Vulnerability Development mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service

From: "JNJ" <jnj () pobox com>
Date: Sat, 18 May 2002 17:16:23 -0400
I am not in the practice of posting exploits to publically accessible lists
nor do I share them with the irresponsible.

James

----- Original Message -----
From: "E M" <rdnktrk () hotmail com>
To: <jnj () pobox com>; <bugtraq () securityfocus com>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, May 17, 2002 10:31 PM
Subject: Re: Sonicwall SOHO Content Blocking Script Injection, LogFile
Denial of Service



Yes Sonicwall was contacted. I am working with them to resolve this issue.


Although you so determinedly state this is exploitable internally >only,

it

presents not only a busy-work issue for admins but obviously >CAN be
reworked to an externally initiated instance by anyone with a >modicum of
development knowledge.


True, no argument here, but any way you look at it, the issue involves
people on the LAN interface instigating the problem, if you can show how
this can be done on the WAN interface without LAN interaction, I'd love to
see it.

Eric M.



From: "JNJ" <jnj () pobox com>
To: <bugtraq () securityfocus com>
CC: <vuln-dev () securityfocus com>
Subject: Re: Sonicwall SOHO Content Blocking Script Injection, LogFile
Denial of Service
Date: Fri, 17 May 2002 14:25:34 -0400

And did you by chance contact the Sonicwall Corporation prior to

publishing

this issue or did you simply rush to publish?  Although you so

determinedly

state this is exploitable internally only, it presents not only a

busy-work

issue for admins but obviously CAN be reworked to an externally initiated
instance by anyone with a modicum of development knowledge.

James

----- Original Message -----
From: "E M" <rdnktrk () hotmail com>
To: <bugtraq () securityfocus com>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, May 17, 2002 11:55 AM
Subject: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial
of
Service



This advisory may be reproduced unmodified.

Sonicwall SOHO Content Blocking Script Injection and Logfile DoS

Test Unit :
Sonicwall SOHO3
Firmware version: 6.3.0.0
ROM version: 5.0.1.0

Severity : Medium

Issue :
Sonicwall Allows administrators to block websites based on a user

entered

list of domains. These websites are blocked whenever they accessed by
clients on the LAN interface.

By passing a blocked URL injected script the attacker may execute

scripts

automatically when the logfile is viewed.

The below example uses a commonly blocked ad server, please note this

must

be in your blocked sites list and that any site that is blocked will

work

fine.




bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadware

h

ouse.com";</SCRIPT>


This will be injected into the logfile, when an Admin attempts to view

the

log files they will be automatically redirected to the site of your

choice.


Note that any <SCRIPT> is executed, for the example I show redirection

as
a

means of Denial of Service.

Resolution :
Only after rebooting the unit will you gain access to the logfiles,

the

log

is cleared on each reboot, thus you will be unable to locate the user

on

the

LAN segment who initiated the attack.


Mitigating Factors :
This attack must come from the Lan interface, which means that it is

not

remotely exploitable, this conclusion may be false but will be tested
further.


Author :
Eric McCarty
rdnktrk () hotmail com




_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com







_________________________________________________________________
Get your FREE download of MSN Explorer at

http://explorer.msn.com/intl.asp.
Previous By Date Next
Previous By Thread Next

Current thread: