High
|
||
|
||
|
||
Details:
|
||
========
|
||
A blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application.
|
||
The bug allows remote attackers to execute/inject own sql statement/commands to manipulate the affected vulnerable application dbms.
|
||
The sql injection vulnerability is located in the fa_web.cgi file with the bound gadget listing module and the vulnerable orderby or
|
||
gadget parameters. Exploitation requires no user interaction & without privileged application user account. Successful exploitation of
|
||
the remote sql vulnerability results in dbms & application compromise.
|
||
|
||
Vulnerable File(s):
|
||
[+] fa_web.cgi
|
||
|
||
Vulnerable Module(s):
|
||
[+] gadget listing
|
||
|
||
Vulnerable Parameter(s):
|
||
[+] orderby
|
||
[+] gadget
|
||
|
||
|
||
Proof of Concept:
|
||
=================
|
||
The remote sql injection vulnerability can be exploited by remote attackers without required privileged application user account
|
||
and also without user interaction. For demonstration or reproduce ...
|
||
|
||
PoC:
|
||
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
|
||
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27
|
||
|
||
|
||
|
||
Solution:
|
||
=========
|
||
1) Scrutinizer team created a own DB layer that will die if a semicolon is found within a SQL query
|
||
2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection
|
||
|
||
|
||
Risk:
|
||
=====
|
||
The security risk of the remote sql injection vulnerability is estimated as high(+).
|
||
|
||
|
||
Credits:
|
||
========
|
||
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
||
|
||
|
||
Disclaimer:
|
||
===========
|
||
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
||
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
||
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
||
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
||
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
||
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
||
or trade with fraud/stolen material.
|
||
|
||
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
||
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
||
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
||
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
||
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
||
|
||
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
||
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
||
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
||
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
||
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
||
|
||
Copyright <20> 2012 | Vulnerability Laboratory
|
||
|
||
|
||
|
||
--
|
||
VULNERABILITY RESEARCH LABORATORY
|
||
LABORATORY RESEARCH TEAM
|
||
CONTACT: research@vulnerability-lab.com |