Researchers at the industrial and IoT cybersecurity company Claroty have developed a generic method for bypassing the web application firewalls (WAFs) of several leading vendors.
Claroty’s researchers identified the technique while studying the wireless device management platform from Cambium Networks, where they found a SQL injection flaw that could allow unauthorized access to private data such as session cookies, tokens, SSH keys, and password hashes.
Reports stated that the vulnerability could be exploited against the on-premises version, but the Amazon Web Services (AWS) WAF in front of the cloud version blocked every attempt by flagging the SQL injection payload as malicious.
“This is a dangerous bypass, especially as more organizations continue to migrate more business and functionality to the cloud,” Noam Moshe, a vulnerability researcher at Claroty, wrote in a company blog post.
“IoT and OT processes that are monitored and managed from the cloud may also be impacted by this issue, and organizations should ensure they’re running updated versions of security tools in order to block these bypass attempts.”
Later findings revealed that the WAF could be bypassed by abusing the JSON data-interchange format. All of the major SQL engines support JSON syntax, and it is enabled by default.
“Using JSON syntax, it is possible to craft new SQLi payloads. These payloads, since they are not commonly known, could be used to fly under the radar and bypass many security tools.” Claroty reports.
CVE-2022-1361 Improper Neutralization of Special Elements Used In a SQL Command (‘SQL INJECTION’)
A specific Cambium vulnerability the researchers uncovered (CVE-2022-1361) proved more challenging to exploit. Moshe says “at the core of the vulnerability is a simple SQL injection vulnerability; however, the actual exploitation process required us to think outside the box and create a whole new SQL technique”.
Using this vulnerability, they were able to exfiltrate users’ sessions, SSH keys, password hashes, tokens, and verification codes.
The root cause was that the developers did not use a prepared statement to bind user-supplied data into the query.
“Instead of using a safe method of appending user parameters into an SQL query and sanitizing the input, they simply appended it to the query directly”, he added.
New SQL Injection Payload That Would Bypass the WAF
The WAF did not recognize the new SQL injection payload that Claroty’s researchers crafted, yet the database engine still parsed it as valid SQL.
They achieved this with JSON syntax: the payload used a JSON operator (reported as “@<”; PostgreSQL’s JSON containment operators are written “@>” and “<@”) that the WAF’s SQL injection inspection did not recognize, so the request was not flagged and the payload reached the target database.
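The following is an added example, not Claroty’s code or the Cambium product’s code, illustrating both points above: why a signature-based filter that matches classic SQL injection patterns can miss a JSON-based tautology, and how the missing prepared statement is the underlying flaw. The “toy WAF” rules, the table, and the users in it are all constructed for the example; no vendor’s real rules are reproduced. Because PostgreSQL is not available offline, the JSON tautology uses SQLite’s json_extract() function from Python’s standard library rather than the PostgreSQL operator the research targeted; the idea, a JSON expression that the database evaluates as true, is the same.

```python
import re
import sqlite3

# Constructed toy WAF: a handful of classic SQL injection signatures of the kind a
# signature-based filter matches. Illustrative only, not any real vendor's rule set.
TOY_WAF_RULES = [
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),          # ' OR 1=1
    re.compile(r"\bor\b\s+'[^']*'\s*=\s*'[^']*'", re.I),  # ' OR 'a'='a
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),   # UNION SELECT
    re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(", re.I),  # time-based probes
]


def toy_waf_blocks(value: str) -> bool:
    """Return True when any classic signature matches the request parameter."""
    return any(rule.search(value) for rule in TOY_WAF_RULES)


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the kind of data the article says
    was exposed (password hashes, session tokens). Nothing here is real."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password_hash TEXT, session_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-of-alice", "tok-alice"), ("bob", "hash-of-bob", "tok-bob")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw described in the article: user input appended straight into SQL."""
    sql = f"SELECT username, session_token FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a prepared statement. The driver binds the value; it never becomes SQL."""
    sql = "SELECT username, session_token FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payloads. The classic one trips the toy rules; the JSON one is a
# tautology built from a JSON function, which the rules above do not recognise.
CLASSIC_PAYLOAD = "x' OR 1=1 --"
JSON_PAYLOAD = """x' OR json_extract('{"a":1}', '$.a') = 1 --"""


def run_request(conn: sqlite3.Connection, username: str, fixed: bool) -> dict:
    """Simulate one request: toy WAF first, then the vulnerable or fixed query."""
    blocked = toy_waf_blocks(username)
    if blocked:
        rows = []
    elif fixed:
        rows = lookup_fixed(conn, username)
    else:
        rows = lookup_vulnerable(conn, username)
    return {"blocked": blocked, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    for payload in (CLASSIC_PAYLOAD, JSON_PAYLOAD):
        print(repr(payload), "->", run_request(db, payload, fixed=False))
    print("fixed query, JSON payload ->", run_request(db, JSON_PAYLOAD, fixed=True))
```

Run as-is with any CPython whose bundled SQLite has JSON support (standard in current builds). The classic payload is blocked; the JSON payload passes the toy WAF and, against the concatenated query, dumps every row including session tokens; against the parameterized query the same payload is just a username string that matches nothing. That last result is the practical takeaway: the bypass matters only because the application trusted the WAF instead of binding its parameters.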
Reports say the researchers successfully reproduced the bypass against Imperva, Palo Alto Networks, Cloudflare, and F5 products.
Claroty added support for the technique to the SQLMap open-source exploitation tool.
“We discovered that the leading vendors’ WAFs did not support JSON syntax in their SQL injection inspection process, allowing us to prepend JSON syntax to a SQL statement that blinded a WAF to the malicious code,” the security firm explained.
Hence, Claroty says, an attacker adopting this method could gain access to a backend database and then use additional flaws and exploits to leak data, either directly to the server or via the cloud.