lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40D39916.2070101@sympatico.ca>
Date: Fri, 18 Jun 2004 18:38:30 -0700
From: c3rb3r <c3rb3r@...patico.ca>
To: bugtraq@...urityfocus.com
Subject: Script injection in DNSONE appliance


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
TITLE: Security flaw in DNSONE appliance (http://www.infoblox.com)

TYPE: Script injection over DHCP

QUOTE from INFOBLOX:

DNS One appliances are designed to provide the foundation for
next-generation network identity services
in a secure and easy-to-manage form factor.
The hardened appliance design and intuitive graphical user interface
(GUI) simplify the application and
administration of DNS and DHCP (Dynamic Host Configuration Protocol)
in the network - whether the problem
is protecting external name services, rapidly building out secondary
or caching name servers,
or provisioning branch offices cost-effectively.

DETAILS:

The vulnerability relies in a lack of filtering of two DHCP options,
HOSTNAME and CLIENTID.
These options are used for several purposes like ddns updates, dhcp
lease identification, ...
but are also displayed AS IS in the on-demand reports generated from
the web-based management front-end
allowing script injection in the administrator browser by, for
instance, carrefully crafting and sending a dhcp REQUEST carrying
a malicious HOSTNAME option made of html/javascript scripting designed
to fool the site administrator
while viewing the reports.

Scripting sent in such a way will be executed on behalf of the unaware
administrator and may lead to the complete compromising of the
appliance with full access
to the administrative GUI.
For instance, one can inject a script designed to show a fake relogin
page made of the
DNSONE logo, asking the administrator to relogin for some
reasons like a session timeout, afterwhat login and password are sent
to a specific location known by the attacker.
Also if an administrator was to put the appliance in his browser's list of
trusted hosts, other scenarios involving the administrator workstation
would be possible too.

The underlying problem is the lack of filtering of data supplied by a
user and passed over DHCP up to the appliance.
This can easily be fixed by correctly escaping all user-supplied
html/script meta-characters


To successfuly exploit this flaw, one must send a valid DHCP REQUEST
packet
along with the offending CLIENT ID and/or HOSTNAME options,
afterwhat the attacker can even conveniently consult the dhcp report
from the appliance https interface (if no web access list has been
configured though) in order to check
if the administrator has already consulted the 3vil report.


INFOBLOX has been contacted by May 28th in regard to this issue and
has made a new firmware available to fix it.


VULNERABLE:

firmwares up to 2.4.0-8 (old hardware)
~                        2.4.0-8A (new hardware)


FIX:

firmware 2.4.0-9 (old hardware)
~              2.4.0-9A (new hardware)


AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iD8DBQFA05kW9K2fGbOmSdYRAo/+AJ0QMi3+z2aOWVe1CBe3HJauOelzmQCgjX1m
3th3Tm0IQJDNIqTvra6QS5I=
=WSwb
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ