Peachy Cloud Security logoPCS

    Alibaba Cloud WAF Command Injection Bypass via Wildcard Payload in All 1,462 Built-in Rule Set

    March 17, 2023
    3 min read
    Divyanshu
    information-technology
    alibabacloud
    cloud
    aws
    security
    Alibaba WAF version 3.0 was tested and very common payload was found bypassing command injection.

    While testing the capabilities of the firewall itself it was found that it was possible to bypass the rules. Due to the testing scope limitations, not all rules were tested, but bypass have been highlighted below.

    Description

    A web application firewall (WAF) is an HTTP application firewall that applies a set of rules to an HTTP conversation.

    In this case, Alibaba WAF 3.0 was tested against the Damn Vulnerable Web Application (DVWA), a known vulnerable application, with all 1,462 built-in rules enabled. These rules generally cover common attacks such as RCE, XSS, LFI, and SQL injection.

    The WAF is designed to protect against attacks; however, it was found that some payloads were not protected by the WAF, and command injection was possible even when the WAF rule to protect against RCE was enabled.

    The payload used to bypass command injection was through a wildcard, “?”, i.e. /???/??t%20/???/??ss?? ~ /bin/cat /etc/passwd.

    Payload: cat /etc/pa??wd or any wild card which works on linux using ?.

    WAF Endpoint: yikddcuvffqc4pf6bnvwrkct2p3extri.aliyunwaf4.com.

    Load Balancer: alb-4mtl8i5bgretjudf2j.ap-southeast-1.alb.aliyuncs.com

    DNS Settings

    Steps To Reproduce:

    1. Set up vulnerable DVWA on the ec2 instance along with ALB and Alibaba WAF 3.0 enabled with 1,462 built-in rules enabled
    2. Enable the AWS WAF: http://mywaf.xxxxx.co.in
    3. Login via admin/password and visit Command Injection.
    4. Perform the below-mentioned use cases by running: 8.8.8.8; cat /etc/passw?
    5. Check for the bypass

    Note: In case of other payload it will show blocked which shows WAF has been implemented Successfully.

    Impact

    • The impact of the vulnerability is significant and can lead to financial loss for companies that heavily rely on Alibaba WAF 3.0. This is due to the fact that they may switch to other, better-paid services such as Cloudflare.
    • The exploitation of a vulnerable application protected by Alibaba WAF is a serious concern as it defeats the basic feature of WAF, which is to protect against attacks. Command injection can be easily exploited as a result of this bypass.
    • Companies and users who rely on Alibaba WAF for protection are now exposed to OWASP attacks in case their applications are vulnerable. To mitigate this risk, they may need to purchase WAF from a marketplace or a third party, which can be costly. Some companies may even migrate to another cloud provider, resulting in a loss for both Alibaba and their customers who rely on WAF to protect their applications.

    Status: Closed — Informative

    Credit: https://medium.com/secjuice/waf-evasion-techniques-718026d693d8

    Alibaba Cloud WAF Command Injection Bypass via Wildcard Payload in All 1,462 Built-in Rule Set was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

    Continue reading on Medium

    Enjoyed this article? Visit Medium to leave a comment, clap, or follow Divyanshu for more insights!

    Read on Medium

    More Articles

    How I Found a Path Traversal in the Rancher Dashboard via HAR Replay

    The issue is considered as a hardening gap by the Rancher Security team, as it resides within a feature limited to dev mode in Rancher Dashboard. Finding bugs isn’t always about breaking into a live ...

    EKS Moved To containerd, GuardDuty’s Runtime Alert Stayed Behind. Here’s Why That Matters.

    Why this matters especially for startups relying on AWS GuardDuty? Why I’m Writing This Amazon EKS has moved to from 1.24 and later. Kubernetes removed dockershim in v1.24. Docker as a runtime is leg...