Fix erroneous cred reporting in SonicWALL exploit #7432

Merged
merged 1 commit into from Oct 13, 2016


wvu
Contributor

@wvu wvu commented Oct 11, 2016

A session ID will be returned in the parsed JSON if the login succeeded.

Bad user:

{"noldapnouser"=>1, "loginfailed"=>1}

Bad password:

{"loginfailed"=>1}

Good user/password:

{"userid"=>"1", "sessionid"=>"4WJ9cNg1TkBrwjzX"}

The check can be improved if required. Right now, it's simply doing a key match for sessionid, much like the checks above it.

  • wget http://software.sonicwall.com/ScrutinizerSW/184-003184-00_Rev_A_sonicwall-oem-Scrutinizer-windows-installer.exe
  • Install it
  • Verify creds
  • python -m SimpleHTTPServer 8080
  • Verify no creds
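
The key-match check described in the comment above, as an added Ruby example that is not part of this pull request or of the Metasploit module. The names `parse_hash`, `classify_login`, `permissive_success?` and `SAMPLES` are hypothetical, the JSON bodies are constructed from the three parsed responses quoted above, and the HTML body is a constructed stand-in for an unrelated file server's reply.

```ruby
require 'json'

# Added example, not code from the Metasploit module. All names are hypothetical.
# Returns the parsed body only when it is a JSON object, otherwise nil.
def parse_hash(body)
  res = JSON.parse(body.to_s)
  res.is_a?(Hash) ? res : nil
rescue JSON::ParserError
  nil # not JSON, e.g. an HTML page from an unrelated web server
end

# Strict check: require positive evidence (a session ID) before reporting creds.
def classify_login(body)
  res = parse_hash(body)
  return :not_target if res.nil?

  # Failure markers win, so a reply carrying both is never counted as a login.
  return :bad_user if res.key?('noldapnouser')
  return :bad_password if res.key?('loginfailed')

  sid = res['sessionid']
  return :success if sid.is_a?(String) && !sid.empty?

  :not_target
end

# Hypothetical permissive check, shown only for contrast: the absence of a
# failure marker is treated as success, so any unrelated reply "validates".
def permissive_success?(body)
  !(parse_hash(body) || {}).key?('loginfailed')
end

# Constructed sample bodies: the first three mirror the parsed responses in the
# PR description, the last stands in for a generic file server's HTML reply.
SAMPLES = {
  bad_user:     '{"noldapnouser":1,"loginfailed":1}',
  bad_password: '{"loginfailed":1}',
  good_login:   '{"userid":"1","sessionid":"4WJ9cNg1TkBrwjzX"}',
  other_server: '<html><title>Directory listing for /</title></html>'
}.freeze

def run_samples
  SAMPLES.map { |name, body| [name, classify_login(body), permissive_success?(body)] }
end

run_samples.each do |name, strict, loose|
  puts format('%-13s strict=%-13s permissive=%s', name, strict, loose)
end
```

Only the `other_server` row differs between the two checks: the strict check returns `:not_target`, while the permissive one reports a login that never happened.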

@bcook-r7
Contributor

Thanks @wvu-r7, this looks good to me.

@bcook-r7 bcook-r7 merged commit e78d3d6 into rapid7:master Oct 13, 2016
@wvu
Contributor Author

wvu commented Oct 13, 2016

Thanks!!

@wvu wvu deleted the beug/sonicwall branch October 13, 2016 03:55
@bcook-r7
Contributor

bcook-r7 commented Oct 13, 2016

Release Notes

This fix resolves incorrect reports of successful administrator credential logins when the sonicwall_scrutinizer_methoddetail_sql module is run against a non-exploitable HTTP service.

@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Oct 13, 2016