Well, keep in mind the VX enterprise unit has the same problem, so in effect you could see a LAN with hundreds of users using this as their firewall.

Eric.

>From: "Darren W. MacDonald" <darrydooat_private>
>To: "'tech '" <techat_private>
>CC: <bugtraqat_private>, <vuln-devat_private>
>Subject: RE: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service
>Date: Fri, 17 May 2002 21:43:29 -0400
>
>But... it's a SOHO device... <scratch head>
>
>How many SOHO locations have *any* kind of admin, let alone a security admin who has set up syslogd? Or a second Internet connection?
>
>Cheers
>Darren W. MacDonald
>
>-----Original Message-----
>From: tech [mailto:techat_private]
>Sent: May 17, 2002 4:46 PM
>To: bugtraqat_private
>Cc: vuln-devat_private
>Subject: RE: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service
>
>In this case, if the user was sending his/her logs to a syslog server, the entries would be preserved when the SonicWALL is rebooted. So the administrator would be able to see which user initiated the "script". The other thing is that any "decent" network administrator would examine a link before clicking on it to find out why it was blocked ... so the locally triggered "script" is not a real threat. A lot of security administrators will have a separate ISP line to test these "questionable" links and therefore not endanger the rest of the site while doing log analysis.
>
>-----Original Message-----
>From: E M [mailto:rdnktrkat_private]
>Sent: Friday, May 17, 2002 11:56 AM
>To: bugtraqat_private
>Cc: vuln-devat_private
>Subject: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service
>
>This advisory may be reproduced unmodified.
>
>Sonicwall SOHO Content Blocking Script Injection and Logfile DoS
>
>Test Unit :
>Sonicwall SOHO3
>Firmware version: 6.3.0.0
>ROM version: 5.0.1.0
>
>Severity : Medium
>
>Issue :
>Sonicwall allows administrators to block websites based on a user entered list of domains. These websites are blocked whenever they are accessed by clients on the LAN interface.
>
>By passing a blocked URL with injected script, the attacker may execute scripts automatically when the logfile is viewed.
>
>The below example uses a commonly blocked ad server; please note this must be in your blocked sites list, and that any site that is blocked will work fine.
>
>bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadwarehouse.com";</SCRIPT>
>
>This will be injected into the logfile; when an Admin attempts to view the log files they will be automatically redirected to the site of your choice.
>
>Note that any <SCRIPT> is executed; for the example I show redirection as a means of Denial of Service.
>
>Resolution :
>Only after rebooting the unit will you gain access to the logfiles. The log is cleared on each reboot, thus you will be unable to locate the user on the LAN segment who initiated the attack.
>
>
>Mitigating Factors :
>This attack must come from the LAN interface, which means that it is not remotely exploitable. This conclusion may be false but will be tested further.
>
>
>Author :
>Eric McCarty
>rdnktrkat_private
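As an added example (not part of the advisory or of any reply in this thread), the defender's side of the two points raised above: once blocked-site entries survive on a syslog server, an administrator can both find which LAN host put markup into a blocked URL and view the log with every field HTML-escaped so the logged URL is displayed as text rather than executed. The log line layout, hostnames and addresses below are constructed assumptions, not SonicWALL's real syslog format.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample syslog lines in a hypothetical layout (assumption, not
# the real SonicWALL format): timestamp, firewall host, LAN source, blocked URL.
SAMPLE_SYSLOG = """\
May 17 11:52:03 fw1 firewall: blocked site src=192.168.1.23 url=bannerserver.gator.com/ads/banner.gif
May 17 11:53:10 fw1 firewall: blocked site src=192.168.1.45 url=bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadwarehouse.com";</SCRIPT>
May 17 11:54:41 fw1 firewall: blocked site src=192.168.1.23 url=bannerserver.gator.com/%3Cscript%3Ealert(1)%3C/script%3E
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ firewall: blocked site "
    r"src=(?P<src>\S+) url=(?P<url>.*)$"
)
# Markup that has no business in a hostname/path: an opening or closing tag,
# or a javascript: scheme. Checked after percent-decoding.
MARKUP_RE = re.compile(r"<\s*/?[a-z]|javascript:", re.IGNORECASE)


def parse_blocked_entries(text):
    """Parse the constructed syslog text into dicts with ts, src and url."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_markup_injections(entries):
    """Return (src, url) pairs whose blocked URL carries HTML markup.

    This is the attribution the advisory says is lost on reboot: with the
    entries preserved off-box, the originating LAN address is still visible.
    """
    return [(e["src"], e["url"]) for e in entries
            if MARKUP_RE.search(unquote(e["url"]))]


def render_log_html(entries):
    """Render entries as an HTML table with every field escaped.

    Escaping <, >, &, quotes turns the injected <SCRIPT> into inert text,
    which is the fix a log viewer needs regardless of what was logged.
    """
    rows = []
    for e in entries:
        cells = (html.escape(e["ts"]), html.escape(e["src"]),
                 html.escape(e["url"], quote=True))
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % cells)
    return "<table>\n" + "\n".join(rows) + "\n</table>"
```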
This archive was generated by hypermail 2b30 : Sat May 18 2002 - 14:56:57 PDT