XSS through DHCP: How Attackers Use Standards
During a security assessment, we sometimes need to think outside the box to find interesting and impactful exploits. Protocol standards can serve as a roadmap to the assumptions built into a piece of software, and breaking those assumptions often means breaking the software: a program may be secure as long as well-behaved peers follow the protocol standard, yet be vulnerable when they do not.
We recently had a good example of this concept on an assessment, where we violated the DHCP standard in order to perform Cross-Site Scripting (XSS) on a router’s admin interface page.
The router that we were testing, like many others, had a section of the web interface dedicated to listing the devices that were connected to the network. The devices are represented by their hostname — a field the router receives during DHCP IP address negotiation. This raises two very important questions: 1) what are the expected characters in a hostname; and 2) are the hostnames validated or escaped in any way?
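To make those two questions concrete, here is an added example (not code from the original post or from the router's firmware) showing how a device-list page could parse the DHCP Host Name option, validate it against RFC 1123 hostname rules, and HTML-escape it before rendering. Option codes follow RFC 2132; the sample option bytes are constructed, not captured traffic.

```python
import html
import re

# DHCP option codes (RFC 2132): 0 = pad, 12 = Host Name, 255 = end of options.
OPT_PAD, OPT_HOST_NAME, OPT_END = 0, 12, 255

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area of a DHCP message into {code: raw_bytes}."""
    result, i = {}, 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        result[code] = value
        i += 2 + length
    return result


def is_valid_hostname(name: str) -> bool:
    """Accept only RFC 1123 hostnames: dot-separated valid labels, <= 253 chars."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def render_client_row(options: bytes) -> str:
    """Defensive rendering: decode, validate, then HTML-escape the hostname."""
    raw = parse_dhcp_options(options).get(OPT_HOST_NAME, b"")
    name = raw.decode("ascii", errors="replace")
    if not is_valid_hostname(name):
        name = "(invalid hostname)"  # never trust what a DHCP client sent
    # Escape regardless: defence in depth if validation is ever relaxed.
    return f"<tr><td>{html.escape(name, quote=True)}</td></tr>"


# Constructed sample option blobs: one well-formed hostname, one with HTML metacharacters.
GOOD = bytes([OPT_HOST_NAME, 6]) + b"laptop" + bytes([OPT_END])
BAD = bytes([OPT_HOST_NAME, 7]) + b"my<b>pc" + bytes([OPT_END])
```

Validation rejects anything outside the characters the standard allows, and escaping ensures that even an accepted value is rendered as text rather than markup.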