lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <9C33822957B15740A01A28A5EBAE353A04293144@cghqmail1.cyberguard.net>
Date: Wed Dec 28 16:23:35 2005
From: frank at cyberguard.com (Frank Berzau)
Subject: RE: Webwasher CSM Appliance Script Security
	Restriction Bypass

As discribed in our first response on Dec 23, we meanwhile ran
additional tests against older versions of Webwasher CSM because the
initial posting of ".v0rt3x" does not specify a version number.

Our first test results are confirmed:
The script mitigation of Webwasher CSM 5.1 and newer cannot be bypassed
by changing the capitalization of the Run method as described in the
posting.

Since Dec 23, we've been trying to contact ".v0rt3x", asking for further
information, for his PoC example etc. We are still waiting for a
response.
In our email archives we could not find the initial notifications
mentioned by ".v0rt3x" in his initial posting in the timeline section. 

Based on our test results and the lack of detailed input from ".v0rt3x"
we declare the reported issue disproved and consider this case resolved.

Thanks, Frank

-----------------------------------------------------
Frank Berzau
Director, European Support
CyberGuard Corp.
 

-----Original Message-----
From: d0t v0rt3x [mailto:d0tv0rt3x@...il.com] 
Sent: Thursday, December 22, 2005 9:42 PM
To: full-disclosure@...ts.grok.org.uk; bugtraq@...urityfocus.com
Subject: Webwasher CSM Appliance Script Security Restriction Bypass

Vendor: Webwasher (http://www.webwasher.com/)
Product: Webwasher CSM Appliance
Affected versions: CSM Suite 5.x
Author: .v0rt3x (d0tv0rt3x[at]gmail[d0t]com)
Date: 2005-Dec-22

....Background....
"...Webwasher appliances provide high-performance "Proactive
Filtering" of bidirectional SMTP, HTTP, HTTPS, and FTP traffic to
detect and cleanse all forms of malware. The result is a security
appliance that delivers the Blended Protection you need to protect
against malicious content and unwanted email..."

....Description....
Webwasher CSM includes an encapsulation script mechanism with the aim
of filtering malicious scripts.
The encapsulation script makes use of specific potentially malicious
tokens in order to detect and neutralize the malicious script.
The detection of the tokens is case sensitive. However, some of the
tokens can be executed whether they are written in lower case or upper
case letters.
In other words, by creating a specially crafted script, an attacker
can bypass the filtering mechanism and execute malicious scripts.

....Proof.of.Concept....
1) Create a malicious script by using an object which executes ".Run"
method (e.g. one of the many WScript.Shell exploits).
2) Replace ".Run" with ".run".
3) Execute the malicious script "safely" through Webwasher CSM.

....Timeline....
2005-May-15: Vendor was notified by mail.
2005-Aug-15: Vendor was notified again via contact form.
2005-Dec-22: No response from the vendor - public disclosure.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ