SecurityTracker.com

SecurityTracker Archives

Category:   Device (Firewall)  >   Dell SonicWALL
Vendors:   SonicWALL
SonicWALL SOHO Firewall Device Log File Filtering Hole Lets Remote Users on the Local Network Inject Scripting into Log Files for Denial of Service or Potential Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1004320
SecurityTracker URL:  http://securitytracker.com/id/1004320
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 17 2002
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): SOHO3, Firmware version: 6.3.0.0, ROM version: 5.0.1.0
Description:   A vulnerability was reported in the SonicWALL SOHO firewall device. A remote user on the local network can, in certain situations, inject scripting into the log files that will be executed on the administrator's web browser when the administrator views the log.

This condition can be exploited when the administrator has blocked certain web sites using the SonicWALL web blocking feature. A remote user on the local network can issue an HTTP GET request for a "blocked list" URL, where the HTTP request also contains scripting in the URL. An example of this format is provided:

http://[blockedhost]/<SCRIPT>[script_goes_here]</SCRIPT>

The user-supplied URL will be entered into the log file. Then, when an administrator attempts to view the log file, the script will be executed by the administrator's browser. If the script includes a redirect, for example, the administrator's browser will be redirected and the administrator will not be able to view the log file (if scripting is enabled).

[Editors' note: It may be possible that this exploit method can be used to cause the administrator's browser to take firewall management actions on behalf of the administrator, however, this was not confirmed in the report.]

Impact:   A remote user can cause arbitrary scripting code to be executed by the administrator's browser when the administrator views the log file. It may be possible for this code to take firewall administrator actions on behalf of the administrator, but that was not confirmed.
Solution:   No solution was available at the time of this entry.

It appears that SonicWALL requires JavaScript to be enabled in the administrator's browser in order for the administrator to log in. However, it also appears that JavaScript is not required to view the log file. If so, the administrator can disable JavaScript before viewing the log file, which prevents the injected script from running and lets the administrator read the entry and determine which host on the local network injected it. Because the log is cleared on each reboot, the source address should be recorded before the unit is restarted.
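The two halves of this report, the request URL written to the log unescaped and the administrator's need to identify the LAN host that wrote it, as an added example that is not SonicWALL's firmware code or the reporter's: a small Python model of a log viewer. The sample log entries and their field layout (src, dst, url, action) are constructed for the example and are an assumption, not the device's real log format. It shows the vulnerable renderer beside an HTML-escaping one, and a scan that reports the source address of every entry whose URL carries markup, decoding percent-encoding first so an encoded tag is caught as well.

```python
"""Added example (not SonicWALL's firmware or the advisory author's code).

Models the flaw from the report: a firewall logs the URL of a blocked request
verbatim and later renders the log as HTML for the administrator. The sample
entries below are constructed; the field layout is an assumption, not the
device's real log format.
"""
from __future__ import annotations

import html
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log: one entry carries the <SCRIPT> payload described above.
SAMPLE_LOG = """\
2002-05-17 10:01:02 src=192.168.1.20 dst=www.example.com url=/index.html action=blocked
2002-05-17 10:01:09 src=192.168.1.37 dst=bannerserver.gator.com url=/<SCRIPT>window.location.href="http://attacker.invalid";</SCRIPT> action=blocked
2002-05-17 10:02:15 src=192.168.1.20 dst=ads.example.net url=/track?id=42 action=blocked
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"url=(?P<url>.*) action=(?P<action>\S+)$"
)

# Markup that would become live inside an HTML page: tags, javascript: URLs, on*= handlers.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


@dataclass
class Entry:
    ts: str
    src: str
    dst: str
    url: str
    action: str


def parse_log(text: str) -> list[Entry]:
    """Parse the constructed log format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def render_vulnerable(entries: list[Entry]) -> str:
    """The reported behaviour: network-supplied fields are pasted into HTML verbatim,
    so a <SCRIPT> tag in the request URL is executed by the administrator's browser."""
    rows = "".join(
        f"<tr><td>{e.ts}</td><td>{e.src}</td><td>{e.dst}{e.url}</td></tr>" for e in entries
    )
    return f"<table>{rows}</table>"


def render_hardened(entries: list[Entry]) -> str:
    """The fix: every field that came off the wire is escaped for an HTML text context."""
    rows = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(v, quote=True)}</td>" for v in (e.ts, e.src, e.dst + e.url))
        + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def find_injected(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (src, dst, url) for entries whose URL carries markup, i.e. the LAN
    hosts the administrator wants to identify before a reboot clears the log.
    The URL is percent-decoded first so an encoded %3Cscript%3E does not slip past."""
    return [(e.src, e.dst, e.url) for e in entries if MARKUP_RE.search(unquote(e.url))]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(render_vulnerable(log))
    print(render_hardened(log))
    for src, dst, url in find_injected(log):
        print(f"injected markup from {src} via blocked host {dst}{url}")
```

Running the script prints the two renderings side by side: in the first the payload appears as a live tag, in the second as `&lt;SCRIPT&gt;` text, and the scan names 192.168.1.37 as the host that sent it. The same scan can be run over an exported log with scripting disabled in the browser, which is the workaround suggested above.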

Vendor URL:  www.sonicwall.com/
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service


This advisory may be reproduced unmodified.

Sonicwall SOHO Content Blocking Script Injection and Logfile DoS

Test Unit :
Sonicwall SOHO3
Firmware version: 6.3.0.0
ROM version: 5.0.1.0

Severity : Medium

Issue :
Sonicwall allows administrators to block websites based on a user-entered 
list of domains. These websites are blocked whenever they are accessed by 
clients on the LAN interface.

By passing a blocked URL with injected script, the attacker may execute scripts 
automatically when the logfile is viewed.

The example below uses a commonly blocked ad server; please note this must 
be in your blocked sites list, and that any site that is blocked will work 
fine.

bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadwarehouse.com";</SCRIPT>

This will be injected into the logfile; when an admin attempts to view the 
log files they will be automatically redirected to the site of your choice.

Note that any <SCRIPT> is executed, for the example I show redirection as a 
means of Denial of Service.

Resolution :
Only after rebooting the unit will you gain access to the logfiles; the log 
is cleared on each reboot, so you will be unable to locate the user on the 
LAN segment who initiated the attack.


Mitigating Factors :
This attack must come from the LAN interface, which means that it is not 
remotely exploitable; this conclusion may be false but will be tested 
further.


Author :
Eric McCarty
rdnktrk@hotmail.com










Copyright 2021, SecurityGlobal.net LLC