Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] RE: Webwasher CSM Appliance Script Security Restrictio

from [Frank Berzau] Network Security [Permanent Link]
Subject: [Full-disclosure] RE: Webwasher CSM Appliance Script Security Restriction Bypass
Date: Fri, 23 Dec 2005 13:48:59 -0500 
The Proactive Security Filter is one of several security filters in the
Webwasher CSM Suite. It can block or mitigate many day zero threats
before their signature is added to the integrated Antivirus engines.
While we never claimed it can detect 100% of new malware, we are
continously improving the filter and welcome every input about new
attack vectors.

To respond to your posting:

1) First tests today do not confirm that (at least the current version
of the product) is vulnerable as described. We checked the code and ran
a few tests and confirmed that the handling is case in-sensitive. We'll
run more tests and also check older versions after the Christmas
holidays.

2) What we need from you is a proof of concept script that you think
should be mitigated by the Proactive Filter but is not. Please contact
me directly so we can work together to further improve our Proactive
Security Filter.

Btw, we have double-checked our records and found no evidence of being
contacted prior to this posting yesterday. We have attempted to contact
you, but got no response (so far). Also, we believe the timing of this
posting - a day before Christmas - is very bad and not intented to
giving us a fair chance to resolve this as quickly as we normally could.

Thanks, Frank

-----------------------------------------------------
Frank Berzau
Director, European Support
CyberGuard Corp.
 

-----Original Message-----
From: d0t v0rt3x [mailto:d0tv0rt3x@gmail.com] 
Sent: Thursday, December 22, 2005 9:42 PM
To: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: Webwasher CSM Appliance Script Security Restriction Bypass

Vendor: Webwasher (http://www.webwasher.com/)
Product: Webwasher CSM Appliance
Affected versions: CSM Suite 5.x
Author: .v0rt3x (d0tv0rt3x[at]gmail[d0t]com)
Date: 2005-Dec-22

....Background....
"...Webwasher appliances provide high-performance "Proactive
Filtering" of bidirectional SMTP, HTTP, HTTPS, and FTP traffic to
detect and cleanse all forms of malware. The result is a security
appliance that delivers the Blended Protection you need to protect
against malicious content and unwanted email..."

....Description....
Webwasher CSM includes an encapsulation script mechanism with the aim
of filtering malicious scripts.
The encapsulation script makes use of specific potentially malicious
tokens in order to detect and neutralize the malicious script.
The detection of the tokens is case sensitive. However, some of the
tokens can be executed whether they are written in lower case or upper
case letters.
In other words, by creating a specially crafted script, an attacker
can bypass the filtering mechanism and execute malicious scripts.

....Proof.of.Concept....
1) Create a malicious script by using an object which executes ".Run"
method (e.g. one of the many WScript.Shell exploits).
2) Replace ".Run" with ".run".
3) Execute the malicious script "safely" through Webwasher CSM.

....Timeline....
2005-May-15: Vendor was notified by mail.
2005-Aug-15: Vendor was notified again via contact form.
2005-Dec-22: No response from the vendor - public disclosure.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] RE: Webwasher CSM Appliance Script Security Restriction Bypass, Frank Berzau <=
Previous by Date:  New site location, shadown
Next by Date:  [Full-disclosure] [ GLSA 200512-14 ] NBD Tools: Buffer overflow in NBD server, Thierry Carrez
Previous by Thread:  [Full-disclosure] html in simpbook, zeus olimpusklan
Next by Thread:  [Full-disclosure] [ GLSA 200512-14 ] NBD Tools: Buffer overflow in NBD server, Thierry Carrez
Indexes:  [Date] [Thread] [Top] [All Lists]