CVE-2013-1359
published 2020-02-11
Priority P185 · critical · 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS 89.40% · 99.8th percentile
An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, 5.1, and 6.0 via the skipSessionCheck parameter to the UMA interface (/appliance/), which could let a remote malicious user obtain access to the root account.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | analyzer | — | — |
| sonicwall | global_management_system | — | — |
| sonicwall | global_management_system | — | — |
| sonicwall | global_management_system | — | — |
| sonicwall | global_management_system | — | — |
| sonicwall | global_management_system | — | — |
| sonicwall | gms | — | — |
| sonicwall | universal_management_appliance | — | — |
| sonicwall | universal_management_appliance | — | — |
| sonicwall | universal_management_appliance | — | — |
| sonicwall | viewpoint | — | — |
| sonicwall | viewpoint | — | — |
| sonicwall | viewpoint | — | — |
Detection & IOCs (extracted from sources)
- Detect authentication bypass attempts by monitoring HTTP POST requests to /appliance/applianceMainPage containing the 'skipSessionCheck=1' parameter, which bypasses session validation entirely.
- Alert on multipart/form-data POST requests to /appliance/applianceMainPage?skipSessionCheck=1 with action=file_system and task=uploadFile, indicating a JSP webshell upload attempt.
- Detect POST requests to /appliance/applianceMainPage?skipSessionCheck=1 with action=show_diagnostics and task=search, used by attackers to fingerprint the GMS installation path prior to exploitation.
- Monitor for GET requests to /appliance/*.jsp following a file upload to the appliance web directory, indicating execution of a dropped JSP webshell.
- Alert on the Apache-Coyote server banner in HTTP responses from SonicWALL GMS, which is used by the exploit module to fingerprint the target before attack.
- Detect new .jsp files written under the Tomcat/webapps/appliance/ directory on SonicWALL GMS hosts, as the exploit drops a JSP reverse shell payload there.
- Note: The exploit targets SonicWALL GMS versions 6.0.6017 and 6.0.6022 specifically in testing, but the authentication bypass affects a broader range of versions including GMS 4.1–7.0, UMA 5.1–7.0, ViewPoint 4.1–6.0, and Analyzer 7.0.
- Note: On the Linux Virtual Appliance target, the Linux Meterpreter payload did not run successfully during testing; a plain shell payload should be used instead.
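The request-based indicators above, applied to web access logs, as an added example that is not taken from the page's sources. It assumes common-log-format lines; `detect`, `SAMPLE_LOG` and the rule labels are illustrative names. The action and task fields travel in the POST body, which access logs do not record, so only the query-string indicator and the follow-up JSP request are checked here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jan/2013:10:01:02 +0000] "GET /appliance/login.jsp HTTP/1.1" 200 2113
198.51.100.7 - - [24/Jan/2013:10:05:40 +0000] "POST /appliance/applianceMainPage?skipSessionCheck=1 HTTP/1.1" 200 5120
198.51.100.7 - - [24/Jan/2013:10:05:51 +0000] "GET /appliance/example.jsp HTTP/1.1" 200 0
192.0.2.10 - - [24/Jan/2013:10:06:00 +0000] "POST /appliance/applianceMainPage HTTP/1.1" 302 0
192.0.2.10 - - [24/Jan/2013:10:06:05 +0000] "GET /appliance/login.jsp HTTP/1.1" 200 2113
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def detect(log_text):
    """Return (client, rule, request_target) tuples in log order."""
    findings = []
    bypass_clients = set()  # clients already seen sending skipSessionCheck
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _ts, method, target, _status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path).lower()
        if not path.startswith("/appliance/"):
            continue
        # Keys are URL-decoded and compared case-insensitively so the match
        # does not depend on the literal spelling in the raw log line.
        params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
        if "skipsessioncheck" in params:
            bypass_clients.add(client)
            findings.append((client, "skipSessionCheck-request", target))
        elif method == "GET" and path.endswith(".jsp") and client in bypass_clients:
            # JSP fetched by a client that earlier used the bypass parameter.
            findings.append((client, "jsp-after-bypass", target))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The second rule only correlates by client address, so it should be paired with the file-write indicator for .jsp files under the appliance web directory on the host.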
CVSS provenance
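| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |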
GHSA
GHSA-6qrj-83cw-546c: An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7
ghsa_unreviewed·2022-05-05·[HIGH]
SonicWall
CVE-2013-1359: An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Ma
vendor_sonicwall·2020-02-11·CVSS 9.8·[CRITICAL]·CWE-287
No detection rules found.
Exploit-DB
SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)
exploitdb·2013-01-24
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SonicWALL GMS 6 Arbitrary File Upload',
      'Description' => %q{
        This module exploits a code execution flaw in SonicWALL GMS. It exploits two
        vulnerabilities in order to get its objective. An authentication bypass in the
        Web Administration interface allows to abuse the "appliance" ap
```
Exploit-DB
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x - Remote Command Execution
exploitdb·2013-01-18
---
```perl
#!/usr/bin/perl
##
# Title: SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
# Name: sgmsRCE.pl
# Author: Nikolas Sotiriu (lofi)
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##

use strict;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP::Protocol::https;
use Getopt::Std;

my %args;
getopt('hlp:', \%args);

my $victim = $args{h} || usage();
my $lip = $args{l};
my $lport = $args{p};
my $detect = $args{d};
my $shellname = "cbs.jsp";

banner();

my $gms_path;
my $target;
my $sysshell;

my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);
$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11
```
Metasploit
SonicWALL GMS 6 Arbitrary File Upload
metasploit
This module exploits a code execution flaw in SonicWALL GMS. It exploits two vulnerabilities in order to get its objective. An authentication bypass in the Web Administration interface allows to abuse the "appliance" application and upload an arbitrary payload embedded in a JSP. The module has been tested successfully on SonicWALL GMS 6.0.6017 over Windows 2003 SP2 and SonicWALL GMS 6.0.6022 Virtual Appliance (Linux). On the Virtual Appliance the linux meterpreter hasn't run successfully while testing, shell payload has been used.
No writeups or analysis indexed.
References
- http://www.exploit-db.com/exploits/24204
- http://www.exploit-db.com/exploits/24322
- http://www.securityfocus.com/bid/57445
- http://www.securitytracker.com/id/1028007
- https://exchange.xforce.ibmcloud.com/vulnerabilities/81367
- https://fortiguard.com/encyclopedia/ips/35264/multiple-sonicwall-products-authentication-bypass-vulns
- https://packetstormsecurity.com/files/author/7547/
- https://seclists.org/fulldisclosure/2013/Jan/125
Published: 2020-02-11