Script injection in DNSONE appliance

[c3rb3r <c3rb3r () sympatico ca>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TITLE: Security flaw in DNSONE appliance (http://www.infoblox.com)

TYPE: Script injection over DHCP

QUOTE from INFOBLOX:

DNS One appliances are designed to provide the foundation for
next-generation network identity services
in a secure and easy-to-manage form factor.
The hardened appliance design and intuitive graphical user interface
(GUI) simplify the application and
administration of DNS and DHCP (Dynamic Host Configuration Protocol)
in the network - whether the problem
is protecting external name services, rapidly building out secondary
or caching name servers,
or provisioning branch offices cost-effectively.

DETAILS:

The vulnerability relies in a lack of filtering of two DHCP options,
HOSTNAME and CLIENTID.
These options are used for several purposes like ddns updates, dhcp
lease identification, ...
but are also displayed AS IS in the on-demand reports generated from
the web-based management front-end
allowing script injection in the administrator browser by, for
instance, carrefully crafting and sending a dhcp REQUEST carrying
a malicious HOSTNAME option made of html/javascript scripting designed
to fool the site administrator
while viewing the reports.

Scripting sent in such a way will be executed on behalf of the unaware
administrator and may lead to the complete compromising of the
appliance with full access
to the administrative GUI.
For instance, one can inject a script designed to show a fake relogin
page made of the
DNSONE logo, asking the administrator to relogin for some
reasons like a session timeout, afterwhat login and password are sent
to a specific location known by the attacker.
Also if an administrator was to put the appliance in his browser's list of
trusted hosts, other scenarios involving the administrator workstation
would be possible too.

The underlying problem is the lack of filtering of data supplied by a
user and passed over DHCP up to the appliance.
This can easily be fixed by correctly escaping all user-supplied
html/script meta-characters


To successfuly exploit this flaw, one must send a valid DHCP REQUEST
packet
along with the offending CLIENT ID and/or HOSTNAME options,
afterwhat the attacker can even conveniently consult the dhcp report
from the appliance https interface (if no web access list has been
configured though) in order to check
if the administrator has already consulted the 3vil report.


INFOBLOX has been contacted by May 28th in regard to this issue and
has made a new firmware available to fix it.


VULNERABLE:

firmwares up to 2.4.0-8 (old hardware)
~                        2.4.0-8A (new hardware)


FIX:

firmware 2.4.0-9 (old hardware)
~              2.4.0-9A (new hardware)


AUTHOR: Gregory Duchemin (c3rb3r at sympatico.ca)



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA05kW9K2fGbOmSdYRAo/+AJ0QMi3+z2aOWVe1CBe3HJauOelzmQCgjX1m
3th3Tm0IQJDNIqTvra6QS5I=
=WSwb
-----END PGP SIGNATURE-----