[CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP- splitting

From: alex_haynes@outlook.com
To: bugtraq@securityfocus.com
Subject: [CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP- splitting

Exploit Title: [CVE-2016-6484] Infoblox Network Automation CRLF Injection/ HTTP splitting vulnerability
Product: Infoblox Network Automation
Vulnerable Versions: 7.0.1 and all previous versions 
Tested Version: 6.9.2
Advisory Publication:  06/09/2016
Vulnerability Type: [CWE-113:] Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting)
CVE Reference: CVE-2016-6484
Credit: Alex Haynes

Advisory Details:

(1) Vendor & Product Description


Product & Version:
Infoblox Network Automation v7.0.1

Vendor URL & Download:

Product Description:
"Infoblox also offers a complementary, powerful network automation platform which enables discovery, switch port management, network change configuration and compliance management for multi-vendor network devices. Automation cuts down administrator workload and reduces risk of network outages due to improper configurations or changes."

(2) Vulnerability Details:
The login page of netmri is vulnerable to a HTTP splitting/CRLF injection. 
The POST of the login action contains the following parameters, and the \u201ccontentType\u201d parameter can be modified to be reflected in the response header: 
Once we control content-type, we can inject \u201ccarriage return\u201d : %0a and \u201cline feed\u201d : %0d characters to break the header and introduce our own, effectively \u201csplitting the response. We can then introduce our own HTML and/or javascript to provoke a HTML injection or cross-site scripting attack.:
skipjackPassword=test&width=100&contentType=%0d%0aContentLength:%2019%0d%0a%0d%0a<html><h1>Injected HTML</h1><script>alert(\u2018xss\u2019);</script><!--</html>

(3) Advisory Timeline:
25/01/2016 - First Contact informing vendor of vulnerabilities. No response.
01/02/2016 - Follow up e-mail to inform them of vulnerabilities. Response requesting further information.
01/02/2016 - Information on vulnerabilities sent to vendor. No response.
08/02/2016 - follow up e-mail requesting update. Vendor responds asking us to open a support ticket.
12/02/2016 - Infoblox products out of support so cannot raise ticket. write to vendor to explain situation. No response.
24/02/2016 - Follow up with vendor on vulnerabilities requesting an update.
10/03/2016 - Final follow up to vendor requesting an update. Vendor responds and opens support ticket for vulnerabilities, mentioning they will look into vulnerabilities.
14/03/2016 - vendor responds saying they are able to reproduce vulnerabilities
17/03/2016 - Vendor responds saying some of the vulnerabilities are already fixed in version 7.0.4 but cannot confirm which ones.
05/04/2016 - Request update from vendor on status of vulnerabilities.
12/04/2016 - Vendor responds saying CSRF already fixed in 7.0.1, XSS and HTTP Splitting to be fixed in upcoming 7.1.1 - expected release in summer.
30/06/2016 - Patch 7.1.1 released
06/09/2016 - Public disclosure

Upgrade to Version 7.1.1

(5) Credits:
Discovered by Alex Haynes

Copyright © 1995-2018 LinuxRocket.net. All rights reserved.