Sonicwall SSLVPN - Remote Code Execution (ShellShock)

What is the "Sonicwall SSLVPN - Remote Code Execution (ShellShock)" module?

The "Sonicwall SSLVPN - Remote Code Execution (ShellShock)" module is designed to detect a critical vulnerability in Sonicwall SSLVPN. This vulnerability, known as "ShellShock," allows remote unauthenticated attackers to execute arbitrary commands on the target system. The severity of this vulnerability is classified as critical.

This module was authored by PR3R00T.

Impact

If exploited, the "Sonicwall SSLVPN - Remote Code Execution (ShellShock)" vulnerability can lead to unauthorized remote code execution on the affected system. This can result in the compromise of sensitive data, unauthorized access, and potential system compromise.

How does the module work?

The module works by sending a specific HTTP request to the target system. The request is designed to exploit the ShellShock vulnerability in Sonicwall SSLVPN. The module then checks for specific matching conditions to determine if the vulnerability is present.

Here is an example of the HTTP request:

GET /cgi-bin/jarrewrite.sh HTTP/1.1
Host: <Hostname>
User-Agent: "() { :; }; echo ; /bin/bash -c 'cat /etc/passwd'"
Accept: */*

The module includes two matching conditions:

- The first condition checks the response body for the presence of the "root:.*:0:0:" pattern, indicating a successful exploitation of the vulnerability. - The second condition checks the HTTP response status code, expecting a 200 status code to confirm the vulnerability.

If both conditions are met, the module reports the presence of the vulnerability.