exploit the possibilities

Airlock WAF 4.2.4 Bypass

Airlock WAF 4.2.4 Bypass
Posted Jun 19, 2012
Authored by G. Wagner | Site sec-consult.com

The Airlock WAF protection can be completely bypassed by using overlong UTF-8character representations of the NUL character such as C0 80, E0 80 80 and F080 80 80. During the tests no internal knowledge of the WAF was known, but it is suspected that the UTF-8 decoder fails to reject the overlong NUL byte character representations and they get decoded as U+0000 later on. Further the WAF would not perform any checks for attack patterns after the NUL byte. Versions 4.2.4 and below are affected.

tags | exploit
MD5 | 91e21e7c63b0df2af93a914b379baa26

Airlock WAF 4.2.4 Bypass

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20120618-1 >
=======================================================================
title: Airlock WAF overlong UTF-8 sequence bypass
product: Airlock
vulnerable version: <= 4.2.4 (without hotfix HF4213)
fixed version: 4.2.5
impact: critical
homepage: http://www.ergon.ch/
found: 2012-04-05
by: G. Wagner
SEC Consult Vulnerability Lab
https://www.sec-consult.com/
=======================================================================


Vendor description:
-------------------

Airlock is a Web application firewall (WAF) that offers a combination of
defence mechanisms for Web applications. It has been developed to meet the
security standards criteria of the payment card industry (PCI DSS), online
banking security and the protection of e-commerce, and provides sustainable,
easy to administrate and audit security for Web applications.

source: http://www.ergon.ch/en/airlock/


Vulnerability overview/description:
-----------------------------------

The Airlock WAF protection can be completely bypassed by using overlong UTF-8
character representations of the NUL character such as C0 80, E0 80 80 and F0
80 80 80. During the tests no internal knowledge of the WAF was known, but it
is suspected that the UTF-8 decoder fails to reject the overlong NUL byte
character representations and they get decoded as U+0000 later on. Further the
WAF would not perform any checks for attack patterns after the NUL byte.


Proof of concept:
-----------------

The WAF blocks requests based on patterns that it recognizes as a web
application attack, for instance:

allowed:
http://www.abc.com/file.ext?id=101'+union+select

forbidden:
http://www.abc.com/file.ext?id=101'+union+select+1+from+Dual+--+


If an overlong UTF-8 character representation of the NUL byte forgoes any web
application attack sequence, the WAF would fail to recognize the attack
pattern, for instance:

forbidden:
http://www.abc.com/file.ext?id=101'+union+select+col1,col2,col3+from+table+--+

allowed:
http://www.abc.com/file.ext?id=101%C0%80'+union+select+col1,col2,col3+from+table+--+


Vendor contact timeline:
------------------------
2012-04-05: Informed customer about vulnerability in their Airlock WAF.
2012-06-08: Received permission from customer to contact vendor directly.
2012-06-11: Contacted security contact at Ergon with vulnerability information.
2012-06-13: Vendor indicates that issue is already fixed. They had received
vulnerability information already by the customer.
2012-06-18: Vendor provides information on patched versions.


Solution:
---------

The vendor resolved the issue on the 19th of April 2012 with Update 4.2.5 or
the Hotfix HF4213 for the versions 4.2.4 and 4.2.3.3.


Advisory URL:
-------------

https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Singapore Pte. Ltd.

4 Battery Road
#25-01 Bank of China Building
Singapore (049908)

Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF G. Wagner / @2012

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    28 Files
  • 2
    Nov 2nd
    1 Files
  • 3
    Nov 3rd
    1 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    19 Files
  • 6
    Nov 6th
    65 Files
  • 7
    Nov 7th
    22 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    1 Files
  • 10
    Nov 10th
    1 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    65 Files
  • 13
    Nov 13th
    27 Files
  • 14
    Nov 14th
    22 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close