-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 TITLE: Security flaw in DNSONE appliance (http://www.infoblox.com) TYPE: Script injection over DHCP QUOTE from INFOBLOX: DNS One appliances are designed to provide the foundation for next-generation network identity services in a secure and easy-to-manage form factor. The hardened appliance design and intuitive graphical user interface (GUI) simplify the application and administration of DNS and DHCP (Dynamic Host Configuration Protocol) in the network - whether the problem is protecting external name services, rapidly building out secondary or caching name servers, or provisioning branch offices cost-effectively. DETAILS: The vulnerability relies in a lack of filtering of two DHCP options, HOSTNAME and CLIENTID. These options are used for several purposes like ddns updates, dhcp lease identification, ... but are also displayed AS IS in the on-demand reports generated from the web-based management front-end allowing script injection in the administrator browser by, for instance, carrefully crafting and sending a dhcp REQUEST carrying a malicious HOSTNAME option made of html/javascript scripting designed to fool the site administrator while viewing the reports. Scripting sent in such a way will be executed on behalf of the unaware administrator and may lead to the complete compromising of the appliance with full access to the administrative GUI. For instance, one can inject a script designed to show a fake relogin page made of the DNSONE logo, asking the administrator to relogin for some reasons like a session timeout, afterwhat login and password are sent to a specific location known by the attacker. Also if an administrator was to put the appliance in his browser's list of trusted hosts, other scenarios involving the administrator workstation would be possible too. The underlying problem is the lack of filtering of data supplied by a user and passed over DHCP up to the appliance. This can easily be fixed by correctly escaping all user-supplied html/script meta-characters To successfuly exploit this flaw, one must send a valid DHCP REQUEST packet along with the offending CLIENT ID and/or HOSTNAME options, afterwhat the attacker can even conveniently consult the dhcp report from the appliance https interface (if no web access list has been configured though) in order to check if the administrator has already consulted the 3vil report. INFOBLOX has been contacted by May 28th in regard to this issue and has made a new firmware available to fix it. VULNERABLE: firmwares up to 2.4.0-8 (old hardware) ~ 2.4.0-8A (new hardware) FIX: firmware 2.4.0-9 (old hardware) ~ 2.4.0-9A (new hardware) AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFA05kW9K2fGbOmSdYRAo/+AJ0QMi3+z2aOWVe1CBe3HJauOelzmQCgjX1m 3th3Tm0IQJDNIqTvra6QS5I= =WSwb -----END PGP SIGNATURE-----