vendor:
SSL-VPN Appliance
by:
Darren Martyn
9.8
CVSS
CRITICAL
Remote Code Execution
78
CWE
Product Name: SSL-VPN Appliance
Affected Version From: 8.0.0.0
Affected Version To: 8.0.0.3
Patch Exists: YES
Related CWE: CVE-2014-6271
CPE: a:sonicwall:ssl-vpn_appliance:8.0.0.0
Metasploit:
https://www.rapid7.com/db/vulnerabilities/freebsd-vid-81e2b308-4a6c-11e4-b711-6805ca0b3d42/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-6278/, https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-2380-1/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-6278/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3093/, https://www.rapid7.com/db/vulnerabilities/gnu-bash-cve-2014-6278/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3092/, https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2014-6278/, https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2014-6278/, https://www.rapid7.com/db/vulnerabilities/freebsd-vid-512d1301-49b9-11e4-ae2c-c80aa9043978/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3094/, https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2014-6278/, https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2014-6277/, https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2014-1354/, https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2014-6278/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-6277/, https://www.rapid7.com/db/vulnerabilities/hpsim-cve-2014-6277/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-6277/, https://www.rapid7.com/db/vulnerabilities/apple-osx-bash-cve-2014-6277/, https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2014-6277/, https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=2, https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=3, https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=4, https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=2
Other Scripts:
N/A
Platforms Tested: None
2021
SonicWall SSL-VPN 8.0.0.0 – ‘shellshock/visualdoor’ Remote Code Execution (Unauthenticated)
This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command execution primitive as the 'nobody' user in the cgi-bin/jarrewrite.sh web-script, spawns a trivial reverse shell using /dev/tcp.
Mitigation:
Upgrade to SMA 8.0.0.4 or later
