I am not in the practice of posting exploits to publicly accessible lists nor do I share them with the irresponsible.

James

----- Original Message -----
From: "E M" <rdnktrkat_private>
To: <jnjat_private>; <bugtraqat_private>
Cc: <vuln-devat_private>
Sent: Friday, May 17, 2002 10:31 PM
Subject: Re: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service

> Yes Sonicwall was contacted. I am working with them to resolve this issue.
>
> >Although you so determinedly state this is exploitable internally only, it
> >presents not only a busy-work issue for admins but obviously CAN be
> >reworked to an externally initiated instance by anyone with a modicum of
> >development knowledge.
>
> True, no argument here, but any way you look at it, the issue involves
> people on the LAN interface instigating the problem. If you can show how
> this can be done on the WAN interface without LAN interaction, I'd love to
> see it.
>
> Eric M.
>
>
> >From: "JNJ" <jnjat_private>
> >To: <bugtraqat_private>
> >CC: <vuln-devat_private>
> >Subject: Re: Sonicwall SOHO Content Blocking Script Injection, LogFile
> >Denial of Service
> >Date: Fri, 17 May 2002 14:25:34 -0400
> >
> >And did you by chance contact the Sonicwall Corporation prior to publishing
> >this issue or did you simply rush to publish? Although you so determinedly
> >state this is exploitable internally only, it presents not only a busy-work
> >issue for admins but obviously CAN be reworked to an externally initiated
> >instance by anyone with a modicum of development knowledge.
> >
> >James
> >
> >----- Original Message -----
> >From: "E M" <rdnktrkat_private>
> >To: <bugtraqat_private>
> >Cc: <vuln-devat_private>
> >Sent: Friday, May 17, 2002 11:55 AM
> >Subject: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial
> >of Service
> >
> >
> > > This advisory may be reproduced unmodified.
> > >
> > > Sonicwall SOHO Content Blocking Script Injection and Logfile DoS
> > >
> > > Test Unit :
> > > Sonicwall SOHO3
> > > Firmware version: 6.3.0.0
> > > ROM version: 5.0.1.0
> > >
> > > Severity : Medium
> > >
> > > Issue :
> > > Sonicwall allows administrators to block websites based on a user-entered
> > > list of domains. These websites are blocked whenever they are accessed by
> > > clients on the LAN interface.
> > >
> > > By passing a blocked URL with an injected script, the attacker may execute
> > > scripts automatically when the logfile is viewed.
> > >
> > > The below example uses a commonly blocked ad server. Please note this must
> > > be in your blocked sites list, and that any site that is blocked will work
> > > fine.
> > >
> > > bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadwarehouse.com";</SCRIPT>
> > >
> > > This will be injected into the logfile. When an Admin attempts to view the
> > > log files they will be automatically redirected to the site of your choice.
> > >
> > > Note that any <SCRIPT> is executed; for the example I show redirection as
> > > a means of Denial of Service.
> > >
> > > Resolution :
> > > Only after rebooting the unit will you gain access to the logfiles. The log
> > > is cleared on each reboot, thus you will be unable to locate the user on the
> > > LAN segment who initiated the attack.
> > >
> > >
> > > Mitigating Factors :
> > > This attack must come from the LAN interface, which means that it is not
> > > remotely exploitable. This conclusion may be false but will be tested
> > > further.
> > >
> > >
> > > Author :
> > > Eric McCarty
> > > rdnktrkat_private
> > >
> > >
> > >
> > > _________________________________________________________________
> > > Send and receive Hotmail on your mobile device: http://mobile.msn.com
> > >
> >
> >
>
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
>
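The advisory quoted above describes a stored script injection: untrusted input (the path of a blocked URL) is written to the unit's log and later rendered, unescaped, in the administrator's browser. The Python below is an added illustration written for this archive page; it is not part of the thread and not SonicWALL's code. It models a minimal log viewer in two forms, the raw-interpolation one that reproduces the defect and the output-encoded one that neutralises it, and adds a triage check that lists which LAN addresses produced log entries containing markup, so an admin can identify the host before a reboot clears the log. All log entries, addresses and domain names are constructed sample data.

```python
import html
import re

# Constructed sample log entries (source address, blocked URL); not captured
# from a real unit. The second and third carry the kind of payload the
# advisory describes: a blocked URL whose path contains markup that the
# content filter records verbatim.
SAMPLE_LOG = [
    ("192.168.1.20", "bannerserver.example/ads/banner.gif"),
    ("192.168.1.45", 'bannerserver.example/<SCRIPT>window.location.href="http://attacker.example";</SCRIPT>'),
    ("192.168.1.45", "blocked.example/page?q=<img src=x onerror=alert(1)>"),
]


def render_row_unsafe(src, url):
    """The defect the advisory describes: the logged URL is dropped into the
    admin page as raw HTML, so any tag inside it executes in the admin's browser."""
    return f"<tr><td>{src}</td><td>{url}</td></tr>"


def render_row_safe(src, url):
    """Hardened form: HTML-encode every untrusted field at output time.
    quote=True also encodes quotes, so the value is safe inside attributes too."""
    return (
        f"<tr><td>{html.escape(src, quote=True)}</td>"
        f"<td>{html.escape(url, quote=True)}</td></tr>"
    )


def render_log(log, safe=True):
    """Render the whole log as an HTML table, safely or with the original defect."""
    render = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(render(s, u) for s, u in log) + "</table>"


# Characters and tokens that have no business in a domain/path a client requested.
# URL-encoded angle brackets are included because a filter that decodes before
# logging would turn them back into live markup.
MARKUP = re.compile(r"""[<>"']|%3c|%3e|javascript:""", re.IGNORECASE)


def flag_suspicious(log):
    """Return the sorted set of source addresses whose blocked URL contains
    markup: a triage aid for finding the LAN host behind an injected entry."""
    return sorted({src for src, url in log if MARKUP.search(url)})


def contains_live_tag(page):
    """True if the rendered page still contains an unescaped script or image tag."""
    return re.search(r"<script|<img", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("hosts with markup in blocked URLs:", flag_suspicious(SAMPLE_LOG))
    print("unsafe render contains live tag:", contains_live_tag(render_log(SAMPLE_LOG, safe=False)))
    print("safe render contains live tag:  ", contains_live_tag(render_log(SAMPLE_LOG, safe=True)))
```

The escaping belongs at the point where log data becomes HTML, not at capture time: storing the raw URL keeps the forensic record intact (you want to see exactly what the client requested), while `html.escape` guarantees the viewer shows it as text. The triage regex is deliberately broad; it is a hint for the administrator, not a filter, and false positives on odd but harmless URLs are acceptable in that role.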
This archive was generated by hypermail 2b30 : Sat May 18 2002 - 14:59:40 PDT