Security Advisory
---------------------------------------

Vulnerable Software: phion airlock Web Application Firewall
Vulnerable Version: 4.1-10.41
Homepage: http://www.phion.com/
Found by: Michael Kirchner, Wolfgang Neudorfer, Lukas Nothdurfter (Team h4ck!nb3rg)
Impact: Remote Denial of Service via Management Interface (unauthenticated) and Command Execution

Product Description
---------------------------------------

phion's web application firewall (WAF) airlock provides a unique combination of protective mechanisms for web applications. Whether you want to observe PCI DSS, safeguard online banking or protect e-commerce applications: airlock ensures sustained and manageable web application security.

[Source: http://www.phion.com/INT/products/websecurity/Pages/default.aspx]

Vulnerability Description
---------------------------------------

The phion airlock Web Application Firewall operates as a reverse proxy between the clients and the web server to be protected. All HTTP requests are checked before being forwarded to the web server. The system is administered via a separate management interface which is normally not reachable by external users.

By sending a specially crafted HTTP GET request, an attacker who can reach the management interface is able to conduct a denial of service attack. No authentication is required.

The vendor describes the vulnerability as follows:

"The airlock Configuration Center shows many system monitoring charts to check the system status and history. These images are generated on the fly by a CGI script, and the image size is part of the URL parameter. Unreasonably large values for the width and height parameters will cause excessive resource consumption. Depending on the actual load and the memory available, the system will be out-of-service for some minutes or crash completely, making a reboot necessary."

[Source: https://techzone.phion.com/dos-vulnerability-4.1-sysmon-images]

Further research showed that the vulnerability can also be used to execute arbitrary system commands. This allows an attacker to run operating system commands as the web server's user (uid=12359(wwwca) gid=54329(wwwca)).

Proof of Concept
---------------------------------------

A denial of service or execution of arbitrary system commands can be accomplished with a single HTTP request if an attacker can reach the management interface IP address of the WAF. Corresponding exploits will not be published.

Vulnerable Versions
---------------------------------------

The tested version was 4.1-10.41. Prior versions are also likely to be vulnerable.

Patch
---------------------------------------

The vendor provides a hotfix as well as an updated version of the product. The hotfix can be downloaded at: https://techzone.phion.com/hotfix_HF4112

Contact Timeline
---------------------------------------

2009-04-27: Vendor informed
2009-04-28: Initial vendor reply
2009-04-29: Vulnerability confirmed and manual workaround available at phion techzone
2009-05-12: Hotfix and updated version available
2009-07-01: Public release

Further information
---------------------------------------

Information about the web application firewall project this advisory originates from can be found at: http://www.h4ck1nb3rg.at/wafs/
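The vendor statement above identifies the root cause as unbounded width and height parameters reaching a chart-generating CGI script. The following Python is an added example written for this page; it is not airlock code, not the vendor's hotfix, and not an exploit. It shows the two checks a practitioner would want: strict parsing of the size parameters (exactly one decimal value each, within a fixed bound, so that neither oversized nor non-numeric input reaches the image generator), and a log-side detector that flags management-interface requests failing those checks. The parameter names "width" and "height" come from the vendor text; the request path "/example/chart", the bounds, and the log lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed bounds for illustration; the advisory does not state the vendor's limits.
MAX_WIDTH = 2000
MAX_HEIGHT = 2000

# Accepts only 1 to 9 ASCII digits, so shell metacharacters, signs and
# unicode digits are all rejected before any integer conversion happens.
DIGITS = re.compile(r"[0-9]{1,9}")


class BadParameter(ValueError):
    """Raised for any size parameter that must not reach the chart generator."""


def parse_size(params, name, max_value):
    """Return `name` as an int in 1..max_value, or raise BadParameter."""
    values = params.get(name)
    if not values or len(values) != 1:
        raise BadParameter(f"{name}: exactly one value required")
    raw = values[0]
    if not DIGITS.fullmatch(raw):
        raise BadParameter(f"{name}: must be a decimal integer")
    value = int(raw)
    if not 1 <= value <= max_value:
        raise BadParameter(f"{name}: {value} is outside 1..{max_value}")
    return value


def validate_chart_request(query_string):
    """Hardened form of the parameter handling: returns (width, height)
    only when both values are bounded integers, otherwise raises."""
    params = parse_qs(query_string, keep_blank_values=True)
    width = parse_size(params, "width", MAX_WIDTH)
    height = parse_size(params, "height", MAX_HEIGHT)
    return width, height


# Common Log Format; only the fields the detector needs are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def find_suspicious(log_lines):
    """Detection logic for the management-interface access log: report every
    request carrying width/height parameters that fail the hardened checks."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("url")).query
        params = parse_qs(query, keep_blank_values=True)
        if "width" not in params and "height" not in params:
            continue  # not a chart request, nothing to check
        try:
            validate_chart_request(query)
        except BadParameter as err:
            hits.append((m.group("ip"), m.group("url"), str(err)))
    return hits


# Constructed sample log lines (hypothetical path and addresses, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2009:10:00:00 +0200] "GET /example/chart?width=800&height=300 HTTP/1.1" 200 5123',
    '10.0.0.9 - - [01/Jul/2009:10:00:01 +0200] "GET /example/chart?width=99999999&height=99999999 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jul/2009:10:00:02 +0200] "GET /example/chart?width=800abc&height=300 HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jul/2009:10:00:03 +0200] "GET /example/chart?width=800 HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jul/2009:10:00:04 +0200] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, url, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {url} -> {reason}")
```

Only the first sample line passes; the oversized, non-numeric and incomplete requests are each reported once with the first failing check. The same `validate_chart_request` function is what a CGI handler would call before allocating any image buffer, so that a rejected request costs a few string comparisons rather than memory.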