Applicure dotDefender WAF format string vulnerability

SEC Consult Vulnerability Lab Security Advisory < 20121115-0 >
==========================================================================
title: Applicure dotDefender WAF format string vulnerability
product: dotDefender for Linux/Apache
vulnerable version: <= 4.26
fixed version: 5.00
CVE number: -
impact: Medium (needs preconditions)
homepage: www.applicure.com/Products/dotdefender
found: 2012-10-13
by: Bernhard Mueller
SEC Consult Vulnerability Lab
www.sec-consult.com
=========================================================================


Vendor/product description:
---------------------------
dotDefender is a web application security solution (a Web Application
Firewall, or WAF) that offers strong, proactive security for your websites and
web applications.

URL: www.applicure.com/Products/dotdefender


Vulnerability overview/description:
-----------------------------------
dotDefender displays an error page when blocking an attack. The error page is
generated from a template which can contain various template variables. These
variables are expanded into a buffer first, and the result is then passed to
AP_PRINTF() without checking it for format specifiers. Any format specifiers
remaining in the buffer are interpreted by AP_PRINTF(), allowing for a format
string injection attack.

This is immediately exploitable by an unauthenticated attacker if the <%IP%>
template tag is used in the error page (not the case in the default template).
In this case an attacker can inject format strings via the "Host" header. Other
attack vectors may exist if the attacker manages to access the dotDefender web
interface, which requires a password.

Successful exploitation allows an attacker to execute arbitrary code on the
server.
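The call pattern described above, as an added illustration that is not part of this advisory and not dotDefender's code: a constructed template with the <%IP%> tag, the expanded buffer handed straight to a printf-style function (snprintf stands in for AP_PRINTF(); how the real code is structured is an assumption), the hardened form with a constant format string, and a check that counts conversion directives still present in the buffer before it reaches the printf engine.

```c
#include <stdio.h>
#include <string.h>
/* Constructed error-page template (not dotDefender's real one); <%IP%> is the
 * tag the advisory says is filled from attacker-controlled request data. */
static const char *PAGE_TEMPLATE = "<html>Request from <%IP%> was blocked.</html>";

/* Expand the first <%IP%> tag in tpl with ip; returns the result length.
 * Every format string here is a constant, so the tag value is never parsed. */
size_t expand_template(const char *tpl, const char *ip, char *out, size_t outsz) {
    const char *tag = strstr(tpl, "<%IP%>");
    if (tag == NULL)
        return (size_t)snprintf(out, outsz, "%s", tpl);
    return (size_t)snprintf(out, outsz, "%.*s%s%s",
                            (int)(tag - tpl), tpl, ip, tag + strlen("<%IP%>"));
}

/* Vulnerable pattern from the advisory: the expanded page is itself used as
 * the format string, so any %-directive that arrived in the tag value is
 * interpreted by the printf engine (snprintf stands in for AP_PRINTF()). */
int emit_vulnerable(char *dst, size_t dstsz, const char *expanded) {
    return snprintf(dst, dstsz, expanded);
}

/* Hardened form: a constant format string; the page is only an argument. */
int emit_hardened(char *dst, size_t dstsz, const char *expanded) {
    return snprintf(dst, dstsz, "%s", expanded);
}

/* Defensive check for the buffer that would reach AP_PRINTF(): count the
 * conversion directives it still contains ("%%" is a literal percent sign). */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent, harmless */
        count++;
    }
    return count;
}

/* Render a blocked-request page through the hardened path only. Returns a
 * static buffer so the result can be inspected directly. */
const char *render_blocked_page(const char *tag_value) {
    static char expanded[256], page[256];
    expand_template(PAGE_TEMPLATE, tag_value, expanded, sizeof expanded);
    emit_hardened(page, sizeof page, expanded);
    return page;
}
```

With the hardened path a tag value such as "%x%x%n" survives only as literal text in the page, and count_format_directives() on the expanded buffer is the check the vulnerable path lacked.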


Proof of concept:
-----------------

No proof-of-concept exploit will be released.

Vulnerable / tested versions:
-----------------------------

The vulnerability has been tested with dotDefender 4.26 for Linux/Apache.

dotDefender for Windows is not affected.


Vendor contact timeline:
------------------------
2012-10-17: Contacted vendor
2012-11: Fixed version is released
2012-11-15: SEC Consult releases security advisory

Solution:
---------
Upgrade to at least version 5.00 of dotDefender for Linux:

www.applicure.com/download-latest

Advisory URL:
--------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The SEC Consult Group

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com

Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Mail: office at sec-consult dot sg

Check out our blog at:

blog.sec-consult.com

And this thing here:

wordpress.org/extend/plugins/mvis-security-center/

EOF B. Mueller / November 2012