RE: Sonicwall SOHO Content Blocking Script Injection, LogFile Denial of Service

["E M" <rdnktrk () hotmail com>]

Well keep in mind the VX enterprise unit has the same problem so in effect 
you could see a LAN with hundreds of users using this as their Firewall.

Eric.


> From: "Darren W. MacDonald" <darrydoo () aci on ca>
> To: "'tech '" <tech () x4tress com>
> CC: <bugtraq () securityfocus com>, <vuln-dev () securityfocus com>
> Subject: RE: Sonicwall SOHO Content Blocking Script Injection, LogFile 
> Denial of Service
> Date: Fri, 17 May 2002 21:43:29 -0400
>
> But... it's a SOHO device... <scratch head>
>
> How many SOHO locations have *any* kind of admin, let alone a security
> admin who has set up syslogd? Or a second Internet connection?
>
> Cheers
> Darren W. MacDonald
>
> -----Original Message-----
> From: tech [mailto:tech () x4tress com]
> Sent: May 17, 2002 4:46 PM
> To: bugtraq () securityfocus com
> Cc: vuln-dev () securityfocus com
> Subject: RE: Sonicwall SOHO Content Blocking Script Injection, LogFile
> Denial of Service
>
> In this case, if the user was send his/her logs to a syslog server, the
> entries would be preserved when the SonicWALL is rebooted.  So the
> administrator would be able to see which user initiated the "script".
> The other thing is that any "decent" network administrator would examine
> a link before clicking on it to find out why it was blocked ... so the
> locally trigger "script" is not a real threat.  A lot of security
> administrators will have a separate ISP line to test these
> "questionable" links and there for not-endanger the rest of the site,
> while doing log analysis.
>
> -----Original Message-----
> From: E M [mailto:rdnktrk () hotmail com]
> Sent: Friday, May 17, 2002 11:56 AM
> To: bugtraq () securityfocus com
> Cc: vuln-dev () securityfocus com
> Subject: Sonicwall SOHO Content Blocking Script Injection, LogFile
> Denial of Service
>
> This advisory may be reproduced unmodified.
>
> Sonicwall SOHO Content Blocking Script Injection and Logfile DoS
>
> Test Unit :
> Sonicwall SOHO3
> Firmware version: 6.3.0.0
> ROM version: 5.0.1.0
>
> Severity : Medium
>
> Issue :
> Sonicwall Allows administrators to block websites based on a user
> entered
> list of domains. These websites are blocked whenever they accessed by
> clients on the LAN interface.
>
> By passing a blocked URL injected script the attacker may execute
> scripts
> automatically when the logfile is viewed.
>
> The below example uses a commonly blocked ad server, please note this
> must
> be in your blocked sites list and that any site that is blocked will
> work
> fine.
>
> bannerserver.gator.com/<SCRIPT>window.location.href="http://www.offroadw
> arehouse.com";</SCRIPT>
>
> This will be injected into the logfile, when an Admin attempts to view
> the
> log files they will be automatically redirected to the site of your
> choice.
>
> Note that any <SCRIPT> is executed, for the example I show redirection
> as a
> means of Denial of Service.
>
> Resolution :
> Only after rebooting the unit will you gain access to the logfiles, the
> log
> is cleared on each reboot, thus you will be unable to locate the user on
> the
> LAN segment who initiated the attack.
>
>
> Mitigating Factors :
> This attack must come from the Lan interface, which means that it is not
>
> remotely exploitable, this conclusion may be false but will be tested
> further.
>
>
> Author :
> Eric McCarty
> rdnktrk () hotmail com
>
>
>
>
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com


_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com