RE: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service

From: E M (rdnktrk@hotmail.com)
Date: 05/18/02


From: "E M" <rdnktrk@hotmail.com>
To: darrydoo@aci.on.ca, tech@x4tress.com
Date: Sat, 18 May 2002 12:40:25 -0700

Well, keep in mind the VX enterprise unit has the same problem, so in effect
you could see a LAN with hundreds of users using this as their Firewall.

Eric.

>From: "Darren W. MacDonald" <darrydoo@aci.on.ca>
>To: "'tech '" <tech@x4tress.com>
>CC: <bugtraq@securityfocus.com>, <vuln-dev@securityfocus.com>
>Subject: RE: Sonicwall SOHO Content Blocking Script Injection, LogFile
>Denial of Service
>Date: Fri, 17 May 2002 21:43:29 -0400
>
>But... it's a SOHO device... <scratch head>
>
>How many SOHO locations have *any* kind of admin, let alone a security
>admin who has set up syslogd? Or a second Internet connection?
>
>Cheers
>Darren W. MacDonald
>
>-----Original Message-----
>From: tech [mailto:tech@x4tress.com]
>Sent: May 17, 2002 4:46 PM
>To: bugtraq@securityfocus.com
>Cc: vuln-dev@securityfocus.com
>Subject: RE: Sonicwall SOHO Content Blocking Script Injection, LogFile
>Denial of Service
>
>In this case, if the user was sending his/her logs to a syslog server, the
>entries would be preserved when the SonicWALL is rebooted. So the
>administrator would be able to see which user initiated the "script".
>The other thing is that any "decent" network administrator would examine
>a link before clicking on it to find out why it was blocked ... so the
>locally triggered "script" is not a real threat. A lot of security
>administrators will have a separate ISP line to test these
>"questionable" links and therefore not endanger the rest of the site,
>while doing log analysis.
>
>-----Original Message-----
>From: E M [mailto:rdnktrk@hotmail.com]
>Sent: Friday, May 17, 2002 11:56 AM
>To: bugtraq@securityfocus.com
>Cc: vuln-dev@securityfocus.com
>Subject: Sonicwall SOHO Content Blocking Script Injection, LogFile
>Denial of Service
>
>This advisory may be reproduced unmodified.
>
>Sonicwall SOHO Content Blocking Script Injection and Logfile DoS
>
>Test Unit :
>Sonicwall SOHO3
>Firmware version: 6.3.0.0
>ROM version: 5.0.1.0
>
>Severity : Medium
>
>Issue :
>Sonicwall allows administrators to block websites based on a user-entered
>list of domains. These websites are blocked whenever they are accessed by
>clients on the LAN interface.
>
>By passing a blocked URL with an injected script, the attacker may execute
>scripts automatically when the logfile is viewed.
>
>The below example uses a commonly blocked ad server; please note this must
>be in your blocked sites list and that any site that is blocked will work
>fine.
>
>bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadwarehouse.com";</SCRIPT>
>
>This will be injected into the logfile; when an Admin attempts to view the
>log files they will be automatically redirected to the site of your choice.
>
>Note that any <SCRIPT> is executed; for the example I show redirection as a
>means of Denial of Service.
>
>Resolution :
>Only after rebooting the unit will you gain access to the logfiles; the log
>is cleared on each reboot, thus you will be unable to locate the user on the
>LAN segment who initiated the attack.
>
>
>Mitigating Factors :
>This attack must come from the LAN interface, which means that it is not
>remotely exploitable; this conclusion may be false but will be tested
>further.
>
>
>Author :
>Eric McCarty
>rdnktrk@hotmail.com
>
>
>
>
>
>
>

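Added example, not part of the thread and not SonicWALL code: a log-view renderer that HTML-encodes each logged field at output time, next to the unescaped form the advisory describes, plus a check that lists the LAN hosts whose blocked-URL entries contain markup. The record layout, the "Web site blocked:" wording, the function names and the source addresses are assumptions made for the illustration.

```python
import html
import re

# Constructed log records: (timestamp, LAN source, blocked URL). The second
# URL is the advisory's own example string; the addresses are made up.
SAMPLE_LOG = [
    ("05/17/2002 11:50:02", "192.168.168.21", "bannerserver.gator.com/ads/1.gif"),
    ("05/17/2002 11:52:40", "192.168.168.37",
     'bannerserver.gator.com/<SCRIPT>window.location.href='
     '"http://www.offroadwarehouse.com";</SCRIPT>'),
]

# Characters that have no business in a logged host/path shown in an HTML page.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def render_row_unsafe(ts, src, url):
    """Behaviour the advisory describes: the URL reaches the page verbatim."""
    return f"<tr><td>{ts}</td><td>{src}</td><td>Web site blocked: {url}</td></tr>"


def render_row_safe(ts, src, url):
    """Hardened form: every logged field is HTML-encoded when rendered."""
    cells = (ts, src, "Web site blocked: " + url)
    body = "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells)
    return f"<tr>{body}</tr>"


def suspicious_sources(records):
    """Return the LAN hosts whose blocked-URL entries contain markup."""
    return sorted({src for _, src, url in records if MARKUP.search(url)})


if __name__ == "__main__":
    for rec in SAMPLE_LOG:
        print(render_row_safe(*rec))
    print("review hosts:", suspicious_sources(SAMPLE_LOG))
```

Running the same check over a syslog copy of the entries keeps the source address available after the unit's own log is cleared by a reboot.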