module
SonicWall Global Management System XMLRPC set_time_zone Unauth RCE
| Disclosed | Created |
|---|---|
| 07/22/2016 | 03/19/2019 |
Disclosed
07/22/2016
Created
03/19/2019
Description
This module exploits a vulnerability in SonicWall Global
Management System Virtual Appliance versions 8.1 (Build 8110.1197)
and below. This virtual appliance can be downloaded from
http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a
holistic way to manage your entire network security environment.'
These vulnerable versions (8.1 Build 8110.1197 and below) do not
prevent unauthenticated, external entities from making XML-RPC
requests to port 21009 of the virtual app. After the XML-RPC call
is made, a shell script is called like so:
'timeSetup.sh --tz="`command injection here`"' --usentp="blah"'.
Management System Virtual Appliance versions 8.1 (Build 8110.1197)
and below. This virtual appliance can be downloaded from
http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a
holistic way to manage your entire network security environment.'
These vulnerable versions (8.1 Build 8110.1197 and below) do not
prevent unauthenticated, external entities from making XML-RPC
requests to port 21009 of the virtual app. After the XML-RPC call
is made, a shell script is called like so:
'timeSetup.sh --tz="`command injection here`"' --usentp="blah"'.
Authors
Michael Flanderskernelsmith
Platform
Unix
Architectures
cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/unix/sonicwall/sonicwall_xmlrpc_rce
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.