
dnsone.txt

Posted Jun 22, 2004
Authored by Gregory Duchemin

It has been reported that a vulnerability exists in DNS One, potentially allowing malicious people to conduct script insertion attacks. The problem is that input supplied to the HOSTNAME and CLIENTID parameters in a valid DHCP request is logged unfiltered, allowing arbitrary HTML and script code to be embedded. Successful exploitation allows code execution in an administrative user's browser in the context of the affected site when the report / log is viewed. Reportedly, firmware versions 2.4.0-8 and 2.4.0-8A and prior are affected.

tags | advisory, arbitrary, code execution
SHA-256 | 834a3a0d683b2f180754f7d96f8cbc06c96db82fa7ecf2da5fe00ff2985869ab

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TITLE: Security flaw in DNSONE appliance (http://www.infoblox.com)

TYPE: Script injection over DHCP

QUOTE from INFOBLOX:

DNS One appliances are designed to provide the foundation for
next-generation network identity services
in a secure and easy-to-manage form factor.
The hardened appliance design and intuitive graphical user interface
(GUI) simplify the application and
administration of DNS and DHCP (Dynamic Host Configuration Protocol)
in the network - whether the problem
is protecting external name services, rapidly building out secondary
or caching name servers,
or provisioning branch offices cost-effectively.

DETAILS:

The vulnerability lies in a lack of filtering of two DHCP options,
HOSTNAME and CLIENTID.
These options are used for several purposes like ddns updates, dhcp
lease identification, ...
but are also displayed AS IS in the on-demand reports generated from
the web-based management front-end,
allowing script injection in the administrator's browser by, for
instance, carefully crafting and sending a dhcp REQUEST carrying
a malicious HOSTNAME option made of html/javascript scripting designed
to fool the site administrator
while viewing the reports.

Scripting sent in such a way will be executed on behalf of the unaware
administrator and may lead to the complete compromise of the
appliance with full access
to the administrative GUI.
For instance, one can inject a script designed to show a fake relogin
page made of the
DNSONE logo, asking the administrator to relogin for some
reason like a session timeout, after which login and password are sent
to a specific location known by the attacker.
Also, if an administrator was to put the appliance in his browser's list of
trusted hosts, other scenarios involving the administrator's workstation
would be possible too.

The underlying problem is the lack of filtering of data supplied by a
user and passed over DHCP up to the appliance.
This can easily be fixed by correctly escaping all user-supplied
html/script meta-characters.


To successfully exploit this flaw, one must send a valid DHCP REQUEST
packet
along with the offending CLIENT ID and/or HOSTNAME options,
after which the attacker can even conveniently consult the dhcp report
from the appliance https interface (provided no web access list has been
configured) in order to check
if the administrator has already consulted the 3vil report.


INFOBLOX has been contacted by May 28th in regard to this issue and
has made a new firmware available to fix it.


VULNERABLE:

firmwares up to 2.4.0-8 (old hardware)
~ 2.4.0-8A (new hardware)


FIX:

firmware 2.4.0-9 (old hardware)
~ 2.4.0-9A (new hardware)


AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA05kW9K2fGbOmSdYRAo/+AJ0QMi3+z2aOWVe1CBe3HJauOelzmQCgjX1m
3th3Tm0IQJDNIqTvra6QS5I=
=WSwb
-----END PGP SIGNATURE-----
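
The fix named in the advisory (escaping user-supplied HTML meta-characters before HOSTNAME and CLIENTID reach the report) looks like the following on the report-rendering side. This is an added example, not Infoblox's code or the author's; the function names, the hex rendering of the client ID and the hostname allow-list are assumptions, and the sample packet options are constructed.

```python
import html
import re

# DHCP option codes (RFC 2132): 12 = Host Name, 61 = Client Identifier.
OPT_PAD, OPT_HOSTNAME, OPT_CLIENTID, OPT_END = 0, 12, 61, 255

# Assumed allow-list: letters, digits, dots and hyphens only.
SAFE_HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")

def parse_options(raw: bytes) -> dict:
    """Walk the code/length/value option list of a DHCP packet."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option header")
        length = raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def report_row(raw_options: bytes) -> tuple:
    """Return (html_row, suspicious) for one lease in the report."""
    opts = parse_options(raw_options)
    hostname = opts.get(OPT_HOSTNAME, b"").decode("latin-1")
    # Client IDs are binary, so render them as hex instead of as text.
    client_id = opts.get(OPT_CLIENTID, b"").hex(":")
    # Flag anything outside the allow-list so it can be reviewed or alerted on.
    suspicious = bool(hostname) and not SAFE_HOSTNAME.fullmatch(hostname)
    # Escape at output time: markup in the option is shown, never interpreted.
    row = "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(hostname, quote=True), html.escape(client_id, quote=True))
    return row, suspicious

# Constructed sample: option 12 carrying markup, option 61 = type 1 + MAC.
SAMPLE = (bytes([12, 15]) + b"<i>lab-host</i>"
          + bytes([61, 7, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55]) + bytes([255]))
```

Escaping happens where the value is written into HTML, so the stored lease data stays intact for DDNS and lease identification while the report shows the markup as inert text.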