26 January 2021

Security researcher releases an exploit for SonicWall VPNs



A former member of the infamous hacktivist collective Lulz Security (LulzSec) has shared a zero-day exploit for a popular SonicWall VPN application, which utilizes the same vulnerabilities used by a notorious hacktivist known as Phineas Phisher to compromise the Italian spyware vendor Hacking Team and other companies.

On Monday, security researcher Darren Martyn published the exploit on his blog, after SonicWall revealed that hackers had breached its internal systems using a zero-day flaw in its remote access tools.

“I’ve been sitting on this one for quite a while now, and figured what with SonicWall back in the news for getting owned via some 0days in their own s**t products, it would be somewhat amusing to release this,” Martyn wrote.

The researcher explained that SonicWall “Virtual Office” SSL-VPN products ship with an outdated version of Bash vulnerable to ShellShock, which makes them vulnerable to unauthenticated remote code execution (as a “nobody” user) via the /cgi-bin/jarrewrite.sh URL.

“The exploit is incredibly trivial. We simply spaff a shellshock payload containing a bash /dev/tcp backconnect at it, and we get a shell. Now, the environment on these things is incredibly limited – it's stripped down Linux. But we have bash, openssl, and FTP. So you could always download your own toolkit for further exploitation,” Martyn said.

To prevent unskilled hackers from simply copy-pasting the exploit and using it in their attacks, the researcher did not provide details on how to gain administrative privileges on the SonicWall VPN.

Following publication of the exploit code, SonicWall said that the vulnerabilities this exploit relies on had already been patched.

“The vulnerability that this post is referencing was patched in 2015 in SMA 8.0.0.4. It cannot be exploited in version 9 or 10,” the company said in a message on Twitter.
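For defenders still running firmware older than the fixed release, the check below reviews web logs for requests to the /cgi-bin/jarrewrite.sh URL and for the ShellShock function-definition marker in logged header fields. It is an added example, not code from the researcher or from SonicWall; the Apache "combined" log format, the `scan` function and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption: requests are logged in Apache "combined" format (for example by a
# reverse proxy in front of the appliance); the article does not describe
# SonicWall's own log layout.
COMBINED = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# A ShellShock-vulnerable Bash parses an environment value starting with "() {"
# as a function definition; CGI copies request headers into the environment.
FUNC_DEF = re.compile(r'\(\)\s*\{')
CGI_PATH = "/cgi-bin/jarrewrite.sh"  # URL named in the article


def scan(lines):
    """Return (line_no, source, status, verdict) for each request to CGI_PATH."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = COMBINED.match(line)
        if m is None:
            continue
        # Normalise percent-encoding and doubled slashes before comparing paths.
        path = posixpath.normpath(unquote(m["uri"].split("?", 1)[0]))
        if path != CGI_PATH:
            continue
        marker = any(FUNC_DEF.search(m[h]) for h in ("referer", "agent"))
        verdict = "shellshock-marker" if marker else "cgi-access"
        findings.append((line_no, m["src"], int(m["status"]), verdict))
    return findings


# Constructed sample log lines (documentation IP ranges, payload bodies elided).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jan/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Jan/2021:10:02:13 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 0 "-" "() { :; }; [elided]"',
    '203.0.113.5 - - [26/Jan/2021:10:03:40 +0000] "GET /cgi-bin//jarrewrite%2Esh?x=1 HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.7 - - [26/Jan/2021:10:04:02 +0000] "POST /cgi-bin/jarrewrite.sh HTTP/1.1" 500 0 "(){ [elided]" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A combined-format log records only the Referer and User-Agent headers, so a "cgi-access" verdict does not rule out a marker sent in a header the log never captured.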

