RE: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service

From: tech (techat_private)
Date: Fri May 17 2002 - 13:46:12 PDT


    In this case, if the user was sending his/her logs to a syslog server, the
    entries would be preserved when the SonicWALL is rebooted.  So the
    administrator would be able to see which user initiated the "script".
    The other thing is that any "decent" network administrator would examine
    a link before clicking on it to find out why it was blocked ... so the
    locally triggered "script" is not a real threat.  A lot of security
    administrators will have a separate ISP line to test these
    "questionable" links and therefore not endanger the rest of the site
    while doing log analysis.
    
    -----Original Message-----
    From: E M [mailto:rdnktrkat_private] 
    Sent: Friday, May 17, 2002 11:56 AM
    To: bugtraqat_private
    Cc: vuln-devat_private
    Subject: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service
    
    This advisory may be reproduced unmodified.
    
    Sonicwall SOHO Content Blocking Script Injection and Logfile DoS
    
    Test Unit :
    Sonicwall SOHO3
    Firmware version: 6.3.0.0
    ROM version: 5.0.1.0
    
    Severity : Medium
    
    Issue :
    Sonicwall allows administrators to block websites based on a user-entered
    list of domains. These websites are blocked whenever they are accessed by
    clients on the LAN interface.
    
    By passing a blocked URL with an injected script, the attacker may execute
    scripts automatically when the logfile is viewed.
    
    The below example uses a commonly blocked ad server; please note this
    must be in your blocked sites list and that any site that is blocked will
    work fine.
    
    bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadwarehouse.com";</SCRIPT>
    
    This will be injected into the logfile; when an Admin attempts to view
    the log files they will be automatically redirected to the site of your
    choice.
    
    Note that any <SCRIPT> is executed; for the example I show redirection
    as a means of Denial of Service.
    
    Resolution :
    Only after rebooting the unit will you gain access to the logfiles; the
    log is cleared on each reboot, thus you will be unable to locate the user
    on the LAN segment who initiated the attack.
    
    
    Mitigating Factors :
    This attack must come from the LAN interface, which means that it is not
    remotely exploitable; this conclusion may be false but will be tested
    further.
    
    
    Author :
    Eric McCarty
    rdnktrkat_private
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri May 17 2002 - 15:45:05 PDT