Call us on 03450 21 21 51

SRM Solutions
Tech corner: discovering the Dell Sonicwall Zero Day Vulnerability
The SRM Blog

Tech corner: discovering the Dell Sonicwall Zero Day Vulnerability

Dean Moulden

Written by Dean Moulden

23rd September 2019

Share this article

tech corner

 

Here’s a little insight into the Zero Day Vulnerability we discovered back in November 2018

As in every penetration test, we thoroughly analysed each host and service found. The first step towards discovering this vulnerability was the use of dirb to enumerate URLs on the SonicWall Analyzer, which yielded the “/ws” URL as a result. Visiting this URL returns an HTTP 500 response (Internal Server Error) as shown.

pen testing

This error message, beyond providing valuable information about the technologies in use, allowed SRM to infer the error’s cause. The reference to “AuthorizationFilter” indicated that the application expected to receive an Authorization HTTP header containing the credentials to authenticate the user.

Sending the request with an Authorization header corresponding to the credentials “user:password” (Authorization: Basic dXNlcjpwYXNzd29yZA==) resulted in an HTTP 401 (Unauthorized) response, shown, indicating that our inference was correct.

vulnerability assessment

The username portion of the credentials was then tested for SQL injection, with the header corresponding to the username/password pair test’ or ‘1’=’1:password (Authorization: Basic dGVzdCcgb3IgJzEnPScxOnBhc3N3b3Jk) returning an HTTP Code 200 (Success).

The difference in HTTP response codes (401 and 200) provides us with an oracle to establish whether our injected SQL evaluates to true or false, allowing for a Boolean blind SQL injection to be carried out.

A script was created to automate the process, and was used to dump the database username, table names, and table column names, highlighting the degree of vulnerability and indicating the nature of the vulnerable data.

The vulnerable URL was “Google Dorked” to determine how many installations were exposed on the internet. The number was small, as expected for a service that should be run on internal networks.

Among the URLs returned was https://www.sonicwall.com/.

SonicWall operate cloud infrastructure to provide for organisations that do not wish to self-host the Analyzer software. The vulnerability was tested and found to be present on the SonicWall’s infrastructure. As this is exposed to the internet, and the database is likely to contain a very large number of accounts, the vulnerability presents a significantly higher risk in this context.

The privileges of the database user on SonicWall’s service were enumerated and found to be limited in accordance with best practice, which prevented remote code execution, DNS exfiltration and other further exploits which otherwise may have been possible.

The vulnerability described above was immediately reported to Dell once identified.

Find out more about our Penetration Testing services here or why not call us for a chat on 03450 21 21 51 and we’re always happy to provide a no-obligation quote.