SonicWALL SSL VPN Client Remote ActiveX Multiple Vulnerabilities
BID:26288
Info
SonicWALL SSL VPN Client Remote ActiveX Multiple Vulnerabilities
| Bugtraq ID: | 26288 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2007-5603 CVE-2007-5814 CVE-2007-5815 |
| Remote: | Yes |
| Local: | No |
| Published: | Nov 01 2007 12:00AM |
| Updated: | Nov 15 2007 12:37AM |
| Credit: | Will Dormann, krafty and lofi42 are independently credited with the discovery of this issue. |
| Vulnerable: |
SonicWALL SSL VPN 1.3 3 |
| Not Vulnerable: |
SonicWALL SSL VPN 200 2.1 SonicWALL SSL VPN 2.5 |
Discussion
SonicWALL SSL VPN Client Remote ActiveX Multiple Vulnerabilities
SonicWALL SSL VPN Client is prone to multiple remote vulnerabilities. The issues occur in different ActiveX controls and include arbitrary-file-deletion and multiple stack-based buffer-overflow vulnerabilities.
Attackers can exploit these issues to execute arbitrary code within the context of the affected application and delete arbitrary files on the client's computer. Failed exploit attempts will result in denial-of-service conditions.
These issues affect SonicWALL SSL VPN 1.3.0.3 software as well as WebCacheCleaner 1.3.0.3 and NeLaunchCtrl 2.1.0.49 ActiveX controls; other versions may also be vulnerable.
SonicWALL SSL VPN Client is prone to multiple remote vulnerabilities. The issues occur in different ActiveX controls and include arbitrary-file-deletion and multiple stack-based buffer-overflow vulnerabilities.
Attackers can exploit these issues to execute arbitrary code within the context of the affected application and delete arbitrary files on the client's computer. Failed exploit attempts will result in denial-of-service conditions.
These issues affect SonicWALL SSL VPN 1.3.0.3 software as well as WebCacheCleaner 1.3.0.3 and NeLaunchCtrl 2.1.0.49 ActiveX controls; other versions may also be vulnerable.
Exploit / POC
SonicWALL SSL VPN Client Remote ActiveX Multiple Vulnerabilities
The following proofs of concept are available:
Arbitrary file deletion issue:
dim o
Set o = CreateObject("MLWebCacheCleaner.WebCacheCleaner.1")
o.FileDelete("c:\bla\bla")
Buffer-overflow vulnerability:
o.AddRouteEntry ("", "ABCDEFGHIJKLMNOPQRSTUVWX");
The following exploit is available for the AddRouteEntry method:
The following proofs of concept are available:
Arbitrary file deletion issue:
dim o
Set o = CreateObject("MLWebCacheCleaner.WebCacheCleaner.1")
o.FileDelete("c:\bla\bla")
Buffer-overflow vulnerability:
o.AddRouteEntry ("", "ABCDEFGHIJKLMNOPQRSTUVWX");
The following exploit is available for the AddRouteEntry method:
Solution / Fix
SonicWALL SSL VPN Client Remote ActiveX Multiple Vulnerabilities
Solution:
The vendor has released SSL VPN 200 2.1 and SSL VPN 2.5 to address these issues. Please see the references for more information.
Solution:
The vendor has released SSL VPN 200 2.1 and SSL VPN 2.5 to address these issues. Please see the references for more information.
References
SonicWALL SSL VPN Client Remote ActiveX Multiple Vulnerabilities
References:
References:
- Microsoft Knowledge Base Article 240797 (Microsoft)
- ViewPoint Homepage (SonicWALL)
- SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Clien (Bernhard Mueller)
- SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Clien (Bernhard Mueller
) - Vulnerability Note VU#298521 SonicWall NetExtender NELaunchCtrl ActiveX control (US-CERT)