Home page logo

bugtraq logo Bugtraq mailing list archives

OS Command Injection Infoblox Network Automation
From: nate () depthsecurity com
Date: Wed, 9 Jul 2014 14:04:34 GMT

Product: Network Automation, licensed as:
•         NetMRI
•         Switch Port Manager
•         Automation Change Manager
•         Security Device Controller

Vendor: Infoblox
Vulnerable Version(s): 6.4.X.X-6.8.4.X
Tested Version:

Vendor Notification: May 12th, 2014 
Vendor Patch Availability to Customers: May 16th, 2014
Public Disclosure: July 9th, 2014 

Vulnerability Type: OS Command Injection [CWE-78]
CVE Reference: CVE-2014-3418
Risk Level: High 
CVSSv2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Solution Status: Solution Available

Discovered and Provided: Nate Kettlewell, Depth Security ( https://www.depthsecurity.com/ )


Advisory Details:

Depth Security discovered a vulnerability in the Infoblox Network Automation management web interface. This attack does 
not require authentication of any kind.

1) OS Command Injection in Infoblox Network Automation Products: CVE-2014-3418

The vulnerability exists due to insufficient sanitization of user-supplied data in in skipjackUsername POST parameter. 
A remote attacker can inject operating system commands as the root user, and completely compromise the operating system.

The following is the relevant portion of the multipart/form-data POST request to netmri/config/userAdmin/login.tdf

Content-Disposition: form-data; name="skipjackUsername"

admin`ping -n 20`



Infoblox immediately released a hotfix to remediate this vulnerability on existing installations 
The flaw was corrected in the 6.8.5 release (created expressly for dealing with this issue), and that release has been 
put into manufacturing for new appliances.


Proof of Concept:

In addition to manual exploitation via the above mentioned vector, proof of concept is provided in the form of a module 
for the metasploit framework.



[1] Depth Security Advisory - http://blog.depthsecurity.com/2014/07/os-command-injection-in-infoblox-netmri.html  - OS 
Command Injection in NetMRI.
[2] NetMRI - http://www.infoblox.com/products/network-automation/netmri - NetMRI is an Enterprise Network Management 
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types.
[4] NetMRI Metasploit Module - https://github.com/depthsecurity/NetMRI-2014-3418

  By Date           By Thread  

Current thread:
  • OS Command Injection Infoblox Network Automation nate (Jul 09)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]