Dell SonicWALL Global Management System GMS 8.1 Blind SQL Injection

Title: Dell SonicWALL Global Management System GMS 8.1 Blind SQL Injection
Advisory ID: ZSL-2016-5388
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (4/5)
Release Date: 29.12.2016
Summary
Provide your organization, distributed enterprise or managed service offering with an intuitive, powerful way to rapidly deploy and centrally manage SonicWall solutions, with SonicWall GMS. Get more value from your firewall, secure remote access, anti-spam, and backup and recovery solutions with enhanced network security monitoring and robust network security reporting. By deploying GMS in an enterprise, you can minimize administrative overhead by streamlining security appliance deployment and policy management.
Description
Dell SonicWALL GMS suffers from multiple SQL Injection vulnerabilities. Input passed via the GET parameters 'searchBySonicwall', 'firstChangeOrderID', 'secondChangeOrderID' and 'coDomainID' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
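A defender-side check for the parameters named above, added here as an example and not part of the original advisory or the vendor's code: it scans web access-log lines for the four GET parameters and flags values that look tampered with. The log lines, the placeholder request path, and the assumption that the three ID parameters are plain integers are all constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names are the four listed in the advisory.
# Assumption: the three *ID parameters normally carry plain integers.
ID_PARAMS = {"firstChangeOrderID", "secondChangeOrderID", "coDomainID"}
SEARCH_PARAM = "searchBySonicwall"
# Assumed policy: quotes, comment markers and these keywords never belong in a search term.
SQL_META = re.compile(r"['\";]|--|/\*|\b(?:select|union|sleep|benchmark)\b", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines; the path is a placeholder, not a real GMS URL.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2017:10:00:00 +0000] "GET /PLACEHOLDER/page?coDomainID=1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2017:10:00:05 +0000] "GET /PLACEHOLDER/page?coDomainID=1%27 HTTP/1.1" 500 0',
    '192.0.2.11 - - [01/Jan/2017:10:00:09 +0000] "GET /PLACEHOLDER/page?firstChangeOrderID=7&secondChangeOrderID=8%20OR%201%3D1 HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2017:10:01:00 +0000] "GET /PLACEHOLDER/page?searchBySonicwall=branch-fw-01 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2017:10:01:30 +0000] "GET /PLACEHOLDER/page?searchBySonicwall=x%2527%20-- HTTP/1.1" 200 512',
]

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for advisory parameters that look tampered with."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded input
        if name in ID_PARAMS and value and not re.fullmatch(r"[0-9]+", value):
            hits.append((name, value))
        elif name == SEARCH_PARAM and SQL_META.search(value):
            hits.append((name, value))
    return hits

def scan(lines):
    """Return [(line_number, param, value)] across a whole log."""
    return [(n, p, v) for n, line in enumerate(lines, 1)
            for p, v in suspicious_params(line)]

if __name__ == "__main__":
    for n, p, v in scan(SAMPLE_LOG):
        print(f"line {n}: {p}={v!r}")
```

Hits on these parameters in historical logs from a GMS 8.1 or 8.0 SP1 host are a reason to review that host; the patch in GMS 8.2 is the fix.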
Vendor
Dell Inc. - https://www.sonicwall.com/products/sonicwall-gms/
Affected Version
8.1
8.0 SP1 Build 8048.1410
Flow Server Virtual Appliance
Tested On
SonicWALL
MySQL/5.0.96-community-nt
Apache-Coyote/1.1
Apache Tomcat 6.0.41
Vendor Status
[26.01.2016] Vulnerabilities discovered.
[29.01.2016] Vendor contacted.
[29.01.2016] Vendor responds asking for more details, providing PGP keys.
[29.01.2016] Sent details to the vendor.
[29.01.2016] Vendor confirms receipt of the issues, forwarding them to the engineering team.
[12.02.2016] Asked vendor for status update.
[12.02.2016] Vendor confirms the issues, scheduling a patch release.
[23.02.2016] Asked vendor for status update.
[24.02.2016] Vendor replied.
[19.04.2016] Asked vendor for status update.
[20.04.2016] Vendor informs that one of the issues is in remediation stage, remaining ones still under review.
[22.04.2016] Working with the vendor.
[02.12.2016] Vendor releases patch in GMS 8.2 to address these issues.
[29.12.2016] Coordinated public security advisory released.
PoC
sonicwall_sqli.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://support.sonicwall.com/product-notification/215257?productName=SonicWALL%20GMS
[2] http://www.dell.com/learn/nz/en/nzbsd1/campaigns/contributors-dell-software-security?c=nz&l=en&s=bsd&cs=nzbsd1
[3] https://www.exploit-db.com/exploits/40977/
[4] http://www.securityfocus.com/bid/95155
[5] https://cxsecurity.com/issue/WLB-2016120168
[6] https://packetstormsecurity.com/files/140300
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/120214
Changelog
[29.12.2016] - Initial release
[02.01.2017] - Added references [4], [5] and [6]
[29.01.2017] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk