Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:21895
HistoryMay 27, 2009 - 12:00 a.m.

SEC Consult SA-20090525-2 :: SonicWALL Global Security Client Local Privilege Escalation Vulnerability

2009-05-2700:00:00
vulners.com
7

SEC Consult Security Advisory < 20090525-2 >

          title: SonicWALL Global Security Client Local Privilege 
                 Escalation Vulnerability        
        program: SonicWALL Global Security Client

vulnerable version: 1.0.0.15 and possibly other versions
homepage: http://www.sonicwall.com
found: October 2006
by: lofi42
permanent link: https://www.sec-consult.com/advisories_e.html#a56

Vendor description:

The SonicWALL Global Security Client offers IT professionals the
capability to manage a mobile user’s online access, based upon corporate
policies, in order to ensure optimal security of the network and
maximize network resources. Instant messaging, high-risk Web sites and
network file access can all be allowed or disallowed as security and
productivity concerns dictate.

[source:
http://www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf]

Vulnerability overview:

Local exploitation of a design error in SonicWALLs Global Security
Client could allow attackers to obtain increased privileges.

Vulnerability description:

The problem specifically exists because SYSTEM privileges are not
dropped when accessing the GSC properties from the System Tray applet.
The vulnerability can be exploited by right-clicking the System Tray
icon, choosing "Log", right click "Event Viewer", "Open Log File…".
The opened file selected can be abused by navigating to C:\WINDOWS
\SYSTEM32\, right-clicking cmd.exe, then selecting "Open"; doing so
spawns a command shell with SYSTEM privileges.

Proof of concept:

This vulnerability can be exploited without any special exploit code.

Vendor contact timeline:

2006: Vulnerability found
2006.10.25: Vulnerability first reported to vendor
2009.02.17: Vulnerability reported to vendor again
2009.03.16: Request for status update
2009.04.21: Request for status update
2009.05.25: Public Release

Patch:

SEC Consult was not able to get any vendor feedback on this issue. We
are currently not aware of a patch or workaround.

–

SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

EOF SEC Consult Vulnerability Lab / @2009