Re: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service

From: JNJ (jnjat_private)
Date: Fri May 17 2002 - 11:25:34 PDT

Next message: tech : "RE: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service"

Previous message: frog frog: "Security holes : mcNews"
In reply to: E M: "Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

And did you by chance contact the Sonicwall Corporation prior to publishing
this issue or did you simply rush to publish?  Although you so determinedly
state this is exploitable internally only, it presents not only a busy-work
issue for admins but obviously CAN be reworked to an externally initiated
instance by anyone with a modicum of development knowledge.

James

----- Original Message -----
From: "E M" <rdnktrkat_private>
To: <bugtraqat_private>
Cc: <vuln-devat_private>
Sent: Friday, May 17, 2002 11:55 AM
Subject: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of
Service


> This advisory may be reproduced unmodified.
>
> Sonicwall SOHO Content Blocking Script Injection and Logfile DoS
>
> Test Unit :
> Sonicwall SOHO3
> Firmware version: 6.3.0.0
> ROM version: 5.0.1.0
>
> Severity : Medium
>
> Issue :
> Sonicwall Allows administrators to block websites based on a user entered
> list of domains. These websites are blocked whenever they accessed by
> clients on the LAN interface.
>
> By passing a blocked URL injected script the attacker may execute scripts
> automatically when the logfile is viewed.
>
> The below example uses a commonly blocked ad server, please note this must
> be in your blocked sites list and that any site that is blocked will work
> fine.
>
>
bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadwareh
ouse.com";</SCRIPT>
>
> This will be injected into the logfile, when an Admin attempts to view the
> log files they will be automatically redirected to the site of your
choice.
>
> Note that any <SCRIPT> is executed, for the example I show redirection as
a
> means of Denial of Service.
>
> Resolution :
> Only after rebooting the unit will you gain access to the logfiles, the
log
> is cleared on each reboot, thus you will be unable to locate the user on
the
> LAN segment who initiated the attack.
>
>
> Mitigating Factors :
> This attack must come from the Lan interface, which means that it is not
> remotely exploitable, this conclusion may be false but will be tested
> further.
>
>
> Author :
> Eric McCarty
> rdnktrkat_private
>
>
>
>
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com
>

Next message: tech : "RE: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service"
Previous message: frog frog: "Security holes : mcNews"
In reply to: E M: "Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri May 17 2002 - 15:22:33 PDT