lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20121115161423.12a88298@sec-consult.com>
Date: Thu, 15 Nov 2012 16:14:23 +0100
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: bugtraq <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20121115-0 :: Applicure
 dotDefender WAF format string vulnerability

SEC Consult Vulnerability Lab Security Advisory < 20121115-0 >
==========================================================================
              title: Applicure dotDefender WAF format string vulnerability
            product: dotDefender for Linux/Apache
 vulnerable version: <= 4.26
      fixed version: 5.00
         CVE number: -
             impact: Medium (needs preconditions)
           homepage: http://www.applicure.com/Products/dotdefender
              found: 2012-10-13
                 by: Bernhard Mueller
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=========================================================================

Vendor/product description:
---------------------------
dotDefender is a web application security solution (a Web Application
Firewall, or WAF) that offers strong, proactive security for your websites and
web applications.

URL: http://www.applicure.com/Products/dotdefender


Vulnerability overview/description:
-----------------------------------
dotDefender displays an error page when blocking an attack. The error page is
generated from a template which can contain various template variables. These
variables are expanded into a buffer first, the result of which is then passed
to AP_PRINTF() without checking for format string identifiers. Any remaining
format strings are interpreted by AP_PRINTF(), allowing for a format string
injection attack.

This is immediately exploitable by an unauthenticated attacker if the <%IP%>
template tag is used in the error page (not the case in the default template).
In this case an attacker can inject format strings in the "Host"-header. Other
attack vectors may exist if the attacker manages to access the dotDefender web
interface which requires a password.

Successful exploitation allows an attacker to execute arbitrary code on the
server.


Proof of concept:
-----------------

No proof-of-concept exploit will be released.


Vulnerable / tested versions:
-----------------------------

The vulnerability has been tested with dotDefender 4.26 for Linux/Apache.

dotDefender for Windows is not affected.


Vendor contact timeline:
------------------------
2012-10-17: Contacted vendor
2012-11: Fixed version is released
2012-11-15: SEC Consult releases security advisory


Solution:
---------
Upgrade to at least version 5.00 of dotDefender for Linux:

http://www.applicure.com/download-latest


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The SEC Consult Group

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Mail: office at sec-consult dot sg


Check out our blog at:

http://blog.sec-consult.com/


And this thing here:

http://wordpress.org/extend/plugins/mvis-security-center/


EOF B. Mueller / November 2012

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ