SOPHOS WAF JSON Filter Bypass

`SECURITYLABS INTELLIGENT RESEARCH - SECURITY ADVISORY  
http://www.securitylabs.com.br/  
  
  
ADVISORY/0115 - SOPHOS WAF (WEBSERVER PROTECTION) DOES NOT ANALYZE JSON DATA  
  
  
PRIORITY: MEDIUM  
TYPE: WAF Bypass  
  
  
1 - About SecurityLabs Intelligent Research  
-----------------------------------------------  
  
SecurityLabs Intelligent Researh is a team specialized in projects of  
penetration test(Pentests),  
security audits and cryptanalysis.  
  
It has a group of researchers with more than 15 years of experience.  
  
All penetration tests (Pen-Test) conducted by Intruders Tiger Team Security  
have 100% of success.  
All cryptanalysis and security audits performed by the team were also well  
effective.  
  
This vulnerability was discovery during a penetration test.  
  
  
2 - Introduction  
------------------  
  
Sophos Webserver Protection uses mod_security.  
  
From "http://www.modsecurity.org/":  
  
"ModSecurity is a toolkit for real-time web application monitoring,  
logging, and access control.  
I like to think about it as an enabler: there are no hard rules telling you  
what to do; instead,  
it is up to you to choose your own path through the available features.  
That's why the title of this  
section asks what ModSecurity can do, not what it does."  
  
We can see yet from Sophos WebServer Protection Site  
(  
https://www.sophos.com/en-us/medialibrary/PDFs/factsheets/sophosutmwebserverprotectiondsna.pdf?la=en  
):  
  
"Web Application Firewall  
  
Our Web Application Firewall intercepts traffic to your servers to protect  
them from  
tampering and hacking attempts. It secures your web applications against  
more than 350  
attack patterns including SQL injection, cross-site scripting and directory  
traversal. We also  
scan all inbound files and content with our dual antivirus agents to keep  
infected content off  
your network."  
  
  
  
3 - Description  
----------------  
  
  
SecurityLabs Intelligent Research has found some conditions of bypass of  
the default signatures of mod_security  
on Sophos WebServer Protection(ModSecurity) that allows execution of SQL  
Injection attacks in JSON Requests.  
  
Sophos WebServer Protection don't analyze payload when Content-type is JSON.  
  
In default instalation, there is no "requestBodyProcessor" defined to check  
HTTP POST REQUEST BODY  
when Content-Type is "application/json".  
  
  
4 - Analysis  
---------------  
  
There are several ways to analyze this problem, including hacking  
production's environment, but  
the simplest way is sent HTTP requests with JSON data in body like this:  
  
  
POST /[URI] HTTP/1.1  
Host: [TARGET]  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101  
Firefox/15.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Proxy-Connection: keep-alive  
X-Requested-With: XMLHttpRequest  
Content-Type: application/json; charset=utf-8  
Referer: http://[TARGET]/  
Content-Length: 27  
Cookie: ASP.NET_SessionId=d0dusce1rrsgx4rvvtwj0br0;  
_ga=GA1.3.234022554.1429121838; _gat=1  
Pragma: no-cache  
Cache-Control: no-cache  
  
{"id":"SQL INJECTION HERE"}  
  
  
5 - Detection  
--------------  
  
SecurityLabs Intelligent Research has found this vulnerability in Sophos  
UTM version 9.310.  
  
It is possible that previous versions have the same problem.  
  
  
6 - Workaround  
----------------  
  
Add the follow rule in file  
'/var/storage/chroot-reverseproxy/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf'  
to check JSON data  
too:  
  
SecRule REQUEST_HEADERS:Content-Type "application/json"  
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=URLENCODED"  
  
  
7 - Credits  
-------------  
  
SecurityLabs Intelligent Research and Glaudson Ocampos  
has discovered this vulnerability.  
  
  
--   
Atenciosamente,  
  
Glaudson Ocampos  
Pesquisador de Segurança da Informação  
SecurityLabs Intelligent Research  
  
  
`