dotDefender <= 4.26 WAF format string vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1046112 漏洞类型
发布时间 2012-11-16 更新时间 2012-11-16
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012110107
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Vendor/product description:
---------------------------
dotDefender is a web application security solution (a Web Application
Firewall, or WAF) that offers strong, proactive security for your websites and
web applications.

URL: http://www.applicure.com/Products/dotdefender


Vulnerability overview/description:
-----------------------------------
dotDefender displays an error page when blocking an attack. The error page is
generated from a template which can contain various template variables. These
variables are expanded into a buffer first, the result of which is then passed
to AP_PRINTF() without checking for format string identifiers. Any remaining
format strings are interpreted by AP_PRINTF(), allowing for a format string
injection attack.

This is immediately exploitable by an unauthenticated attacker if the <%IP%>
template tag is used in the error page (not the case in the default template).
In this case an attacker can inject format strings in the "Host"-header. Other
attack vectors may exist if the attacker manages to access the dotDefender web
interface which requires a password.

Successful exploitation allows an attacker to execute arbitrary code on the
server.


Proof of concept:
-----------------

No proof-of-concept exploit will be released.


Vulnerable / tested versions:
-----------------------------

The vulnerability has been tested with dotDefender 4.26 for Linux/Apache.

dotDefender for Windows is not affected.


Vendor contact timeline:
------------------------
2012-10-17: Contacted vendor
2012-11: Fixed version is released
2012-11-15: SEC Consult releases security advisory


Solution:
---------
Upgrade to at least version 5.00 of dotDefender for Linux:

http://www.applicure.com/download-latest


Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~
The SEC Consult Group