WARNING! Fake news / Disputed / BOGUS

Webwasher CSM Appliance Script Security Restriction Bypass

2005.12.24
Credit: v0rt3x
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Vendor: Webwasher (http://www.webwasher.com/)
Product: Webwasher CSM Appliance
Affected versions: CSM Suite 5.x
Author: .v0rt3x (d0tv0rt3x[at]gmail[d0t]com)
Date: 2005-Dec-22

....Background....

"...Webwasher appliances provide high-performance "Proactive Filtering" of bidirectional SMTP, HTTP, HTTPS, and FTP traffic to detect and cleanse all forms of malware. The result is a security appliance that delivers the Blended Protection you need to protect against malicious content and unwanted email..."

....Description....

Webwasher CSM includes an encapsulation script mechanism with the aim of filtering malicious scripts. The encapsulation script makes use of specific potentially malicious tokens in order to detect and neutralize the malicious script. The detection of the tokens is case sensitive. However, some of the tokens can be executed whether they are written in lower case or upper case letters. In other words, by creating a specially crafted script, an attacker can bypass the filtering mechanism and execute malicious scripts.

....Proof.of.Concept....

1) Create a malicious script by using an object which executes ".Run" method (e.g. one of the many WScript.Shell exploits).
2) Replace ".Run" with ".run".
3) Execute the malicious script "safely" through Webwasher CSM.

....Timeline....

2005-May-15: Vendor was notified by mail.
2005-Aug-15: Vendor was notified again via contact form.
2005-Dec-22: No response from the vendor - public disclosure.

SecurityReason UPDATE :
--------------------------------------------------------------
The Proactive Security Filter is one of several security filters in the Webwasher CSM Suite. It can block or mitigate many day zero threats before their signature is added to the integrated Antivirus engines. While we never claimed it can detect 100% of new malware, we are continuously improving the filter and welcome every input about new attack vectors.

To respond to your posting:

1) First tests today do not confirm that (at least the current version of the product) is vulnerable as described. We checked the code and ran a few tests and confirmed that the handling is case-insensitive. We'll run more tests and also check older versions after the Christmas holidays.
2) What we need from you is a proof of concept script that you think should be mitigated by the Proactive Filter but is not. Please contact me directly so we can work together to further improve our Proactive Security Filter.

Btw, we have double-checked our records and found no evidence of being contacted prior to this posting yesterday. We have attempted to contact you, but got no response (so far). Also, we believe the timing of this posting - a day before Christmas - is very bad and not intended to give us a fair chance to resolve this as quickly as we normally could.

Thanks,
Frank
---------------------------------------------------------------
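
The disagreement above comes down to whether token matching ignores case. The following Python sketch is an added example, not code from the advisory, the vendor or the appliance: it puts exact-case matching beside case-insensitive matching and enumerates every upper/lower spelling of a token as a regression check. The token list, sample line and function names are assumptions; only ".Run" is named on the page.

```python
import itertools
import re

# Constructed token list: the page names only ".Run"; the appliance's
# real token set is not given there.
TOKENS = [".Run"]

def detect_case_sensitive(script, tokens=TOKENS):
    """Matching as the advisory describes it: exact-case substring search."""
    return [t for t in tokens if t in script]

def detect_case_insensitive(script, tokens=TOKENS):
    """Matching as the vendor reply describes it: case is ignored."""
    return [t for t in tokens
            if re.search(re.escape(t), script, re.IGNORECASE)]

def case_variants(token):
    """Every upper/lower spelling of a token (2**n for n letters)."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in token]
    return sorted({"".join(p) for p in itertools.product(*choices)})

def missed_variants(detector, tokens=TOKENS):
    """Regression check: spellings of each token the detector fails to flag."""
    missed = []
    for token in tokens:
        for variant in case_variants(token):
            sample = f'obj{variant} "placeholder"'  # constructed, inert line
            if token not in detector(sample, tokens):
                missed.append(variant)
    return missed

if __name__ == "__main__":
    print("case-sensitive misses:  ", missed_variants(detect_case_sensitive))
    print("case-insensitive misses:", missed_variants(detect_case_insensitive))
```

An empty list from `missed_variants` is the result a filter must produce for every token whose target language resolves names without regard to case.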



Copyright 2024, cxsecurity.com

 
