GTA WAF GB-OS v6.2.02 - Bypass & Persistent Vulnerability

2016-02-24T00:00:00
ID VULNERLAB:1713
Type vulnerlab
Reporter Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Modified 2016-02-24T00:00:00

Description

An application-side input validation web vulnerability has been discovered in the official GTA Web Firewall appliance - GB OS v6.2.02. The vulnerability allows local attackers to inject their own malicious script code into the application-side context of the affected module.

The security vulnerability is located in the Edit Packet Capture Filter function of the Packet Capture module [Monitor - Tools - Packet Capture]. Remote attackers are able to inject script code into the description input field when adding a new packet capture filter in the web firewall interface. The injection point is the Edit Packet Capture Filter - Description input field and the execution point is the Packet Capture item listing. The attack vector is persistent (application-side) and the request method used to inject is POST.

The web firewall interface has its own validation procedure to filter bad input. The input validation of the description can be bypassed with a split-character injection: the attacker injects two payloads, the first is filtered, and the second bypasses the validation.

The security risk of the application-side validation web vulnerability is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.0. Exploitation of the persistent input validation web vulnerability requires a privileged admin appliance web-application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected or connected application modules.

Request Method(s): [+] POST

Vulnerable Service(s): [+] GB OS v6.2.02

Vulnerable Module(s): [+] Packet Capture - [Monitor - Tools - Packet Capture]

Vulnerable Input(s): [+] Edit Packet Capture Filter - [Description]

Vulnerable Parameter(s): [+] description - listtextplain

Affected Module(s): [+] Packet Capture Item Listing
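A defender-side illustration of the two controls this finding calls for: allowlist validation on the POST that creates or edits a filter, and HTML encoding of stored values when the item listing is rendered, so that a filter which strips known-bad substrings is not the only line of defense. This is an added example, not GB-OS code; the allowlist pattern, the row markup and the function names are assumptions.

```python
import html
import re

# Assumed policy for a packet capture filter description: letters, digits,
# space and a little punctuation, 1 to 128 characters. Input that does not
# match is rejected outright rather than stripped, so a payload split across
# two submissions has nothing left to reassemble on the server.
DESCRIPTION_RE = re.compile(r"[A-Za-z0-9 _.,:()/-]{1,128}")


def validate_description(desc: str) -> bool:
    """Allowlist check applied when a filter is created or edited (POST)."""
    return DESCRIPTION_RE.fullmatch(desc) is not None


def render_listing_row(name: str, desc: str) -> str:
    """One row of the packet capture item listing. Every stored value is
    HTML-encoded at output time, independently of what input validation
    did, so markup inside a description is displayed as text, never parsed."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(name, quote=True), html.escape(desc, quote=True)
    )


def add_capture_filter(filters: dict, name: str, desc: str) -> bool:
    """Store a filter only if both fields pass the allowlist."""
    if not (validate_description(name) and validate_description(desc)):
        return False
    filters[name] = desc
    return True


if __name__ == "__main__":
    filters = {}
    # Constructed sample inputs: a benign description and one carrying markup.
    print(add_capture_filter(filters, "syn-only", "tcp syn packets on eth0"))
    print(add_capture_filter(filters, "odd", "x <b>bold</b> y"))
    for n, d in filters.items():
        print(render_listing_row(n, d))
```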