157 lines
6.2 KiB
Text
Executable file
157 lines
6.2 KiB
Text
Executable file
Title:
|
|
======
|
|
Sonicwall Scrutinizer v9.5.2 - SQL Injection Vulnerability
|
|
|
|
|
|
Date:
|
|
=====
|
|
2013-02-13
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=789
|
|
|
|
#9984: Investigate Vulnerability Lab issues (this ticket included tracking the creation of our DBI shim to error on semi-colon)
|
|
#10149: Create a common function to escape characters that can be used for SQL injection
|
|
#10139: Review all mapping and flow analytics queries to make sure inputs included in SQL are escaped
|
|
#10141: Review all reporting and filtering queries to make sure inputs included in SQL are escaped
|
|
#10140: Review all alarm tab and admin tab queries to make sure inputs included in SQL are escaped
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
789
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
7.3
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
Dell SonicWALL Scrutinizer is a multi-vendor, flow-based application traffic analytics, visualization and reporting tool
|
|
to measure and troubleshoot network performance and utilization while increasing productivity for enterprises and service providers.
|
|
Scrutinizer supports a wide range of routers, switches, firewalls, and data-flow reporting protocols, providing unparalleled insight
|
|
into application traffic analysis from IPFIX/NetFlow data exported by Dell SonicWALL firewalls, as well as support for a wide range
|
|
of routers, switches, firewalls, and data-flow reporting protocols. IT administrators in charge of high throughput networks can
|
|
deploy Scrutinizer as a virtual appliance for high performance environments.
|
|
|
|
(Copy of the Vendor Homepage: http://www.sonicwall.com/us/en/products/Scrutinizer.html )
|
|
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
The Vulnerability Laboratory Research Team discovered SQL Injection vulnerability in the Dells Sonicwall OEM Scrutinizer v9.5.2 appliance application.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2012-12-05: Researcher Notification & Coordination
|
|
2012-12-07: Vendor Notification
|
|
2013-01-08: Vendor Response/Feedback
|
|
2013-02-10: Vendor Fix/Patch
|
|
2013-02-11: Public Disclosure
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Affected Products:
|
|
==================
|
|
DELL
|
|
Product: Sonicwall OEM Scrutinizer 9.5.2
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
High
|
|
|
|
|
|
Details:
|
|
========
|
|
A blind SQL Injection vulnerability is detected in the Sonicwall OEM Scrutinizer v9.5.2 appliance application.
|
|
The bug allows remote attackers to execute/inject own sql statement/commands to manipulate the affected vulnerable application dbms.
|
|
The sql injection vulnerability is located in the fa_web.cgi file with the bound gadget listing module and the vulnerable orderby or
|
|
gadget parameters. Exploitation requires no user interaction & without privileged application user account. Successful exploitation of
|
|
the remote sql vulnerability results in dbms & application compromise.
|
|
|
|
Vulnerable File(s):
|
|
[+] fa_web.cgi
|
|
|
|
Vulnerable Module(s):
|
|
[+] gadget listing
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] orderby
|
|
[+] gadget
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
The remote sql injection vulnerability can be exploited by remote attackers without required privileged application user account
|
|
and also without user interaction. For demonstration or reproduce ...
|
|
|
|
PoC:
|
|
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes-1%27[SQL INJECTION VULNERABILITY!]&orderby=1&cachebreaker=23_52_5_814-1%27
|
|
http://127.0.0.1:1339/cgi-bin/fa_web.cgi?gadget=applicationsbytes&orderby=-1%27[SQL INJECTION VULNERABILITY!]&cachebreaker=23_52_5_814-1%27
|
|
|
|
|
|
|
|
Solution:
|
|
=========
|
|
1) Scrutinizer team created a own DB layer that will die if a semicolon is found within a SQL query
|
|
2) We have changed more queries to pass inputs as bound variables to the DB engine which prevents possible SQL injection
|
|
|
|
|
|
Risk:
|
|
=====
|
|
The security risk of the remote sql injection vulnerability is estimated as high(+).
|
|
|
|
|
|
Credits:
|
|
========
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
|
|
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
|
|
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2012 | Vulnerability Laboratory
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY RESEARCH LABORATORY
|
|
LABORATORY RESEARCH TEAM
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|