SonicWALL Global Security Client Local Privilege Escalation Vulnerability

2009.05.27
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

SEC Consult Security Advisory < 20090525-2 >
==========================================================================
title: SonicWALL Global Security Client Local Privilege Escalation Vulnerability
program: SonicWALL Global Security Client
vulnerable version: 1.0.0.15 and possibly other versions
homepage: http://www.sonicwall.com
found: October 2006
by: lofi42
permanent link: https://www.sec-consult.com/advisories_e.html#a56
==========================================================================

Vendor description:
-------------------

The SonicWALL Global Security Client offers IT professionals the capability to manage a mobile user's online access, based upon corporate policies, in order to ensure optimal security of the network and maximize network resources. Instant messaging, high-risk Web sites and network file access can all be allowed or disallowed as security and productivity concerns dictate.

[source: http://www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf]

Vulnerability overview:
-----------------------

Local exploitation of a design error in SonicWALL's Global Security Client could allow attackers to obtain increased privileges.

Vulnerability description:
--------------------------

The problem specifically exists because SYSTEM privileges are not dropped when accessing the GSC properties from the System Tray applet. The vulnerability can be exploited by right-clicking the System Tray icon, choosing "Log", right click "Event Viewer", "Open Log File...". The opened file selected can be abused by navigating to C:\WINDOWS\SYSTEM32\, right-clicking cmd.exe, then selecting "Open"; doing so spawns a command shell with SYSTEM privileges.

Proof of concept:
-----------------

This vulnerability can be exploited without any special exploit code.

Vendor contact timeline:
------------------------

2006: Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release

Patch:
------

SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround.
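
With no patch available, the condition described above (a desktop applet that keeps SYSTEM privileges and can start child processes) can still be watched for in process-creation telemetry. The following is an added example, not part of the SEC Consult advisory or any SonicWALL code. It assumes events shaped like Sysmon process-creation (Event ID 1) fields; the sample records, the parent allowlist and the executable name `gsc_tray_placeholder.exe` are constructed placeholders.

```python
# Added example: records are constructed, shaped like Sysmon process-creation
# (Event ID 1) fields. "gsc_tray_placeholder.exe" is a placeholder name; the
# advisory does not name the tray applet's executable.
from ntpath import basename

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# Programs that hand an operator an interactive command environment.
SHELLS = {"cmd.exe", "powershell.exe"}
# Parents expected to start SYSTEM children (assumed baseline; tune locally).
EXPECTED_SYSTEM_PARENTS = {"services.exe", "svchost.exe", "wininit.exe", "smss.exe"}

SAMPLE_EVENTS = [  # constructed
    {"Image": r"C:\WINDOWS\system32\cmd.exe", "User": SYSTEM_USER,
     "ParentImage": r"C:\Program Files\Vendor\gsc_tray_placeholder.exe",
     "TerminalSessionId": 1},
    {"Image": r"C:\WINDOWS\system32\cmd.exe", "User": r"CORP\alice",
     "ParentImage": r"C:\WINDOWS\explorer.exe", "TerminalSessionId": 1},
    {"Image": r"C:\WINDOWS\system32\cmd.exe", "User": SYSTEM_USER,
     "ParentImage": r"C:\WINDOWS\system32\svchost.exe", "TerminalSessionId": 0},
    {"Image": r"C:\WINDOWS\system32\notepad.exe", "User": SYSTEM_USER,
     "ParentImage": r"C:\Program Files\Vendor\gsc_tray_placeholder.exe",
     "TerminalSessionId": 1},
]

def classify(event):
    """Return a finding string, or None when the event is unremarkable."""
    if event["User"].upper() != SYSTEM_USER:
        return None
    child = basename(event["Image"]).lower()
    parent = basename(event["ParentImage"]).lower()
    if parent in EXPECTED_SYSTEM_PARENTS:
        return None
    if child in SHELLS:
        return "system-shell-from-unexpected-parent"
    # A SYSTEM process in a user session whose parent is not a service host:
    # a privileged program is running on the desktop, the precondition the
    # advisory describes.
    if event["TerminalSessionId"] != 0:
        return "system-process-on-user-desktop"
    return None

def scan(events):
    """Return (index, finding) pairs for every event that is flagged."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(index, finding, SAMPLE_EVENTS[index]["Image"])
```

The session check assumes Windows Vista or later, where services are isolated in session 0; on older systems the console user also runs in session 0, so only the shell rule applies there.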

References:

http://seclists.org/bugtraq/2009/May/0255.html

