what you don't know can hurt you

dotDefender WAF 4.26 Format String

dotDefender WAF 4.26 Format String
Posted Nov 16, 2012
Authored by Bernhard Mueller | Site sec-consult.com

Applicure dotDefender WAF versions 4.26 and below suffer from a format string vulnerability.

tags | advisory
MD5 | 6ddbce0bb1d4a694a440233f185a5d1f

dotDefender WAF 4.26 Format String

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20121115-0 >
==========================================================================
title: Applicure dotDefender WAF format string vulnerability
product: dotDefender for Linux/Apache
vulnerable version: <= 4.26
fixed version: 5.00
CVE number: -
impact: Medium (needs preconditions)
homepage: http://www.applicure.com/Products/dotdefender
found: 2012-10-13
by: Bernhard Mueller
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=========================================================================

Vendor/product description:
---------------------------
dotDefender is a web application security solution (a Web Application
Firewall, or WAF) that offers strong, proactive security for your websites and
web applications.

URL: http://www.applicure.com/Products/dotdefender


Vulnerability overview/description:
-----------------------------------
dotDefender displays an error page when blocking an attack. The error page is
generated from a template which can contain various template variables. These
variables are expanded into a buffer first, the result of which is then passed
to AP_PRINTF() without checking for format string identifiers. Any remaining
format strings are interpreted by AP_PRINTF(), allowing for a format string
injection attack.

This is immediately exploitable by an unauthenticated attacker if the <%IP%>
template tag is used in the error page (not the case in the default template).
In this case an attacker can inject format strings in the "Host"-header. Other
attack vectors may exist if the attacker manages to access the dotDefender web
interface which requires a password.

Successful exploitation allows an attacker to execute arbitrary code on the
server.


Proof of concept:
-----------------

No proof-of-concept exploit will be released.


Vulnerable / tested versions:
-----------------------------

The vulnerability has been tested with dotDefender 4.26 for Linux/Apache.

dotDefender for Windows is not affected.


Vendor contact timeline:
------------------------
2012-10-17: Contacted vendor
2012-11: Fixed version is released
2012-11-15: SEC Consult releases security advisory


Solution:
---------
Upgrade to at least version 5.00 of dotDefender for Linux:

http://www.applicure.com/download-latest


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The SEC Consult Group

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Mail: office at sec-consult dot sg


Check out our blog at:

http://blog.sec-consult.com/


And this thing here:

http://wordpress.org/extend/plugins/mvis-security-center/


EOF B. Mueller / November 2012

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    1 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close