avatarDivyanshu

Summary

Researchers discovered a command injection bypass vulnerability in Alibaba Cloud WAF version 3.0 through wildcard payloads, despite the presence of 1,462 built-in security rules.

Abstract

The Alibaba Cloud WAF, version 3.0, was found to be susceptible to command injection attacks despite its extensive rule set designed to protect against such threats. During a security assessment using the Damn Vulnerable Web Application (DVWA), it was observed that certain payloads, specifically those utilizing wildcard characters, could circumvent the WAF's protections. This vulnerability was identified even with the rule intended to prevent Remote Code Execution (RCE) being active. The bypass was achieved using payloads with question marks, such as /???/??t%20/???/??ss??, which mimicked the cat /etc/passwd command on a Linux system. The discovery raises concerns about the effectiveness of Alibaba WAF's security measures and could potentially lead to significant financial implications for companies relying on this service, as they might consider switching to alternative, more robust, and potentially more expensive security solutions.

Opinions

  • The bypass of the WAF's security rules undermines the confidence in Alibaba Cloud WAF's ability to protect against common web application attacks.
  • The exploitation of this vulnerability could lead to a loss of trust and business for Alibaba, as customers may seek more reliable security services from competitors like Cloudflare.
  • Companies and users dependent on Alibaba WAF's protection face increased risk due to the possibility of OWASP attacks bypassing the WAF.
  • The need for additional security measures or migration to other cloud providers is suggested, which could result in additional costs and resources for affected businesses.
  • The vulnerability's severity is underscored by the ease with which the command injection can be exploited, despite the WAF's comprehensive rule set.

Alibaba Cloud WAF Command Injection Bypass via Wildcard Payload in All 1,462 Built-in Rule Set

Alibaba WAF version 3.0 was tested and very common payload was found bypassing command injection.

While testing the capabilities of the firewall itself it was found that it was possible to bypass the rules. Due to the testing scope limitations, not all rules were tested, but bypass have been highlighted below.

Description

A web application firewall (WAF) is an HTTP application firewall that applies a set of rules to an HTTP conversation.

In this case, Alibaba WAF 3.0 was tested against the Damn Vulnerable Web Application (DVWA), a known vulnerable application, with all 1,462 built-in rules enabled. These rules generally cover common attacks such as RCE, XSS, LFI, and SQL injection.

The WAF is designed to protect against attacks; however, it was found that some payloads were not protected by the WAF, and command injection was possible even when the WAF rule to protect against RCE was enabled.

The payload used to bypass command injection was through a wildcard, “?”, i.e. /???/??t%20/???/??ss?? ~ /bin/cat /etc/passwd.

Payload: cat /etc/pa??wd or any wild card which works on linux using ?.

WAF Endpoint: yikddcuvffqc4pf6bnvwrkct2p3extri.aliyunwaf4.com.

Load Balancer: alb-4mtl8i5bgretjudf2j.ap-southeast-1.alb.aliyuncs.com

DNS Settings

Steps To Reproduce:

  1. Set up vulnerable DVWA on the ec2 instance along with ALB and Alibaba WAF 3.0 enabled with 1,462 built-in rules enabled
  2. Enable the AWS WAF: http://mywaf.xxxxx.co.in
  3. Login via admin/password and visit Command Injection.
  4. Perform the below-mentioned use cases by running: 8.8.8.8; cat /etc/passw?
  5. Check for the bypass

Note: In case of other payload it will show blocked which shows WAF has been implemented Successfully.

Impact

  • The impact of the vulnerability is significant and can lead to financial loss for companies that heavily rely on Alibaba WAF 3.0. This is due to the fact that they may switch to other, better-paid services such as Cloudflare.
  • The exploitation of a vulnerable application protected by Alibaba WAF is a serious concern as it defeats the basic feature of WAF, which is to protect against attacks. Command injection can be easily exploited as a result of this bypass.
  • Companies and users who rely on Alibaba WAF for protection are now exposed to OWASP attacks in case their applications are vulnerable. To mitigate this risk, they may need to purchase WAF from a marketplace or a third party, which can be costly. Some companies may even migrate to another cloud provider, resulting in a loss for both Alibaba and their customers who rely on WAF to protect their applications.

Status: Closed — Informative

Cloud
Security
Information Technology
AWS
Alibabacloud
Recommended from ReadMedium
avatarJonathan Mondaut
How ChatGPT Turned Me into a Hacker

Discover how ChatGPT helped me become a hacker, from gathering resources to tackling CTF challenges, all with the power of AI.

4 min read
avatarkerstan
How I Discovering the Origin IP In Bug Bounty — Bug Bounty Tuesday

we may encounter different WAFs that prevent us from finding the accurate target IP. I am going to share how to find your target’s Origin…

3 min read
avatarn00🔑
Android Pentesting

Android Penetration Testing is a systematic process used to identify security vulnerabilities in an Android application. It involves using…

7 min read
avatarVaishali Nagori
8 Different Ways to Bypass SSL Pinning in iOS Applications

What is SSL Pinning:

9 min read
avatarElNiak
Mastering SQLMap: A Beginner’s Guide for Cybersecurity Enthusiasts

Unlock the secrets of SQL Injection with SQLMap. Learn how to detect, exploit, and prevent SQLi vulnerabilities to strengthen your…

6 min read
avatarTanish Saxena
Hunting for Firebase Enums in Android Application

Here is how I found 2 Insecure Firebase

4 min read