Posted Jun 22, 2004
Authored by Gregory Duchemin

It has been reported that a vulnerability exists in DNS One, potentially allowing malicious people to conduct script insertion attacks. The problem is that input supplied to the HOSTNAME and CLIENTID parameters in a valid DHCP request is logged unfiltered, allowing arbitrary HTML and script code to be embedded. Successful exploitation allows code execution in an administrative user's browser in the context of the affected site when the report / log is viewed. Reportedly, firmware versions 2.4.0-8, 2.4.0-8A and prior are affected.

tags | advisory, arbitrary, code execution
SHA-256 | 834a3a0d683b2f180754f7d96f8cbc06c96db82fa7ecf2da5fe00ff2985869ab



TITLE: Security flaw in DNSONE appliance (http://www.infoblox.com)

TYPE: Script injection over DHCP


DNS One appliances are designed to provide the foundation for next-generation network identity services in a secure and easy-to-manage form factor. The hardened appliance design and intuitive graphical user interface (GUI) simplify the application and administration of DNS and DHCP (Dynamic Host Configuration Protocol) in the network - whether the problem is protecting external name services, rapidly building out secondary or caching name servers, or provisioning branch offices cost-effectively.


The vulnerability lies in a lack of filtering of two DHCP options. These options are used for several purposes, such as DDNS updates and DHCP lease identification, but are also displayed as is in the on-demand reports generated from the web-based management front-end. This allows script injection in the administrator's browser by, for instance, carefully crafting and sending a DHCP REQUEST carrying a malicious HOSTNAME option made of HTML/JavaScript designed to fool the site administrator while viewing the reports.

Scripting sent in this way will be executed on behalf of the unaware administrator and may lead to complete compromise of the appliance, with full access to the administrative GUI. For instance, one can inject a script designed to show a fake relogin page bearing the DNSONE logo, asking the administrator to log in again for some reason such as a session timeout, after which the login and password are sent to a specific location known to the attacker. Also, if an administrator were to put the appliance in his browser's list of trusted hosts, other scenarios involving the administrator's workstation would be possible too.

The underlying problem is the lack of filtering of data supplied by a user and passed over DHCP up to the appliance. This can easily be fixed by correctly escaping all user-supplied HTML/script meta-characters.
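
The fix described above, escaping the client-supplied values at the point where the report is generated, shown as an added example that is not part of the advisory and is not Infoblox code. It parses a DHCP options field, extracts the Host Name (12) and Client-identifier (61) options, and HTML-escapes them before building a report row; the function names, the row layout and the sample bytes are assumptions constructed for illustration.

```python
import html

OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME = 12    # RFC 2132 Host Name option
OPT_CLIENT_ID = 61   # RFC 2132 Client-identifier option

def parse_dhcp_options(data):
    """Walk the code/length/value options that follow the DHCP magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def display_text(raw):
    """Decode client bytes for display; non-printable bytes become \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)

def render_lease_row(options):
    """Build one report row (hypothetical layout), escaping both
    client-controlled fields so markup is shown as text, not interpreted."""
    host = html.escape(display_text(options.get(OPT_HOSTNAME, b"")), quote=True)
    cid = html.escape(display_text(options.get(OPT_CLIENT_ID, b"")), quote=True)
    return f"<tr><td>{host}</td><td>{cid}</td></tr>"

# Constructed sample options: message type 53 = REQUEST (3), then a Host Name
# and a Client-identifier that both contain HTML meta-characters.
SAMPLE = (bytes([53, 1, 3])
          + bytes([OPT_HOSTNAME, 12]) + b"<b>lab01</b>"
          + bytes([OPT_CLIENT_ID, 8, 0]) + b'id"&<x>'
          + bytes([OPT_END]))

if __name__ == "__main__":
    print(render_lease_row(parse_dhcp_options(SAMPLE)))
```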

To successfully exploit this flaw, one must send a valid DHCP REQUEST along with the offending CLIENT ID and/or HOSTNAME options, after which the attacker can even conveniently consult the DHCP report from the appliance's https interface (provided no web access list has been configured) in order to check whether the administrator has already consulted the 3vil report.

INFOBLOX was contacted on May 28th regarding this issue and has made new firmware available to fix it.


firmwares up to 2.4.0-8 (old hardware)
~ 2.4.0-8A (new hardware)


firmware 2.4.0-9 (old hardware)
~ 2.4.0-9A (new hardware)

AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)

