Climbing the SonicWall

by Kn1ghtl0rd  (Kn1ghtl0rd@hotmail.com)

Since 9-11, Internet and network security have moved into the foreground.

The various companies that provide different security services have come up with the idea that there is a need for an all-inclusive network security appliance that includes anti-virus, anti-spyware, intrusion detection, content filtering, and firewall services.

A few of the more popular companies to produce these products are Symantec, McAfee, Nortel, WatchGuard, and SonicWall.  Although the configuration and administration of these devices vary, they all have the same basic principles behind them.

I will be talking specifically about the SonicWall security appliances, but the basic principles could be translated to the other devices as well.  The SonicWall comes in a few different models.  The TZ 170 is a small ten-user box similar to a router with a five-port switch built in, while the Pro series consists of the 1260, 2040, 3060, 4060, and 5060.  Most of these boxes are pretty similar.  They are rack-mountable units that have ports on the front for LAN, WAN, DMZ, and VPN.

The higher numbered models also support 10/100/1000 communications.  The 1260 has a 24-port switch built in as well.  There are a few other models which I will not describe too much because they are the same as all the ones listed above, just with wireless capabilities built in.  I will however mention the SonicPoint which is a wireless access point that is self-configuring on a SonicWall system, which means once it is plugged into the network the main SonicWall is operating on, it will automatically be configured by the main firewall to mirror all of its settings.

The operating system that is used on each box is a proprietary system known as SonicOS, and there are two versions, Standard and Enhanced.  With the Enhanced version all the rules and settings are defined using objects, so if you have a router or a wireless device attached that needs special rules, you would define that router and its information (IP address, zone, authentication method, etc.) as an object within the SonicWall system.

So if there are changes to that device, you only need to change it once in the SonicWall and the change will affect all the rules set for that object.  If you have any experience with modular or object-oriented programming, then you probably understand what I am talking about.

Another feature of SonicOS Enhanced is that it has the ability to utilize an extra port that is included in all the Pro series models.  SonicOS Standard can only use the LAN, WAN, and DMZ/VPN ports.  There is a fourth port that can be configured as another LAN or WAN port, so if you set it up to be a WAN port you can have two separate Internet connections and share the load or do failover.

The SonicWall Pro series appliances can easily run you around $3000, and this is without anything else.  SonicWall also provides an intrusion prevention service, which is pretty robust, but it uses Snort rules contributed by the open-source community and they charge around $1500 a year for that service alone!

Also, they have a content filtering service, two types of anti-virus for the box and one for individual nodes attached to the machine.  They also have an anti-spyware solution and a logging service called ViewPoint, which takes the raw data that the SonicWall collects and summarizes it into nice little charts and tables for administrators to look at.

The only thing I don't like about this is that the ViewPoint server can be a normal PC with at least 512 MB of RAM and a 2.8 GHz processor running Windows XP Pro, and the software installs a Tomcat web server and an MSSQL server onto the machine.

Now you may ask what the big deal is.  But it is a very big deal.  If the ViewPoint server were compromised, then you could log into the SonicWall as an admin without any further verification.

On the main status page there is an area where you can log directly into the SonicWall, completely bypassing the firewall's own login; you don't even need to know its IP address or login method.  The ViewPoint server also supports concurrent logins by the administrator.

Here is an example of how I broke into our own system during a pen-test.

Our system is composed of three remote offices and one corporate office.  Two of the remote offices connect through a secure digital line that directly connects them to the corporate office.

The third office is for a buildings and grounds crew and they have only one machine.  The manager logs into our network by dialing into a Netgear dial-up router which patches it into our network, kind of like a VPN.

So I sat at home and dialed into the network.  I already knew the admin password, but for the sake of a good pen-test I ran Ethereal and sniffed out my manager accessing the ViewPoint server, which gave me the IP address of his machine and the server.

I ran a nice little program that sniffs passwords out of a network based on IP address, so I got the password to the ViewPoint server.  I proceeded to connect to the ViewPoint server with the username and password I sniffed out and, like I said, the ViewPoint server supports concurrent login from the admin, so I connected and proceeded to get to the main SonicWall device.

The main box does not support concurrent login, but if there is already an admin on you can either boot him off or try again later.  The ViewPoint server can help you monitor his activities.

Once inside the SonicWall you have free rein to open ports and services, unblock content filtering, stop services, or even turn off the Internet completely.

You could also set special rules within the virus scanner to allow your virus or whatever you want.

As you can see, this is a big hole in the system.

When using the ViewPoint server to access the SonicWall, it requests a certificate from the main box to verify it, but a certificate whose identity does not match the box is still accepted.

In our situation the certificate is issued for the default IP address (192.168.168.168) while the actual IP address of the box is 192.1.1.99; the client notices the mismatch and simply asks you whether it's O.K. that they are different, so you are able to log in anyway.
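The mismatch described above is exactly the case a strict peer-identity check should reject rather than hand off to a prompt.  The Python below is an added example, not ViewPoint or SonicWALL code: it takes a certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns and accepts it only if the address actually being connected to appears among the certificate's own identities.  The two certificate dicts are constructed to mirror the addresses in the article (the factory default versus the box's real address); the function names are my own.

```python
"""Strict TLS peer-identity check (added example, not SonicWALL/ViewPoint code).

A certificate is accepted only when the address we connected to is one of the
identities it was issued for.  There is no "are you sure?" fallback: a mismatch
is a rejection.
"""
import ipaddress


def _san_entries(cert):
    """Yield (kind, value) pairs from the certificate's subjectAltName."""
    for kind, value in cert.get("subjectAltName", ()):
        yield kind, value


def _common_names(cert):
    """Yield every commonName in the subject (legacy identity, pre-SAN)."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                yield value


def _dns_matches(pattern, hostname):
    """Exact match, or a single leading '*.' wildcard covering one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def _same_ip(candidate, ip):
    try:
        return ipaddress.ip_address(candidate) == ip
    except ValueError:          # malformed SAN value never matches
        return False


def peer_identity_ok(cert, expected):
    """Return True iff `expected` (IP literal or hostname) is an identity of `cert`.

    Policy: an IP literal must match an 'IP Address' SAN entry; a hostname must
    match a 'DNS' SAN entry; the subject CN is consulted only when the
    certificate carries no subjectAltName at all, and only for hostnames.
    """
    try:
        ip = ipaddress.ip_address(expected)
    except ValueError:
        ip = None
    san = list(_san_entries(cert))
    if ip is not None:
        return any(kind == "IP Address" and _same_ip(v, ip) for kind, v in san)
    if san:
        return any(kind == "DNS" and _dns_matches(v, expected) for kind, v in san)
    return any(_dns_matches(cn, expected) for cn in _common_names(cert))


def describe_mismatch(cert, expected):
    """One line for the log: what we expected versus what the cert names."""
    ids = [f"{k}={v}" for k, v in _san_entries(cert)]
    if not ids:
        ids = [f"CN={cn}" for cn in _common_names(cert)]
    return f"expected {expected}, certificate issued for: {', '.join(ids) or 'nothing'}"


# Constructed certificate dicts in the shape ssl.SSLSocket.getpeercert() returns.
DEFAULT_ADDR_CERT = {   # issued for the factory-default address
    "subject": ((("commonName", "192.168.168.168"),),),
    "subjectAltName": (("IP Address", "192.168.168.168"),),
}
CORRECT_CERT = {        # issued for the address the box actually uses
    "subject": ((("commonName", "192.1.1.99"),),),
    "subjectAltName": (("IP Address", "192.1.1.99"),),
}

if __name__ == "__main__":
    target = "192.1.1.99"
    for cert in (DEFAULT_ADDR_CERT, CORRECT_CERT):
        verdict = "accept" if peer_identity_ok(cert, target) else "reject"
        print(f"{verdict}: {describe_mismatch(cert, target)}")
```

Run as a script it rejects the default-address certificate for a connection to 192.1.1.99 and accepts the one issued for that address.  The design point is that the decision is made by the code, not the user: a management client that asks "the names differ, continue?" has delegated its trust decision to whoever is sitting at the keyboard.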

Another way I logged in was with the use of an unprotected wireless router still plugged into the network.  With this, I performed the same tasks as mentioned above.

I hope this article has been beneficial.

By the time it's published I will have a website up on Yahoo! GeoCities that will have all the manuals for the system in PDF format for anyone to download.

This information is supposed to be confidential, but what is the fun in that?

I only have a few megs of storage on Geocities so I will include the most informative of the manuals, but I will also include a list of manuals that I have available and if you would like them just send me an email and I will send them to you.

Hey Everyone,

I was recently contacted by a SonicWALL employee regarding my article in the Autumn 2600 issue.  He claimed that my article was a hoax, which it was not.  I responded to him by stating that I would do anything I could to help them out, after which I re-ran my test scenario.  With the new version of ViewPoint my article is no longer valid.  I wrote the article very early this year and I know there have been a few updates to the SonicWALL package that we currently possess, so my article is no longer valid.  I have also been asked to remove the manuals from my site and point everyone to the SonicWALL site, which is fine because that is where I got them anyway.  I am not totally sure of the version of ViewPoint that I had at the time of my writing, and I relayed this information on to the SonicWALL employee.  Sorry for any inconvenience this may have caused.  I am also going to be pulling my name out of the hat for NOTACON as well.  It doesn't make a whole lot of sense to talk about something that isn't valid any longer.

Till next time.

Kn1ghtl0rd