lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 29 May 2009 15:14:19 +1000
From: Patrick Webster <>
Subject: SonicWALL SSL-VPN Appliance Format String Vulnerability - Vulnerability Advisory
Release Date:

 SonicWALL - SSL-VPN Remote Access

 "SonicWALL SSL VPN appliances provide small and mid-size organizations an
 easy-to-use, secure and affordable remote access solution that requires no
 pre-installed client software. Utilizing a standard Web browser, authorized
 users such as employees, contractors, partners and customers, can easily and
 securely access e-mail, files, intranets, Web and legacy applications
 and remote desktops from any location."

Versions affected:
 SonicWALL SSL-VPN 2000/4000 and below.
 SonicWALL SSL-VPN 200 and below.

Vulnerability discovered:

 Format string vulnerability.

Vulnerability impact:

 High - Remote code execution, and the ability to remotely map out the
internal memory structures.

Vulnerability information:

 This vulnerability allows remote attackers to execute format string specifiers
 on the remote appliance as an unauthenticated user.

 The device uses a HTML form, where failed authentication results in an error:
 "Login failed - Incorrect name/password"


 By inserting format strings instead of expected input, the statement
is interpreted
 by printf() and the result is returned in a HTTP GET response.


 The following GET request will result in "ABCD0044434241" being returned.


 0x44434241 is the little endian hexadecimal representation for ABCD.

 It is possible to read memory remotely by specifying further format
 strings, such as:




 This may reveal sensitive information.

 Attempts to write to memory result in an error, indicating that an
access violation
 may have occurred, therefore remote code execution is likely possible
with further research (i.e. physical access :).


 "Sorry, the SSL-VPN you are trying to reach is unavailable at this
time. Please try again later."

References: advisory

 Patrick Webster ( )

Disclosure timeline:
 12-Jan-2009 - Discovered during audit.
 09-Feb-2009 - 1st email sent to No response.
 27-Feb-2009 - 2nd email sent to No response.
 01-May-2009 - Asked contacts within the security industry for
SonicWALL contact.
 07-May-2009 - Received email from SonicWALL contact.
 08-May-2009 - Sent details to SonicWALL contact.
 15-May-2009 - SSL 200 - fix released.
 27-May-2009 - SSL 2000/4000 - fix released.
 29-May-2009 - Public disclosure.


Powered by blists - more mailing lists