Authentication Bypass in SonicWall SonicOS SSLVPN
CVE-2024-53704 is an improper authentication vulnerability in the SonicWall SonicOS SSLVPN authentication mechanism. Affected SonicOS versions include 7.1.x through 7.1.1-7058, 7.1.2-7019, and 8.0.0-8035. Public reporting and reverse-engineering analysis indicate the flaw is in SSLVPN session handling and cookie processing, where crafted Base64-encoded session cookie data containing null bytes can trigger incorrect session validation. Bishop Fox reported the vulnerable logic in the SSLVPN flow associated with /cgi-bin/sslvpnclient and identified the swap cookie as the practical injection point. Successful exploitation allows a remote, unauthenticated attacker to bypass authentication by attaching to an existing active SSLVPN session rather than establishing a legitimate new authenticated session.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository purpose: a Python-based SonicWall “Security Audit Toolkit” plus a Docker CTF-style lab that simulates and (in solutions) exploits two critical SonicWall CVEs.
Top-level structure:
- sonicwall_audit.py: main orchestrator CLI that runs modules (ssl, cve, auth, web) against a target https://<host>:<port> and writes JSON/text reports to reports/.
- validate_cves.py: standalone deep validators for CVE-2021-20038 and CVE-2024-53704 using non-destructive behavioral checks.
- modules/: implementation of auditors/validators and report generation.
- lab/: docker-compose lab with two containers:
  - cve-2021-20038: Apache + deliberately vulnerable 32-bit CGI binary /usr/lib/cgi-bin/sslvpnclient (and symlinks portal/welcome/etc). Protections disabled (no canary, execstack, no PIE, ASLR disabled in entrypoint) to make stack overflow exploitation feasible.
  - cve-2024-53704: Flask/Gunicorn SSLVPN simulator on 4433 with vulnerable swap cookie deserialization (conditional HMAC verification).
- lab/exploits/: skeleton exploit templates (incomplete).
- lab/solutions/: working exploits.
Exploit capabilities present:
1) CVE-2024-53704 (auth bypass via cookie forgery): the working exploit forges a base64-encoded JSON session cookie named swap with {username, authenticated:true} and omits sig_version so the server skips HMAC verification. It then accesses /virtual-office/ and /dashboard to retrieve the flag.
2) CVE-2021-20038 (stack buffer overflow -> RCE): the working exploit crafts a URL-encoded query string payload to overflow a 4096-byte stack buffer in the CGI handler (strcpy of QUERY_STRING). The payload includes a NOP sled, null-free 32-bit x86 Linux shellcode that runs /bin//sh -c "cat /root/flag.txt", padding to offset 4100, and an attacker-chosen return address into the sled. Output is returned in the HTTP response body.
Important distinction: the main toolkit modules and CVE validators are primarily scanners/validators and explicitly avoid destructive exploitation; the actual exploitation code is confined to the lab solution scripts intended for the local practice environment.
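The conditional-verification defect that the lab description above attributes to its CVE-2024-53704 simulator, shown beside a hardened verifier, as an added example that is not code from the lab, from any of the repositories listed here, or from SonicOS. The cookie layout (base64 over a JSON object with username, authenticated, sig_version and sig), the key and the HMAC construction are assumptions for the demonstration; the hardened version also rejects embedded NUL bytes, the malformed input the CVE summary above singles out.

```python
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key"  # demo only; a real server keeps this out of source


def encode_cookie(fields: dict) -> str:  # base64 over JSON (assumed cookie layout)
    return base64.b64encode(json.dumps(fields).encode()).decode()


def _expected_sig(username: str, authenticated: bool) -> str:
    """HMAC-SHA256 over a canonical encoding of the fields that grant access."""
    msg = json.dumps({"username": username, "authenticated": authenticated}, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def mint_cookie(username: str) -> str:
    """Server-side issuance: the cookie carries sig_version and the HMAC in sig."""
    body = {"username": username, "authenticated": True, "sig_version": 1}
    body["sig"] = _expected_sig(username, True)
    return encode_cookie(body)


def verify_vulnerable(cookie: str):
    """Conditional check as the lab description puts it: HMAC verified only if sig_version is present."""
    try:
        data = json.loads(base64.b64decode(cookie))
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    if "sig_version" in data and data.get("sig") != _expected_sig(
            str(data.get("username", "")), bool(data.get("authenticated"))):
        return None  # the signature is only consulted when the client asks for it
    return data.get("username") if data.get("authenticated") is True else None


def verify_hardened(cookie: str):
    """Unconditional, constant-time verification; anything malformed never authenticates."""
    try:
        raw = base64.b64decode(cookie, validate=True)  # strict alphabet and padding
        data = json.loads(raw) if b"\x00" not in raw else None  # embedded NULs never valid
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    username, authed, sig = data.get("username"), data.get("authenticated"), data.get("sig")
    if not (isinstance(username, str) and authed is True and isinstance(sig, str)):
        return None
    if not hmac.compare_digest(sig, _expected_sig(username, True)):
        return None
    return username
```

The point of the hardened form is that whether a signature is checked is never decided by a field the client controls; the check always runs, and any parse failure yields "not authenticated" rather than a partially trusted object.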
Repository contains a single Ruby proof-of-concept script (CVE-2024-53704.rb) that targets CVE-2024-53704 by brute-forcing/leaking valid session cookies via a network-accessible API oracle.
Key behavior:
- Connects to a target IP and port (default 4433) using a raw TCP socket; wraps the socket in TLS for ports 443 and 4433 with certificate verification disabled.
- Sends repeated GET requests to /__api__/v1/client/sessionstatus?cookie=... and interprets responses: if the response includes 'notfound' the candidate is rejected; otherwise it is treated as a possible valid cookie/prefix.
- Cookie construction: builds a 32-byte raw cookie where the last byte is a checksum computed as XOR of all bytes, then base64-encodes the 32-byte value (expected length 44 chars). The brute-force iterates lowercase letters a-z for each position, pads remaining bytes with NULs, and recurses until a full 31-character prefix is found (final byte is checksum).
Capabilities/impact:
- Enables discovery of valid session cookies (session ID leakage), which could facilitate session hijacking depending on the target application’s session handling.
Structure:
- Helper functions: send_http_data (minimal HTTP response reader honoring Content-Length), calc_checksum (XOR checksum), get_sessionstatus (request builder/sender), brute_cookies (recursive brute-force), hax (driver).
- CLI options: -t target IP (required; note option name typo '--taget'), -p port, -v verbose (prints partial candidates).
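A detection-side counterpart to the oracle behavior described above, added here as an example and not part of the Ruby proof-of-concept or of this page: it scans access-log lines for the session-status endpoint and flags a source that submits many distinct cookie candidates or any 44-character value decoding to 32 bytes with NUL padding, the shape of the brute-force candidates. The log lines are constructed, the common-log-style format is assumed, and so is the premise that legitimate tokens are never NUL-padded.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

ORACLE_PATH = "/__api__/v1/client/sessionstatus"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample: 198.51.100.7 submits base64 of b"ab"/b"ac"/b"ad" plus NUL padding and
# a trailing byte (32 bytes each); 203.0.113.9 checks one ordinary 32-byte token (b"a" * 32).
SAMPLE_LOG = "\n".join(
    f'{ip} - - [10/Feb/2025:10:00:{sec:02d} +0000] "GET {target} HTTP/1.1" 200 8'
    for ip, sec, target in [
        ("198.51.100.7", 1, f"{ORACLE_PATH}?cookie=YWI{'A' * 39}M="),
        ("198.51.100.7", 1, f"{ORACLE_PATH}?cookie=YWM{'A' * 39}I="),
        ("198.51.100.7", 2, f"{ORACLE_PATH}?cookie=YWQ{'A' * 39}U="),
        ("203.0.113.9", 5, f"{ORACLE_PATH}?cookie={'YWFh' * 10}YWE="),
        ("203.0.113.9", 6, "/cgi-bin/sslvpnclient"),
    ])


def looks_nul_padded(cookie: str) -> bool:
    """True when the value decodes to 32 bytes containing NULs (assumed never legitimate)."""
    try:
        raw = base64.b64decode(cookie, validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
        return False
    return len(raw) == 32 and b"\x00" in raw


def analyze(log_text: str, probe_threshold: int = 3) -> dict:
    """Per-source summary of oracle requests; alert on any NUL-padded cookie or many distinct ones."""
    seen = defaultdict(lambda: {"probes": 0, "cookies": set(), "nul_padded": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path != ORACLE_PATH:
            continue
        cookie = parse_qs(url.query).get("cookie", [""])[0]
        s = seen[ip]
        s["probes"] += 1
        s["cookies"].add(cookie)
        s["nul_padded"] += looks_nul_padded(cookie)
    return {ip: {"probes": s["probes"], "distinct": len(s["cookies"]),
                 "nul_padded": s["nul_padded"],
                 "alert": s["nul_padded"] > 0 or len(s["cookies"]) >= probe_threshold}
            for ip, s in seen.items()}
```

Because the script sends one request per candidate character, the distinct-cookie count per source is the stronger signal on real logs; the NUL check only confirms the padding pattern.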
This repository is a proof-of-concept exploit for CVE-2024-53704, targeting Dell SonicWALL NetExtender VPN servers. The exploit consists of a Python package ('nxbender') and a main script (CVE-2024-53704.py or nxbender/__init__.py) that allows an attacker to establish a VPN session by providing a valid or stolen 'swap' cookie, bypassing the normal authentication process. The code handles the full VPN connection process: it sets up the session, negotiates the tunnel, and configures network routes on the attacker's machine. The exploit interacts with the NetExtender server over HTTPS (default port 4433) and uses PPP over SSL to establish the tunnel. The repository is structured as a Python package with modules for session management, PPP handling, and SSL connections. The README provides detailed usage instructions, configuration options, and security warnings. No hardcoded credentials or IPs are present; the attacker must supply the target server and swap cookie. The exploit is operational but requires attacker-supplied credentials and root privileges for full functionality.
Recent activity
17 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical vulnerability affecting SonicWall SonicOS/SSL VPN attack surface; highlighted as high-severity (CVSS 9.8) and included in CISA KEV, implying real-world exploitation risk.
A critical SonicWall SonicOS vulnerability (CVSS 9.8) listed in CISA KEV; highlighted as a priority to patch to prevent reconnaissance converting into exploitation. The content references it in the context of SonicWall SSL VPN targeting and notes specific vulnerable SonicOS version thresholds.
A known vulnerability affecting SonicWall SSL VPN authentication that was exploited as an initial access vector in Sinobi ransomware intrusions.
A SonicWall vulnerability that CISA KEV’s knownRansomwareCampaignUse field silently flipped to Known during 2025 (evidence of ransomware campaign use).