Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Risk: CVSS 9.1 (Critical)
SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from an unauthenticated arbitrary file-delete vulnerability which can be exploited by a remote attacker to delete arbitrary files from the underlying Operating System.
This vulnerability exists in the sonicfiles
RAC_DOWNLOAD_TAR method, which allows users to download a tar file from a specified SMB share, and is exposed to unauthenticated users. Before a file is downloaded,
unlink is called on the local file-path. By exploiting a directory traversal vulnerability in this method, an attacker can cause
unlink to be called on a path of their choosing, resulting in arbitrary file deletion.
Note that because the server runs as the
nobody user, only files that are owned by
nobody can be deleted.
By deleting the
persist.db file, an attacker can corrupt the locally stored user database. Depending on the device, deleting this file will either cause the device to immediately reboot, or for the HTTP server to become unresponsive. In either case, when the device is rebooted, the default password of
admin:password will be restored – allowing the attacker to log into the administrative interface with known credentials.
Once access to the administrative interface has been gained, the attacker could exploit CVE-2021-20044 to achieve Remote Code Execution as
A remote unauthenticated attacker could exploit this issue to delete arbitrary files from the underlying Operating System. This may include database and configuration files owned by the
nobody user. Depending on which file is deleted this could either result in Denial of Service, or takeover of the device.
RAC_DOWNLOAD_TAR (RacNumber 44) method allows users to download a .tar file from a user specified SMB share. This RacNumber maps to the
download_tar Python method, which in turn shells out to
download_tar function was found to be vulnerable to arbitrary file deletion due to directory traversal and an unguarded call to
The following code shows the arguments passed to the
fileexplorer binary. As shown, if the user supplies a
swcctn and timestamp parameter, these are used to create a path which is passed to the child program:
fileexplorer, after parsing the arguments, the
createTar function is called. As shown in the following screenshot, a call to
unlink is made with the user-controlled temp-file path in
arg4 (which comes from the
list_file_path variable passed from Python and derived from the user-supplied
timestamp parameters). This is called implicitly before the function returns – to delete the temp file. However, as this file-path is user-controlled, directory traversal could be used to delete arbitrary files:
The following request will result in the file
/tmp/foo_bar being deleted:
As shown below, the
foo_bar file is deleted after the HTTP request is made:
In theory this is harder to exploit because of the
_ requirement, however this problem can be worked around by traversing into a directory containing an underscore and building a path back out of it using the
timestamp parameters. This requires a directory containing an underscore that the
nobody user can traverse. The following directory fits this requirement:
Therefore, an attacker can make a request such as:
And the path becomes:
This can be seen in the following
As shown in the following screenshot, the file
/tmp/foobar is deleted after the HTTP request is made:
This could allow the attacker to delete any file on the device as long as it is accessible by the nobody user. An attacker could leverage this to delete configuration files, meaning that when the device is rebooted, the default configuration would be applied – leaving the device in a vulnerable state. A similar issue was recently patched under CVE-2021-20034 and documented by Rapid7.
As noted in the Attacker KB article, this could be exploited by deleting the
/etc/EasyAccess/var/conf/persist.db database to reset the default configuration – which will cause the default administrator password (
admin:password) to be restored upon reboot.
During testing against the SonicWall SMA Azure appliance, it was noted that the server was rebooted immediately by the
watchdog process following deletion of the
persist.db file. No manual intervention was required. However, this behaviour appears to vary between configurations (e.g., ESX vs Azure).
Following reboot, it would be possible to exploit the CVE-2021-20044 post-auth RCE using known credentials.
The following screenshot shows successful exploitation of the unauthenticated arbitrary file delete, followed by CVE-2021-20044 to achieve code execution as
Upgrade to SMA version 10.2.0.9-41sv, 10.2.1.3-27sv or above.
2021-10-29 - Vulnerability reported to SonicWall PSIRT. 2021-11-02 - Reply from SonicWall PSIRT stating that the vulnerability has been "rejected" as a duplicate/known issue. 2021-11-06 - SonicWall confirm they have addressed the other reported issues and shared a draft KB article, which omits details of arbitrary file-deletion and XSS issues. NCC Group requests clarification around this - providing evidence of successful exploitation on latest firmware versions (10.2.0.8-37v and 10.2.1.2-24sv). 2021-11-06 - SonicWall PSIRT respond stating that these issues were rejected, referencing the original triage response. 2021-12-07 - Patch released and SonicWall publish KB article. 2021-12-07 - NCC Group request further clarification on missing vulnerabilities. 2021-12-08 - NCC Group confirms that the arbitrary file-deletion vulnerability was fixed on firmware versions 10.2.0.9-41sv and 10.2.1.3-27sv. 2021-12-08 - SonicWall PSIRT responds stating that the issue was found by internal review prior to NCC Group's report, and for this reason was omitted from the advisory notes. 2021-12-09 - NCC Group advisory released.
Jennifer Fernick and Aaron Haymore from NCC Group for their assistance with disclosure.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published Date: 2021-12-09
Written By: Richard Warren